Date: Mon, 10 Sep 2001 19:15:52 +0100
From: David Taylor
To: Adam Laurie
Cc: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?

On Mon, 10 Sep 2001, Adam Laurie wrote:
> > If you really want to verify all changes to users authorized_keys file,
> > change the ownership so users can't modify the file but still read it.
>
> and how would you do that without blocking their entire home directory
> then? :)
>

Easy enough

# mkdir ~user/.ssh
# touch ~user/.ssh/{authorized_keys,config,random,etc,etc,etc}
# chown root:usersprivategroup ~user/.ssh
# chmod 750 ~user/.ssh
# chown user:usersprivategroup ~user/.ssh/*
# chmod 640 ~user/.ssh/*
# chown root:usersprivategroup ~user/.ssh/authorized_keys

SSH even seems happy to have a root-owned authorized_keys file...

--
David Taylor
davidt@yadt.co.uk
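One way to check that an account's .ssh directory still matches the layout in the message above, added here as an example and not part of the original post. The function name `audit_ssh_layout` and the scratch directory in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# audit_ssh_layout USER SSH_DIR
# Reports anything that would let USER change SSH_DIR or its authorized_keys:
# ownership by USER, or group/world write bits (the group in the post's
# layout is the user's own private group, so group-writable means
# user-writable). Prints one line per finding; returns 0 if clean, 1 if not.
audit_ssh_layout() {
    user=$1
    dir=$2
    rc=0
    for p in "$dir" "$dir/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            rc=1
            continue
        fi
        # An owner can always chmod write access back, so ownership by the
        # user defeats the read-only intent regardless of the mode bits.
        if [ -n "$(find "$p" -prune -user "$user")" ]; then
            echo "OWNER    $p is owned by $user"
            rc=1
        fi
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE $p is group- or world-writable"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: a scratch directory stands in for ~user/.ssh. It is owned
# by whoever runs this script, so OWNER findings are expected here; on a real
# system run the audit as root against each account's directory.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
touch "$demo/.ssh/authorized_keys"
chmod 750 "$demo/.ssh"
chmod 640 "$demo/.ssh/authorized_keys"
audit_ssh_layout "$(id -u)" "$demo/.ssh" || echo "layout needs fixing"
rm -rf "$demo"
```
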