Date: Mon, 10 Sep 2001 19:42:25 +0100 From: Adam Laurie <adam@algroup.co.uk> To: David Taylor <davidt@yadt.co.uk> Cc: Freebsd-security@FreeBSD.ORG Subject: Re: allow selective RSA AUTH in sshd setup? Message-ID: <3B9D0991.C5AD21FA@algroup.co.uk> References: <001c01c1385e$d8e43400$f0f2a118@tampabay.rr.com> <Pine.BSF.4.10.10109101235200.46378-100000@federation.addy.com> <20010910180239.B59628@area51.dk> <3B9CF42B.FDBF942A@algroup.co.uk> <20010910181527.C59628@area51.dk> <3B9D00D0.C522C41A@algroup.co.uk> <20010910191552.A61465@gattaca.yadt.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
David Taylor wrote:
>
> On Mon, 10 Sep 2001, Adam Laurie wrote:
>
> > > If you really want to verify all changes to users authorized_keys file,
> > > change the ownership so users can't modify the file but still read it.
> >
> > and how would you do that without blocking their entire home directory
> > then? :)
> >
>
> Easy enough
>
> # mkdir ~user/.ssh
> # touch ~user/.ssh/{authorized_keys,config,random,etc,etc,etc}
> # chown root:usersprivategroup ~user/.ssh
> # chmod 750 ~user/.ssh
> # chown user:usersprivategroup ~user/.ssh/*
> # chmod 640 ~user/.ssh/*
> # chown root:usersprivategroup ~user/.ssh/authorized_keys
$ mv .ssh .ssh-
$ cp -r .ssh- .ssh
$ cat dodgy_geezer.pub >> .ssh/authorized_keys
=:O
>
> SSH even seems happy to have a root-owned authorized_keys file...
true these days, but has not always been the case.
cheers,
Adam
--
Adam Laurie Tel: +44 (20) 8742 0755
A.L. Digital Ltd. Fax: +44 (20) 8742 5995
The Stores http://www.thebunker.net
2 Bath Road http://www.aldigital.co.uk
London W4 1LT mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3B9D0991.C5AD21FA>