On Sat, Dec 19, 2020 at 08:31:31PM -0800, MR ZenWiz wrote:
> I looked in the auth.log and queried the message on the web.
> The message says:
> Authentication refused: bad ownership or modes for directory /home/admar
> The solution listed is to change the home directory to deny group and
> other write permissions on the home directory and set the permissions
> for ~/.ssh to 700 and ~/.ssh/authorized_keys to 600.
> I had my home set for 775, and write access to the users group (I have
> a good reason for this), so when I changed it to 755, the
> password-less login from the laptop worked.
> That would make perfect sense except for one minor detail: I have the
> exact same 775 permissions with the same group set on my laptop's home
> directory, and no issue whatsoever doing the password-less login from
> the desktop to the laptop.
Your setup will only work if the "users" group contains only you, and no
other users. Otherwise sshd will consider it insecure, because the
group-writability is no longer harmless: other users could use their
write access to your home directory to modify your ~/.ssh/ directory
(possibly by renaming the original out of the way).
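The rule Colin states can be checked outside sshd. The script below is an added example for this thread (not OpenSSH's code; the function names are made up here): it re-creates the ownership and mode test that sshd applies to the home directory, ~/.ssh and ~/.ssh/authorized_keys, accepting a group-writable path only when the owning group has no member other than the owner. That relaxation is what the Debian/Ubuntu openssh packages implement; upstream OpenSSH refuses any group- or world-writable path outright, so on other systems the group-membership branch simply never saves a 775 home. It assumes GNU stat and reads /etc/group and /etc/passwd directly, so accounts known only through NSS (LDAP, sssd) are not counted; substitute getent(1) there.

```shell
#!/bin/sh
# Mirror of the ownership/mode test sshd (StrictModes) applies to ~, ~/.ssh
# and ~/.ssh/authorized_keys before honouring authorized_keys, including the
# rule Colin describes: a group-writable path is accepted only when the group
# has no member other than the owner. Added for this thread; not OpenSSH's
# code, and the function names are made up here. Needs GNU stat (-c) and reads
# /etc/group and /etc/passwd directly, so accounts known only through NSS
# (LDAP, sssd) are not seen; use getent(1) there.

# Members of a named group: the explicit member field plus every account whose
# primary group it is (those do not appear in /etc/group's member field).
group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' /etc/group)
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$1" '$1 == g { print $4 }' /etc/group | tr ',' '\n'
        awk -F: -v g="$gid" '$4 == g { print $1 }' /etc/passwd
    } | sed '/^$/d' | sort -u
}

# Pure decision. Arguments: octal mode (e.g. 775), owner name, newline-
# separated member list of the owning group, login user. Prints the reason
# and returns 1 when sshd would log "bad ownership or modes".
judge_mode() {
    mode=$1 owner=$2 members=$3 user=$4
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
        echo "bad ownership: owned by $owner, expected $user or root"
        return 1
    fi
    if [ $(( 0$mode & 02 )) -ne 0 ]; then
        echo "world-writable (mode $mode)"
        return 1
    fi
    if [ $(( 0$mode & 020 )) -ne 0 ]; then
        # Group write is tolerated only if nobody but the owner is in the group.
        others=$(printf '%s\n' "$members" | grep -vx -e "$user" -e '' || true)
        if [ -n "$others" ]; then
            echo "group-writable (mode $mode) and the group has other members:" $others
            return 1
        fi
    fi
    return 0
}

# Judge a real path: owner, group and mode come from stat(1).
check_path() {
    user=$2
    info=$(stat -c '%U %G %a' "$1") || return 1
    set -- $info                       # $1 owner, $2 group, $3 mode
    judge_mode "$3" "$1" "$(group_members "$2")" "$user"
}

# The three paths sshd inspects for a login as $2 whose home is $1.
check_ssh_tree() {
    home=$1 login=$2 rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if msg=$(check_path "$p" "$login"); then
            echo "ok       $p"
        else
            echo "REFUSED  $p: $msg"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh sshd_modes.sh /home/someone [someone]
if [ $# -gt 0 ]; then
    check_ssh_tree "$1" "${2:-$(id -un)}"
fi
```

Run against the desktop and the laptop in turn, the output reproduces the asymmetry in the thread consistent with Colin's explanation: the same 775 home passes where `users` has no other member and is refused where it does. The owner test accepts root as well as the login user, which is also what sshd does.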
On Sun, Dec 20, 2020 at 10:18 AM Colin Watson <[hidden email]> wrote:
> Your setup will only work if the "users" group contains only you, and no
> other users. Otherwise sshd will consider it insecure, because the
> group-writability is no longer harmless: other users could use their
> write access to your home directory to modify your ~/.ssh/ directory
> (possibly by renaming the original out of the way).
That explains it - many thanks, Colin.
I have fixed the permissions and they are now fine. I have other ways
to go around the limitation that do not include writability to my home
directory or through it.
Thanks to all who responded, and I hope this helps those who did not as well.
> On Thu, Dec 10, 2020 at 05:52:01PM -0800, MR ZenWiz wrote:
>> On Thu, Dec 10, 2020 at 2:26 PM Chris Green <[hidden email]> wrote:
>> > When you run ssh-keygen do you provide a passphrase for the generated
>> > key or do you just hit return when asked? If you just hit return then
>> > the key is 'passphraseless'.
>> Are you saying I should use the 'passphraseless' key? I don't give it
>> one because I don't want to have one.
> If the key is 'passphraseless' then you don't need to provide the
> passphrase when you use it to log in to a remote ssh server. However it
> means that anyone with access to your system can get the key and use
> it themselves for remote access. If you provide a passphrase for the
> key then the system will ask for it when you use the key; an 'agent'
> of some sort remembers the key/passphrase for the duration of your
> session and thus you don't have to repeatedly enter the passphrase
> every time you use the key.
> Many systems allow you to configure them so that the passphrase for
> your ssh keys is the same as your login password and thus your key(s)
> can be automatically decrypted and kept in the agent when you log in.
> That's what my original question was asking: if you had provided a
> passphrase to the key which matched your login password on one system
> but not on the other you might see the symptoms you describe because
> the key would get automatically decrypted on one system but not on the
> Chris Green
It is important to note that the key is simply stored in a file in your
home directory, usually '~/.ssh/', so any application running as your user
has access to it. That is why it's important to have that file
encrypted with a password, so that a single misbehaving program doesn't
steal the file. A remote attacker would then have access to your
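Chris's point about a passphrase-less key, and the last message's point that any program running as your user can read ~/.ssh, both come down to one question: is the private key file encrypted on disk or not? The script below is an added example (not from the thread and not OpenSSH's code; the function names are made up here) that answers it by reading the file format rather than loading the key. For the current OpenSSH format it decodes the header and reads the cipher-name field, which is "none" for an unprotected key; for legacy PEM it looks for the PKCS#1 `Proc-Type: 4,ENCRYPTED` header or the PKCS#8 `ENCRYPTED PRIVATE KEY` wrapper. The files written by `make_samples` are header-shaped stand-ins constructed for this illustration, not real keys. It assumes base64(1), dd(1) and od(1) are available.

```shell
#!/bin/sh
# Tell a passphrase-protected OpenSSH private key from one stored in the clear
# by reading the file format, without loading the key. Added for this thread;
# not OpenSSH's code, function names are made up here, and the sample files
# written by make_samples are header-shaped stand-ins, not real keys.
# Needs base64(1), dd(1) and od(1).

# Returns 0 if the key file is encrypted, 1 if it is cleartext, 2 if it is not
# a private key format this script understands.
key_is_encrypted() {
    f=$1
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        # Current format (PROTOCOL.key): after the 15-byte magic
        # "openssh-key-v1\0" comes a uint32 length and the cipher name;
        # "none" means the key material is not encrypted.
        bin=$(mktemp)
        sed -n '/^-----BEGIN/,/^-----END/p' "$f" | sed '1d;$d' | tr -d '\n' | base64 -d > "$bin"
        len=$(dd if="$bin" bs=1 skip=15 count=4 2>/dev/null | od -An -tu1 |
              awk '{ print (($1 * 256 + $2) * 256 + $3) * 256 + $4 }')
        cipher=$(dd if="$bin" bs=1 skip=19 count="${len:-0}" 2>/dev/null)
        rm -f "$bin"
        [ -n "$cipher" ] || return 2
        [ "$cipher" != none ] && return 0
        return 1
    fi
    if grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
        # Legacy PEM: PKCS#1 marks encryption with a Proc-Type header,
        # PKCS#8 with an ENCRYPTED PRIVATE KEY wrapper.
        grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" && return 0
        return 1
    fi
    return 2
}

# Walk one directory (typically ~/.ssh) and report any cleartext key; returns 1
# if at least one was found, so it can gate an audit or provisioning job.
scan_keys() {
    found=0
    for k in "$1"/*; do
        [ -f "$k" ] || continue
        grep -q '^-----BEGIN .*PRIVATE KEY-----' "$k" 2>/dev/null || continue
        rc=0
        key_is_encrypted "$k" || rc=$?
        case $rc in
            0) echo "encrypted  $k" ;;
            1) echo "CLEARTEXT  $k"; found=1 ;;
            *) echo "unknown    $k" ;;
        esac
    done
    return $found
}

# Constructed sample files shaped like private keys (headers only; not usable
# keys) so the checks can be exercised offline.
make_samples() {
    d=$1
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        # magic, len 4 "none" (cipher), len 4 "none" (kdf)
        printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$d/id_ed25519_clear"
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        # magic, len 10 "aes256-ctr" (cipher), len 6 "bcrypt" (kdf)
        printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$d/id_ed25519_enc"
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        echo 'Proc-Type: 4,ENCRYPTED'
        echo 'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF'   # constructed IV
        echo ''
        echo 'Y29uc3RydWN0ZWQ='
        echo '-----END RSA PRIVATE KEY-----'
    } > "$d/id_rsa_enc"
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        echo 'Y29uc3RydWN0ZWQ='
        echo '-----END RSA PRIVATE KEY-----'
    } > "$d/id_rsa_clear"
    echo 'example.invalid ssh-ed25519 AAAA-constructed' > "$d/known_hosts"
}

# Usage: sh scan_keys.sh ~/.ssh
if [ $# -gt 0 ]; then
    scan_keys "$1"
fi
```

The same question can be put to the real tool: `ssh-keygen -y -P '' -f keyfile` prints the public key only when the private key has no passphrase and fails otherwise. Reading the header is cheaper when sweeping many accounts and works on hosts without an ssh client installed.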