Re: [suse-security] ssh-authentication
Hi again, now it works. The problem was, that the homedir of the user had the mods drwxrwxr-x. I changed it to drwxr-xr-x, now it works... Hmm, strange.... How can I manage it that the group has write-access to this directory ? And why does the sshd not allow access when the group has write-access ? Sorry, I don't understand this. Is this part of the security-behaviour of sshd or what ? And can this be changed ? TIA ---Stephan
Well... The reason for that is that any user part of the same group can then add themselves, and thus log-in as the other person. This is an ssh security feature. And it would not be advisable to change. On Tue, Dec 07, 1999 at 10:22:10AM +0100, Security Webmaster OKDesign oHG wrote:
> Hi again, now it works. The problem was, that the homedir of the user had the mods drwxrwxr-x. I changed it to drwxr-xr-x, now it works... Hmm, strange.... How can I manage it that the group has write-access to this directory ? And why does the sshd not allow access when the group has write-access ? Sorry, I don't understand this. Is this part of the security-behaviour of sshd or what ? And can this be changed ? TIA ---Stephan
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
-------------------------------- Omar Al-Sakka -------------------------------- WARNING : PROLONGED EXPOSURE TO THIS MESSAGE HAZARDOUS TO YOUR HEALTH!! --------------------------------
On Tue, 7 Dec 1999, Omar Al-Sakka wrote:
> The reason for that is that any user part of the same group can then add themselves, and thus log-in as the other person. This is an ssh security feature. And it would not be advisable to change.
But if you would add a+t and the file were not group writable it would not be possible for someone else to change the file. Maybe that's a little too complicated to check for :-)
> On Tue, Dec 07, 1999 at 10:22:10AM +0100, Security Webmaster OKDesign oHG wrote:
> > Hi again, now it works. The problem was, that the homedir of the user had the mods drwxrwxr-x. I changed it to drwxr-xr-x, now it works... Hmm, strange.... How can I manage it that the group has write-access to this directory ? And why does the sshd not allow access when the group has write-access ? Sorry, I don't understand this. Is this part of the security-behaviour of sshd or what ? And can this be changed ? TIA ---Stephan
Cheers Robert -- Robert Casties --------------------- http://philoscience.unibe.ch/~casties History & Philosophy of Science Tel: +41/31/631-8505 Room: 216 Institute for Exact Sciences Sidlerstrasse 5, CH-3012 Bern Uni Bern (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)
On Tue, 7 Dec 1999, Robert Casties wrote:
> On Tue, 7 Dec 1999, Omar Al-Sakka wrote:
> > The reason for that is that any user part of the same group can then add themselves, and thus log-in as the other person. This is an ssh security feature. And it would not be advisable to change.
> But if you would add a+t and the file were not group writable it would not be possible for someone else to change the file. Maybe that's a little too complicated to check for :-)
And you should not trust too much for that to be portable and to do the same thing over all many unix variations. -Pete
> > On Tue, Dec 07, 1999 at 10:22:10AM +0100, Security Webmaster OKDesign oHG wrote:
> > > Hi again, now it works. The problem was, that the homedir of the user had the mods drwxrwxr-x. I changed it to drwxr-xr-x, now it works... Hmm, strange.... How can I manage it that the group has write-access to this directory ? And why does the sshd not allow access when the group has write-access ? Sorry, I don't understand this. Is this part of the security-behaviour of sshd or what ? And can this be changed ? TIA ---Stephan
> Cheers Robert
> -- Robert Casties --------------------- http://philoscience.unibe.ch/~casties History & Philosophy of Science Tel: +41/31/631-8505 Room: 216 Institute for Exact Sciences Sidlerstrasse 5, CH-3012 Bern Uni Bern (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)
On Tue, 7 Dec 1999, Petri Sirkkala. wrote:
> > But if you would add a+t and the file were not group writable it would not be possible for someone else to change the file. Maybe that's a little too complicated to check for :-)
> And you should not trust too much for that to be portable and to do the same thing over all many unix variations.
Naah, sure ;-) (I won't even trust all Linux kernel versions) I would set up a g+w (maybe g+s) group directory in the user's home directory and keep the homedir u+w only.
Robert
-- Robert Casties --------------------- http://philoscience.unibe.ch/~casties History & Philosophy of Science Tel: +41/31/631-8505 Room: 216 Institute for Exact Sciences Sidlerstrasse 5, CH-3012 Bern Uni Bern (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)
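Added example, not part of the original thread and not sshd's own code: a small model of the mode check discussed above, run against the drwxrwxr-x and drwxr-xr-x home directories from the first post and then against the shared-subdirectory layout from the last reply. The function names and the `user` and `shared` directory names are hypothetical, and everything is built in a temporary directory.

```shell
#!/bin/sh
# Added example (not sshd's code): model of the mode check discussed in the thread.
# All paths are constructed under a temporary directory.

# is_loose PATH: succeeds if group or others have write permission on PATH.
is_loose() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# audit_home HOME: walk the chain that protects the key file. Write access to a
# directory allows replacing entries in it, so every level has to be tight.
audit_home() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if is_loose "$p"; then
            echo "reject: $p is writable by group or others"
            return 1
        fi
    done
    echo "ok"
}

# build_home HOME MODE: constructed sample home with a private .ssh directory.
build_home() {
    mkdir -p "$1/.ssh" && : > "$1/.ssh/authorized_keys"
    chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys" && chmod "$2" "$1"
}

# add_shared_dir HOME: the layout from the last reply, a group-writable
# subdirectory ("maybe g+s") while the home directory itself stays u+w only.
add_shared_dir() {
    mkdir -p "$1/shared" && chmod 775 "$1/shared"
    chmod g+s "$1/shared" 2>/dev/null || true   # optional; some systems refuse it
}

demo=$(mktemp -d)
build_home "$demo/user" 775          # drwxrwxr-x, the mode from the first post
audit_home "$demo/user" || true      # reject: home is group-writable
chmod 755 "$demo/user"               # drwxr-xr-x, the mode that worked
add_shared_dir "$demo/user"
audit_home "$demo/user"              # ok: shared/ is outside the checked chain
rm -rf "$demo"
```

The shared directory stays group-writable, but it is not on the path from the home directory to the key file, so the audit passes.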
participants (4)
- Omar Al-Sakka
- Petri Sirkkala.
- Robert Casties
- Security Webmaster OKDesign oHG