Mailinglist Archive: opensuse-security (465 mails)

Solved. Why? was: Re: [suse-security] Problems with OpenSSH after upgrading:private keys broken !
  • From: JW <jw@xxxxxxxxxxxxxxxxxx>
  • Date: Thu, 06 Dec 2001 13:07:54 -0600
  • Message-id: <5.1.0.14.0.20011206124740.020e1730@xxxxxxxxxxxxxxxxxxxxxxx>
At 07:28 PM 12/6/2001 +0100, you wrote:
>JW wrote:
>
>> I'm not a pro at this. In each case I copied the contents of the .pub file to ~/.ssh/authorized_keys on the remote server - that's all I should really need to do, yes?
>>
>> I just don't understand why it's failing.
>
>you need to copy the new DSA Key to authorized_keys2, notice the 2.

Thanks, I tried that; that also does not work on the new servers, but curiously it fixes the problem with the remote servers that haven't been updated yet. According to the man page you don't have to use "2":

jw@fluorite:~/.ssh > man ssh-keygen

$HOME/.ssh/id_rsa.pub
Contains the protocol version 2 RSA public key for authentication.
The contents of this file should be added to
$HOME/.ssh/authorized_keys on all machines where the user wishes
to log in using public key authentication. There is no need to
keep the contents of this file secret.

(same for DSA)

But on the old version man page it _does_ say you have to use authorized_keys2 for dsa specifically.

>After all, a look into the logfile of the Server you're connecting
>to would help. Maybe a permissions problem.

Ah! Now this is curious (why didn't I think of that...):

Dec 6 12:41:31 fluorite sshd[32564]: Authentication refused: bad ownership or modes for file /home/jw/.ssh/authorized_keys
Dec 6 12:41:31 fluorite sshd[32564]: Authentication refused: bad ownership or modes for file /home/jw/.ssh/authorized_keys2


-rw-rw-r-- 1 jw users 218 Dec 6 12:35 authorized_keys
-rw-rw-r-- 1 jw users 218 Dec 6 12:35 authorized_keys2

I also tried removing the group w bit, then the user w bit - which caused the error to change to:

Dec 6 12:47:03 fluorite sshd[32712]: Authentication refused: bad ownership or modes for directory /home/jw

I have my home group writable, we all do for certain reasons. I removed the g+w bit and the key worked - I wasn't asked for a password.

This is a SERIOUS problem - on our remote servers we have a certain user we all use at times that _has_ to have g+w. Is there a way to tell sshd to ignore the fact that ~ has the g+w bit?



>--
>intraDAT AG http://www.intradat.com
>Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0
>D - 60329 Frankfurt am Main Fax: +49 69-25629-256
> Junk mail is war. RFCs do not apply.

----------------------------------------------------
Jonathan Wilson
System Administrator

Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com
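The refusals quoted in the mail come from the ownership and mode walk sshd performs when its StrictModes option is on: the key file must be owned by the user (or root) and must not be group- or world-writable, and the same holds for every directory from the file's parent up to and including the home directory, which is why fixing authorized_keys only moved the complaint to /home/jw. The following script is an added example, not part of the original mail and not OpenSSH's own code; it approximates that walk in POSIX shell so a layout can be checked before the next login attempt. It assumes a GNU or BSD stat(1) and a writable temp directory, and the home tree it checks (user jw, modes 775/700/664 as in the mail's ls output) is constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the mail or from OpenSSH): approximate the
# ownership/mode checks sshd applies under StrictModes, so refusals like
# "bad ownership or modes for file ..." can be predicted in advance.
# Assumes GNU or BSD stat(1); the demo home layout below is constructed.

# Print "owner octalmode" for a path (GNU stat first, BSD stat as fallback).
perms() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

# Return 0 when PATH would satisfy StrictModes for USER: owned by USER or
# root, and not writable by group or others. Otherwise print a refusal
# line in sshd's wording and return 1.
mode_ok() {
    path=$1 user=$2
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    set -- $(perms "$path")
    owner=$1
    mode=$2
    mode=${mode#"${mode%???}"}           # keep the last three octal digits
    g=$(printf '%s' "$mode" | cut -c2)   # group permission digit
    o=$(printf '%s' "$mode" | cut -c3)   # other permission digit
    bad=""
    [ "$owner" = "$user" ] || [ "$owner" = root ] || bad="ownership"
    case $g$o in *[2367]*) bad="${bad:+$bad or }modes" ;; esac   # write bit set
    if [ -n "$bad" ]; then
        kind=file; [ -d "$path" ] && kind=directory
        echo "Authentication refused: bad $bad for $kind $path"
        return 1
    fi
    return 0
}

# Walk the way sshd does: the key file itself, then each directory from
# its parent up to HOME (inclusive). Prints every refusal; returns 1 if any.
check_auth_keys() {
    home=$1 user=$2 file=$3 rc=0
    mode_ok "$file" "$user" || rc=1
    dir=$(dirname "$file")
    while :; do
        mode_ok "$dir" "$user" || rc=1
        [ "$dir" = "$home" ] && break
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Constructed demo: reproduce the modes from the mail (g+w on ~ and on
# authorized_keys), expect refusals, then apply chmod g-w and expect success.
demo() {
    me=$(id -un)
    tmp=$(mktemp -d) || return 1
    h=$tmp/jw
    mkdir -p "$h/.ssh"
    echo "ssh-rsa AAAA... jw@fluorite" > "$h/.ssh/authorized_keys"
    chmod 775 "$h"; chmod 700 "$h/.ssh"; chmod 664 "$h/.ssh/authorized_keys"
    if check_auth_keys "$h" "$me" "$h/.ssh/authorized_keys"; then
        echo "unexpected: group-writable layout was accepted"
        rm -rf "$tmp"; return 1
    fi
    chmod g-w "$h" "$h/.ssh/authorized_keys"
    check_auth_keys "$h" "$me" "$h/.ssh/authorized_keys"; ok=$?
    rm -rf "$tmp"
    return $ok
}

demo
```

Run as an ordinary user it prints the two refusal lines for the 664 file and the 775 home directory, then nothing for the repaired tree. The sshd-side switch that disables this walk is StrictModes no in sshd_config, but that turns the check off for every account on the host, so a shared home that must stay group-writable is better handled by keeping the check on and moving only that user's key material to a non-writable directory (the AuthorizedKeysFile directive accepts a per-user path).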

