From: "Jeffrey J. Mountin"
To: Mike Silbersack
Cc: security@FreeBSD.ORG
Date: Thu, 11 May 2000 20:10:41 -0500
Subject: Re: envy.vuurwerk.nl daily run output

At 01:56 PM 5/10/00 -0500, Mike Silbersack wrote:
>This just got me thinking... are .ssh/authorized_keys files checked for
>changes by the security scripts? I know I probably wouldn't notice for a
>long while if someone had modified mine, all the time during which someone
>could be playing around on the box.

You could always force the ownership of .ssh/ and any files under it to root. This adds some administrative overhead, but then to change authorized_keys they already have root and you have a bigger fish to fry. The only thing that needed to change for openssh is the file permissions.

With ssh from ports the .ssh directory and files could be owned by root with the same group as the user:

.ssh/                   root:   mode 510
.ssh/authorized_keys    root:   mode 440

With openssh in the base system the modes must be 511 and 444 in order for RSA authentication to work, in contradiction with the suggestions in sshd(8).

In any case you can make it more difficult. Combining chflags and the secure level would make it even harder, but then you have an administrative nightmare to modify existing files.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
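
The ownership and mode scheme described in the message above, written as a check that a daily security run could call. This is an added example, not part of the original thread or of FreeBSD's own periodic scripts; the function names and argument order are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread. Function names and the
# argument order are assumptions made for this illustration.

# check_path PATH OWNER GROUP MODE: print one finding per mismatch.
# find -prune tests only PATH itself. Each test is positive, so a find
# error (e.g. unknown user name) is reported as a finding, not as clean.
# -user and -group also accept numeric ids; -perm MODE is an exact match.
check_path() {
    cp_rc=0
    [ -n "$(find "$1" -prune -user "$2")" ] || { echo "$1: owner is not $2"; cp_rc=1; }
    [ -n "$(find "$1" -prune -group "$3")" ] || { echo "$1: group is not $3"; cp_rc=1; }
    [ -n "$(find "$1" -prune -perm "$4")" ] || { echo "$1: mode is not $4"; cp_rc=1; }
    return $cp_rc
}

# audit_ssh_dir DIR OWNER GROUP DIRMODE FILEMODE
audit_ssh_dir() {
    as_rc=0
    if [ -L "$1" ] || [ ! -d "$1" ]; then
        echo "$1: not a real directory"; return 1
    fi
    check_path "$1" "$2" "$3" "$4" || as_rc=1
    as_keys="$1/authorized_keys"
    if [ -L "$as_keys" ]; then
        echo "$as_keys: is a symlink"; as_rc=1
    elif [ -f "$as_keys" ]; then
        check_path "$as_keys" "$2" "$3" "$5" || as_rc=1
    fi
    return $as_rc
}

# audit_all PASSWD_FILE OWNER DIRMODE FILEMODE
# Walks a passwd(5)-format file and audits every home that has a .ssh,
# expecting each account's primary gid as the group. Returns the number
# of accounts with findings (capped at 255, the largest exit status).
audit_all() {
    aa_bad=0
    while IFS=: read -r aa_user aa_pw aa_uid aa_gid aa_gecos aa_home aa_shell; do
        [ -e "$aa_home/.ssh" ] || [ -L "$aa_home/.ssh" ] || continue
        audit_ssh_dir "$aa_home/.ssh" "$2" "$aa_gid" "$3" "$4" || aa_bad=$((aa_bad + 1))
    done < "$1"
    [ "$aa_bad" -le 255 ] || aa_bad=255
    return $aa_bad
}

# Modes from the message: 510/440 for ssh from ports, 511/444 for the
# base-system OpenSSH. To run against the live system as root:
# audit_all /etc/passwd root 511 444
```

Run it as root, since the directories it inspects are not readable by other users under this scheme.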