[PLUG] SSH/SCP: Passphrase lost

Elliott Mitchell ehem at m5p.com
Fri Sep 24 16:20:03 UTC 2004


>From: "Kenneth G. Stephens" <kens at cad2cam.com>
> On Thu, 2004-09-23 at 13:43, Elliott Mitchell wrote:
> > >From: "Kenneth G. Stephens" <kens at cad2cam.com>
> > > You may have to add execute permission for other to your home and .ssh2 
> > > directories.  The ssh daemon is still root while it tries to read your
> > > key.  Does not change you the user until after the key is checked.
> > 
> > You need to go back to the Unix basics class. Think about the
> > implications of what you said...   Changing the permissions is absolutely
> > unneeded.
> > 
> > If you then go and read about security, and in particular SSH; you'll
> > learn that having the .ssh directories be only readable/executable by you
> > IS THE STANDARD CONFIGURATION AS OTHERWISE IT IS NOT SECURE!!!

> Please notice that I did not say to open the permissions anymore than to
> let the ssh daemon running as root see the keys it needs to see.  Do not
> add other's read or write permissions to the home directory.  If root
> cannot read your keys you will never get logged in with them.

There are two severe flaws with what you're saying. First, as root is
god, it is rather difficult to stop a root from doing whatever it wants
to (the NSA kernel extensions change this, but this is a recent factor).
Even doing `chmod 000` on a file will not stop root from reading it,
because root is god and can do anything, and root can chmod it to any
other permissions it wants.

Second, sshd does a setuid() prior to accessing the keys. Add a third
factor: unless you're using an odd configuration, OpenSSH completely
ignores .ssh2 directories, utilizing only the .ssh directory.

Though allowing others to access the directory in theory won't kill you,
it is still a VERY BAD IDEA! I suggest you get better knowledge about
what you're dealing with next time you try to help others.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \   (    |         EHeM at gremlin.m5p.com PGP 8881EF59         |    )   /
  \_  \   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
    \___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/
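As an added illustration, not from this thread and not OpenSSH's own code, here is a small POSIX sh audit of the permission rules being argued over: the owner-and-not-group/world-writable checks that sshd applies under StrictModes (as described in sshd_config(5)), plus the posting's stricter rule that ~/.ssh itself is 0700. It runs against a constructed temporary fixture, never a real account.

```shell
#!/bin/sh
# Added example (not OpenSSH code): audit a home directory the way sshd's
# StrictModes does (home, ~/.ssh and authorized_keys owned by the user and
# not group/world writable), plus the thread's stricter rule that ~/.ssh
# itself is 0700. Parses POSIX `ls -ld`, so no GNU/BSD stat differences.

# path_mode_ok PATH USER: 0 if PATH exists, is owned by USER and is not
# writable by group or others; otherwise print why and return 1.
path_mode_ok() {
    p=$1; want=$2
    [ -e "$p" ] || { echo "missing: $p"; return 1; }
    set -- $(ls -ld "$p")          # $1 = mode string, $3 = owner name
    mode=$1; owner=$3
    [ "$owner" = "$want" ] || { echo "wrong owner on $p: $owner"; return 1; }
    case $mode in                  # char 6 = group w, char 9 = other w
        ?????w*)    echo "group-writable: $p ($mode)"; return 1 ;;
        ????????w*) echo "world-writable: $p ($mode)"; return 1 ;;
    esac
    return 0
}

# check_ssh_dir HOME USER: run every check, report all failures, return 1
# if any failed. authorized_keys is only checked when it exists.
check_ssh_dir() {
    home=$1; user=$2; rc=0
    path_mode_ok "$home" "$user" || rc=1
    path_mode_ok "$home/.ssh" "$user" || rc=1
    [ -e "$home/.ssh/authorized_keys" ] &&
        { path_mode_ok "$home/.ssh/authorized_keys" "$user" || rc=1; }
    if [ -d "$home/.ssh" ]; then   # the posting's rule: drwx------ only
        set -- $(ls -ld "$home/.ssh")
        case $1 in
            d???------*) ;;
            *) echo "not private: $home/.ssh ($1)"; rc=1 ;;
        esac
    fi
    return $rc
}

# Demo on a constructed throwaway fixture, not a real account.
demo=$(mktemp -d); me=$(id -un)
mkdir -p "$demo/home/.ssh"; : > "$demo/home/.ssh/authorized_keys"
chmod 755 "$demo/home"; chmod 775 "$demo/home/.ssh"
chmod 644 "$demo/home/.ssh/authorized_keys"
check_ssh_dir "$demo/home" "$me" || echo "=> sshd (StrictModes) would ignore these keys"
chmod 700 "$demo/home/.ssh"; chmod 600 "$demo/home/.ssh/authorized_keys"
check_ssh_dir "$demo/home" "$me" && echo "=> permissions acceptable"
rm -rf "$demo"
```

The demo first shows the "opened up" layout the thread debates being rejected, then the standard 700/600 layout passing.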