From: Christian Baer
To: freebsd-questions@freebsd.org
Newsgroups: gmane.os.freebsd.questions
Date: Sat, 20 Jan 2007 17:01:03 +0100 (CET)
Subject: Re: ssh public key authentification

On Fri, 19 Jan 2007 09:53:23 -0600 Kirk Strauser wrote:

>> Why not? Group write is plenty enough for someone else to replace the
>> .ssh directory with another one, so sshd checks for that.
>
> To replace it with another 700 directory owned by the user, containing a 40=
> file also owned by the user?

That obviously isn't possible - at least not directly. It would be feasible
to replace an existing ssh_config in the user's directory if this had too
liberal rights and the file were located at ~, not ~/.ssh/. If the attacker
got at the config-file he or she could put in a new position for the
authorized_keys and thus replace the file.

All very theoretical and not likely since the defaults of FreeBSD won't
allow it. root must mess up for this one. Does root ever mess up? :-)

I think it's more likely that the sshd only checks this one directory in
case of public key authentication. If it is group- or world-writable it
doesn't trust the key file. Checking the exact location and the file itself
if there is any chance it could be tampered with would result in a more
complex algorithm and complexity is something you try to avoid in security
matters.

Regards
Chris
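
The permission question debated in this thread can be audited from the administrator's side. The following is an added example, not part of the original message and not OpenSSH's code: it flags the key file and every directory from it up to the home directory that is group- or world-writable or owned by someone other than the user or root. The function name `audit_key_path` and the problem strings are assumptions made for this illustration.

```python
import os
import stat


def audit_key_path(key_file, home, uid):
    """Return (path, problem) pairs for the key file and each directory
    between it and the home directory (inclusive) that another local
    user could modify. An empty list means nothing was flagged."""
    home = os.path.realpath(home)
    path = os.path.realpath(key_file)
    # Refuse to walk anything that does not live below the home directory.
    if os.path.commonpath([path, home]) != home:
        return [(path, "outside home directory")]
    problems = []
    is_key_file = True
    while True:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append((path, "does not exist"))
            return problems
        if is_key_file and not stat.S_ISREG(st.st_mode):
            problems.append((path, "not a regular file"))
        # Only the user or root may own any component of the path.
        if st.st_uid not in (0, uid):
            problems.append((path, "owned by uid %d" % st.st_uid))
        # 0o022 = group-write and world-write bits.
        if st.st_mode & 0o022:
            mode = stat.S_IMODE(st.st_mode)
            problems.append((path, "group/world writable (mode %04o)" % mode))
        if path == home:
            return problems
        path = os.path.dirname(path)
        is_key_file = False


if __name__ == "__main__":
    import pwd
    user = pwd.getpwuid(os.getuid())
    key = os.path.join(user.pw_dir, ".ssh", "authorized_keys")
    for flagged, problem in audit_key_path(key, user.pw_dir, user.pw_uid):
        print("%s: %s" % (flagged, problem))
```
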