SSH key question


Re: SSH key question

Colin Watson
On Sat, Dec 19, 2020 at 08:31:31PM -0800, MR ZenWiz wrote:

> I looked in the auth.log and queried the message on the web.
>
> The message says:
>
> Authentication refused: bad ownership or modes for directory /home/admar
>
> The solution listed is to change the home directory to deny group and
> other write permissions on the home directory and set the permissions
> for ~/.ssh to 700 and ~/.ssh/authorized_keys to 600.
>
> I had my home set for 775, and write access to the users group (I have
> a good reason for this), so when I changed it to 755, the
> password-less login from the laptop worked.
>
> That would make perfect sense except for one minor detail: I have the
> exact same 775 permissions with the same group set on my laptop's home
> directory, and no issue whatsoever doing the password-less login from
> the desktop to the laptop.

Your setup will only work if the "users" group contains only you, and no
other users.  Otherwise sshd will consider it insecure, because the
group-writability is no longer harmless: other users could use their
write access to your home directory to modify your ~/.ssh/ directory
(possibly by renaming the original out of the way).

The ability to have limited group-writability is a Debian patch; see
https://salsa.debian.org/ssh-team/openssh/blob/master/debian/patches/user-group-modes.patch
for details.

--
Colin Watson (he/him)                              [[hidden email]]

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
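What sshd is actually objecting to, as an added example that is not code from this thread or from OpenSSH: a Python audit of the home directory, ~/.ssh and authorized_keys in the spirit of sshd's StrictModes checks, with the Debian allowance Colin describes (group-writable is tolerated only when the owning group contains nobody but the user) modelled as a flag. The username `admar` is taken from the quoted auth.log line, and the group membership sets in `demo()` are constructed stubs; `system_group_members` is the real lookup you would pass in on a live machine.

```python
#!/usr/bin/env python3
"""Audit the permission chain sshd inspects under StrictModes.

Assumed reimplementation for illustration, not sshd's own code: stock OpenSSH
rejects ~/.ssh/authorized_keys if the file, ~/.ssh or the home directory is
group- or world-writable or not owned by the user (or root). Debian's
user-group-modes patch relaxes the group-writable case when the owning group
contains nobody but the user.
"""
import grp
import os
import pwd
import stat
import tempfile


def system_group_members(gid):
    """Users who can write as group `gid`: listed members plus anyone with it as primary group."""
    try:
        members = set(grp.getgrgid(gid).gr_mem)
    except KeyError:
        return set()
    members.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == gid)
    return members


def check_one(path, user, uid, members_of, debian_patch):
    """Problems with a single path component, modelled on sshd's secure_filename()."""
    st = os.lstat(path)
    mode = stat.filemode(st.st_mode)
    problems = []
    if st.st_uid not in (0, uid):
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {user} or root")
    if st.st_mode & stat.S_IWOTH:
        problems.append(f"{path}: world-writable ({mode})")
    if st.st_mode & stat.S_IWGRP:
        others = members_of(st.st_gid) - {user}
        if not debian_patch:
            problems.append(f"{path}: group-writable ({mode}); stock OpenSSH rejects this outright")
        elif others:
            problems.append(
                f"{path}: group-writable ({mode}) and group {st.st_gid} also contains "
                f"{', '.join(sorted(others))}, who could replace .ssh"
            )
    return problems


def audit_home(home, user, uid, members_of=system_group_members, debian_patch=True):
    """Return every problem sshd would object to on home, home/.ssh and authorized_keys."""
    problems = check_one(home, user, uid, members_of, debian_patch)
    ssh_dir = os.path.join(home, ".ssh")
    if os.path.isdir(ssh_dir):
        problems += check_one(ssh_dir, user, uid, members_of, debian_patch)
        auth_keys = os.path.join(ssh_dir, "authorized_keys")
        if os.path.isfile(auth_keys):
            problems += check_one(auth_keys, user, uid, members_of, debian_patch)
    return problems


def demo():
    """Constructed scenario from the thread: home is 0775 with group write, .ssh 0700, keys 0600."""
    uid = os.getuid()
    user = "admar"  # constructed; taken from the quoted auth.log line
    results = {}
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, user)
        ssh_dir = os.path.join(home, ".ssh")
        auth_keys = os.path.join(ssh_dir, "authorized_keys")
        os.makedirs(ssh_dir)
        with open(auth_keys, "w") as fh:
            fh.write("# constructed, empty authorized_keys\n")
        os.chmod(home, 0o775)       # umask may have altered makedirs' modes, so set explicitly
        os.chmod(ssh_dir, 0o700)
        os.chmod(auth_keys, 0o600)
        # Group membership is stubbed so the demo does not depend on this machine's /etc/group.
        only_me = lambda gid: {"admar"}
        me_and_bob = lambda gid: {"admar", "bob"}
        results["debian_group_only_me"] = audit_home(home, user, uid, only_me)
        results["debian_group_has_others"] = audit_home(home, user, uid, me_and_bob)
        results["stock_openssh"] = audit_home(home, user, uid, only_me, debian_patch=False)
        os.chmod(home, 0o777)
        results["world_writable"] = audit_home(home, user, uid, only_me)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {'OK' if not problems else ''}")
        for p in problems:
            print("   ", p)
```

The four cases in `demo()` reproduce the thread: the same 0775 home passes on a Debian-patched sshd when the group holds only the user, fails as soon as another member exists, fails on stock OpenSSH regardless, and fails everywhere once it is world-writable.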

Re: SSH key question

MR ZenWiz
On Sun, Dec 20, 2020 at 10:18 AM Colin Watson <[hidden email]> wrote:
>
:
>
> Your setup will only work if the "users" group contains only you, and no
> other users.  Otherwise sshd will consider it insecure, because the
> group-writability is no longer harmless: other users could use their
> write access to your home directory to modify your ~/.ssh/ directory
> (possibly by renaming the original out of the way).
>
That explains it - many thanks, Colin.

I have fixed the permissions and they are now fine.  I have other ways
to go around the limitation that do not include writability to my home
directory or through it.

Problem solved!

Thanks all who responded and I hope this helps those who did not as well.

Mark


Re: SSH key question

Steven Mainor

On 2020-12-11 04:42, Chris Green wrote:

> On Thu, Dec 10, 2020 at 05:52:01PM -0800, MR ZenWiz wrote:
>> On Thu, Dec 10, 2020 at 2:26 PM Chris Green <[hidden email]> wrote:
>> >
>> :
>> > When you run ssh-key-gen do you provide a passphrase for the generated
>> > key or do you just hit return when asked?  If you just hit return then
>> > the key is 'passphraseless'.
>> >
>> Are you saying I should use the 'passphraseless' key?  I don't give it
>> one because I don't want to have one.
>>
> If the key is 'passphraseless' then you don't need to provide the
> passphrase when you use it to login to a remote ssh server.  However it
> means that anyone with access to your system can get the key and use
> it themselves for remote access.  If you provide a passphrase for the
> key then the system will ask for it when you use the key, an 'agent'
> of some sort remembers the key/passphrase for the duration of your
> session and thus you don't have to repeatedly enter the passphrase
> every time you use the key.
>
> Many systems allow you to configure them so that the passphrase for
> your ssh keys is the same as your login password and thus your key(s)
> can be automatically decrypted and kept in the agent when you log in.
>
> That's what my original question was asking, if you had provided a
> passphrase to the key which matched your login password on one system
> but not on the other you might see the symptoms you describe because
> the key would get automatically decrypted on one system but not on the
> other.
>
> --
> Chris Green
It is important to note that the key is simply stored in a file in your
home directory, usually '~/.ssh/', so any application running as your user
has access to it, which is why it's important to have that file
encrypted with a password, so that a single misbehaving program doesn't
steal the file. A remote attacker would then have access to your
devices/servers.

---
Steven Mainor
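Following on from the point about keys at rest, an added example that is not part of the thread or of OpenSSH: a parser for the header of the OpenSSH private key container (the `openssh-key-v1` structure described in OpenSSH's PROTOCOL.key) and for the `Proc-Type: 4,ENCRYPTED` marker of the older PEM format, reporting whether a key file is passphrase-protected and, for bcrypt-wrapped keys, how many KDF rounds were used. The sample key files are constructed with dummy key material so the script runs offline; `make_openssh_key_text` exists only to build those samples.

```python
#!/usr/bin/env python3
"""Report whether an SSH private key file is passphrase-protected at rest.

Added illustration, not OpenSSH code. It parses only the header of the
"openssh-key-v1" container (described in OpenSSH's PROTOCOL.key) and the
Proc-Type marker of the older PEM format; it never touches key material.
"""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key file")
    return buf[off:off + n], off + n


def key_protection(text):
    """Return {'format', 'encrypted', 'cipher', 'kdf', 'rounds'} for a private key file's text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[0].endswith("-----"):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == OPENSSH_BEGIN:
        if OPENSSH_END not in lines:
            raise ValueError("missing END line")
        body = base64.b64decode("".join(lines[1:lines.index(OPENSSH_END)]))
        if not body.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        cipher, off = _read_string(body, off)      # "none" means no passphrase
        kdf, off = _read_string(body, off)         # "none" or "bcrypt"
        kdf_opts, off = _read_string(body, off)    # for bcrypt: string salt, uint32 rounds
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdf_opts, 0)
            (rounds,) = struct.unpack_from(">I", kdf_opts, o)
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM (e.g. "BEGIN RSA PRIVATE KEY"): encryption is signalled by a Proc-Type header.
    encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    cipher = None
    for ln in lines:
        if ln.startswith("DEK-Info:"):
            cipher = ln.split(":", 1)[1].strip().split(",")[0]
    return {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher,
            "kdf": None, "rounds": None}


def make_openssh_key_text(cipher, kdf, kdf_opts, public_blob, private_blob):
    """Build a constructed openssh-key-v1 file with dummy blobs (header-correct, not a usable key)."""
    body = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdf_opts)
            + struct.pack(">I", 1) + _ssh_string(public_blob) + _ssh_string(private_blob))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_BEGIN}\n{wrapped}\n{OPENSSH_END}\n"


# Constructed sample files (dummy key material, for the demonstration only).
UNENCRYPTED_KEY = make_openssh_key_text(b"none", b"none", b"", b"\x00" * 8, b"\x00" * 8)
ENCRYPTED_KEY = make_openssh_key_text(
    b"aes256-ctr", b"bcrypt", _ssh_string(b"\x01" * 16) + struct.pack(">I", 16),
    b"\x00" * 8, b"\x00" * 16)
LEGACY_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "QUJDREVGR0g=\n"
    "-----END RSA PRIVATE KEY-----\n")


def unprotected_keys(files):
    """Names of the key files in `files` (name -> text) that carry no passphrase."""
    return sorted(name for name, text in files.items() if not key_protection(text)["encrypted"])


if __name__ == "__main__":
    samples = {"id_ed25519": UNENCRYPTED_KEY, "id_rsa": ENCRYPTED_KEY, "old_rsa": LEGACY_ENCRYPTED_KEY}
    for name, text in samples.items():
        print(name, key_protection(text))
    print("unprotected:", unprotected_keys(samples))
```

Pointing `unprotected_keys` at the contents of a user's ~/.ssh gives the defender's counterpart to Steven's point: a key whose header says `cipher none, kdf none` is readable by every process running as that user, whereas a bcrypt-wrapped one still needs the passphrase before the agent can load it.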