Bug #1629

incorrect permissions on ssh_authorized_keys created files

Added by Marc Fournier over 3 years ago. Updated almost 2 years ago.

Status: Closed
Start date: 10/03/2008
Priority: Normal
Due date:
Assignee: James Turnbull
% Done: 0%
Category: ssh
Target version: 0.24.8
Affected Puppet version: 0.24.5
Branch:
Keywords: ssh authorized_keys mode permission
Votes: 0

Description

When setting the “target” parameter to something outside the user’s home (e.g. /etc/ssh/authorized_key/${username}.pub), the file containing the public keys is owned by root with mode 0600. During ssh login, sshd changes its process uid before reading the authorized keys file and therefore key-based login fails because sshd can’t read this file owned and readable only by root.

When changing file mode to 0644 or changing the file owner to the target user, key-based login works as expected.

The idea behind this is to be able to have root-owned authorized keys files to prevent users from putting more than their own key in their account keyring.

Maybe we should have an additional boolean parameter which would let the admin define if the key files can be editable by the user or not.
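As an added illustration (not part of this ticket or of Puppet's code), the check below evaluates an authorized_keys file's owner and mode the way sshd effectively does after switching to the target user: the root:root 0600 case from the report comes out unreadable, while the 0644 and user-owned variants pass. The StrictModes rule (owner must be root or the user, file not group/world-writable) and the uid 1000 sample values are my additions, not something the ticket states.

```python
"""Check whether sshd could read an authorized_keys file placed outside the user's home.

sshd temporarily switches to the target user's uid/gid before opening the
authorized keys file, so the file must be readable as that user, not as root.
With StrictModes (the OpenSSH default) it also rejects files that are writable
by anyone other than the owner, or not owned by root or the user.
"""
import grp
import os
import pwd
import stat


def readable_as(st_uid, st_gid, st_mode, uid, gids):
    """Classic Unix read check for a non-root process with uid `uid` and group set `gids`."""
    if st_uid == uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def strict_modes_ok(st_uid, st_mode, uid):
    """Mirror sshd's StrictModes rule: owned by root or the user, not group/world-writable."""
    return st_uid in (0, uid) and (st_mode & 0o022) == 0


def evaluate(st_uid, st_gid, st_mode, uid, gids):
    """Return 'unreadable', 'insecure' or 'ok' for a file with these attributes."""
    if not readable_as(st_uid, st_gid, st_mode, uid, gids):
        return "unreadable"   # the case in this ticket: root:root 0600
    if not strict_modes_ok(st_uid, st_mode, uid):
        return "insecure"     # e.g. a 0666 "fix" that sshd would refuse
    return "ok"


def check_file(path, username):
    """Evaluate a real file on this host for a real local account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    st = os.stat(path)
    return evaluate(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), pw.pw_uid, gids)


if __name__ == "__main__":
    # Constructed attributes: uid/gid 1000 stands in for the target user.
    for label, owner, mode in [("root:root 0600", 0, 0o600), ("root:root 0644", 0, 0o644),
                               ("user-owned 0600", 1000, 0o600), ("root:root 0666", 0, 0o666)]:
        print(f"{label:16} -> {evaluate(owner, 0, mode, 1000, {1000})}")
```

Run `check_file("/etc/ssh/authorized_keys/<user>.pub", "<user>")` on a host to test the actual file Puppet manages.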

History

Updated by James Turnbull over 3 years ago

  • Status changed from Unreviewed to Needs Decision

I don’t use the type. I’ll leave it for the developer to comment.

Updated by Francois Deppierraz about 3 years ago

Fix available at http://github.com/ctrlaltdel/puppet/tree/tickets/0.24.x/1629

Tests are a work in progress. Any advice about how to test the provider flush method is welcome!

Updated by Francois Deppierraz about 3 years ago

  • Status changed from Needs Decision to In Topic Branch Pending Review
  • Target version set to 0.24.7

Ok, a bunch of tests was added and some refactoring as well. Everything was squashed in a single commit for clarity.

http://github.com/ctrlaltdel/puppet/commits/tickets/0.24.x/1629

Updated by James Turnbull about 3 years ago

  • Target version changed from 0.24.7 to 0.25.0

This isn’t going to make 0.24.7

Updated by Francois Deppierraz about 3 years ago

  • Status changed from In Topic Branch Pending Review to Ready For Checkin

Updated by Francois Deppierraz about 3 years ago

  • Assignee changed from Francois Deppierraz to James Turnbull

James,

I’m not sure on which branch you’ll be handling work for 0.25?

Anyway, a branch rebased on master is available at http://github.com/ctrlaltdel/puppet/commits/tickets/master/1629

Updated by James Turnbull about 3 years ago

  • Status changed from Ready For Checkin to Closed

Pushed in commit:69432d6f1dda6a59a015bcd30a729524e3655fd3 in branch master.

Updated by Francois Deppierraz almost 3 years ago

  • Status changed from Closed to Re-opened
  • Target version changed from 0.25.0 to 0.24.8

Hi James,

It would be great if this fix could be included in 0.24.8. BTW, the fix for #2004 depends on it too.

Updated by James Turnbull almost 3 years ago

  • Status changed from Re-opened to Closed

Pushed in commit:8a671e528e2d024f19c22e0381c3dc135d32884b in branch 0.24.x
