Date: Thu, 11 May 2000 20:10:41 -0500 From: "Jeffrey J. Mountin" <jeff-ml@mountin.net> To: Mike Silbersack <silby@silby.com> Cc: security@FreeBSD.ORG Subject: Re: envy.vuurwerk.nl daily run output Message-ID: <4.3.2.20000511192741.00c24ac0@207.227.119.2> In-Reply-To: <Pine.BSF.4.21.0005101351400.26803-100000@achilles.silby.co m> References: <20000509150609.L42267@vuurwerk.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
At 01:56 PM 5/10/00 -0500, Mike Silbersack wrote: >This just got me thinking... are .ssh/authorized_keys files checked for >changes by the security scripts? I know I probably wouldn't notice for a >long while if someone had modified mine, all the time during which someone >could be playing around on the box. You could always force the ownership of .ssh/ and any files under it to root. This adds some administrative overhead, but then to change authorized_keys they already have root and you have a bigger fish to fry. The only that needed to change for openssh is the file permissions. With ssh from ports the .ssh directory and files could be owned by root with the same group as the user: .ssh/ root:<user's group> mode 510 .ssh/authorized_keys root:<user's group> mode 440 With openssh in the bases system the modes must be 511 and 444 in order for RSA authentication to work in contradiction with the suggestions in sshd(8). In any case you can make it more difficult. Combining chflags and the secure level would make it even harder, but then you have an administrative nightmare to modify existing files. Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.20000511192741.00c24ac0>