From owner-freebsd-security Mon Sep 10 11:20:43 2001
Delivered-To: freebsd-security@freebsd.org
Date: Mon, 10 Sep 2001 10:15:00 -0700 (PDT)
From: David Kirchner
To: David Taylor
Cc: Adam Laurie
Subject: Re: allow selective RSA AUTH in sshd setup?
In-Reply-To: <20010910191552.A61465@gattaca.yadt.co.uk>
Message-ID: <20010910101420.W85958-100000@localhost>

On Mon, 10 Sep 2001, David Taylor wrote:

> Easy enough
>
> # mkdir ~user/.ssh
> # touch ~user/.ssh/{authorized_keys,config,random,etc,etc,etc}
> # chown root:usersprivategroup ~user/.ssh
> # chmod 750 ~user/.ssh
> # chown user:usersprivategroup ~user/.ssh/*
> # chmod 640 ~user/.ssh/*
> # chown root:usersprivategroup ~user/.ssh/authorized_keys
>
> SSH even seems happy to have a root-owned authorized_keys file...

And then chflags schg .ssh so the user can't rename and re-create the .ssh
directory.
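
An added example, not part of the original thread: a Python check that a user's .ssh directory still matches the layout described above (directory and authorized_keys owned by the administrator, modes no looser than 750 and 640, schg set on the directory). The function name and the `admin_uid` and `require_schg` parameters are assumptions of this example; `st_flags` is only exposed on BSD-like systems.

```python
import os
import stat
import sys


def audit_ssh_lockdown(ssh_dir, admin_uid=0, require_schg=True):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    d = os.lstat(ssh_dir)  # lstat, so a symlinked .ssh does not pass
    if not stat.S_ISDIR(d.st_mode):
        return [f"{ssh_dir}: not a directory"]
    if d.st_uid != admin_uid:
        findings.append(f"{ssh_dir}: owner uid {d.st_uid}, expected {admin_uid}")
    # chmod 750: the group may list and search, only the owner may write
    if stat.S_IMODE(d.st_mode) & 0o027:
        findings.append(f"{ssh_dir}: mode {stat.S_IMODE(d.st_mode):o} is looser than 750")
    # chflags schg sets the system immutable flag, visible in st_flags
    if require_schg:
        flags = getattr(d, "st_flags", None)
        if flags is None:
            findings.append(f"{ssh_dir}: file flags not available on this platform")
        elif not flags & stat.SF_IMMUTABLE:
            findings.append(f"{ssh_dir}: schg flag not set")

    key = os.path.join(ssh_dir, "authorized_keys")
    try:
        k = os.lstat(key)
    except FileNotFoundError:
        findings.append(f"{key}: missing")
        return findings
    if not stat.S_ISREG(k.st_mode):
        findings.append(f"{key}: not a regular file")
    if k.st_uid != admin_uid:
        findings.append(f"{key}: owner uid {k.st_uid}, expected {admin_uid}")
    # chmod 640: the user reads the file through the group, nobody else may touch it
    if stat.S_IMODE(k.st_mode) & 0o137:
        findings.append(f"{key}: mode {stat.S_IMODE(k.st_mode):o} is looser than 640")
    return findings


if __name__ == "__main__":
    # Usage: pass one or more home directories to audit
    for home in sys.argv[1:]:
        for finding in audit_ssh_lockdown(os.path.join(home, ".ssh")):
            print(finding)
```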