Ssh and home directory permissions

file-permissionspermissionsssh

sshd will refuse to accept public key authentication if the user's home directory is group-accessible, even if ~/.ssh is set to 700? If the permissions on ~/.ssh are acceptable, why do the permissions on ~ matter?

Best Answer

I guess the reason is that if your home directory is writable by someone else, then a malicious user can create ~/.ssh, add desired keys and then change permissions on it to 700.

Even if you already have a ~/.ssh, it can simply be renamed to something else and a new one created.

However, on modern systems such trick is usually not possible due to chown working only for super-user, this has not always been the case:

In earlier versions of UNIX, all users could run the chown command to change the ownership of a file that they owned to that of any other user on the system. (http://www.diablotin.com/librairie/networking/puis/ch05_07.htm)

Whether chmod behaves one way or another depends on libc compilation options, and for the sake of security OpenSSH server is slightly paranoid.

Related Solutions

What permissions on /var/mail directory

The permissions drw-rws--- on directories are wrong because even the owner of the directory cannot go into them, due to the lack of the x bit (=1 when using the numeric form).

You can test this by yourself by doing this as a normal user (not root):

$ mkdir -m 2670 /tmp/testdir
$ ls -ld /tmp/testdir
drw-rws--- 2 vmail vmail 4096 Apr  3 23:16 /tmp/testdir
$ cd /tmp/testdir
bash: cd: /tmp/testdir: Permission denied

I think that these lines in your current script:

chmod -R 0660 /var/mail/*.com
chmod -R g+rwxs /var/mail/*.com

should be instead:

chmod -R 2770 /var/mail/*.com

SSH: “Permissions 0644 for ‘the_key.pub’ are too open.”

You may be running ssh-keygen on the wrong file. ssh-keygen -y operates on a private key file. ".pub" files normally contain the public key. You probably have a file there named my_key, without any extension, and it ought to be mode 0600. That is the file which should contain the private key.

To directly answer your question, SSH keys are normally used to permit connecting to remote servers without a password. Possession of the private key would permit someone to log into your account on any system which accepts the key. ssh-keygen and the other ssh utilities require private key files to have restricted permissions because the files are sensitive and need to remain secure.

Best Answer

Related Solutions

What permissions on /var/mail directory

SSH: “Permissions 0644 for ‘the_key.pub’ are too open.”

Related Question