Bug #1629
incorrect permissions on ssh_authorized_keys created files
| Status: | Closed | Start: | 10/03/2008 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: |  James Turnbull |
% Done: | 0% |
|
| Category: | ssh | |||
| Target version: | 0.24.8 | |||
| Affected version: | 0.24.5 | Branch: | ||
| Keywords: | ssh authorized_keys mode permission | |||
| Votes: | 0 |
Description
When setting the “target” parameter to something outside the user’s home (e.g. /etc/ssh/authorized_key/${username}.pub), the file containing the public keys are owned by root with mode 0600. During ssh login, sshd changes it’s process uid before reading the authorized keys file and therefore key-based login fails because sshd can’t read this file owned and readable only by root.
When changing file mode to 0644 or changind the file owner to the target user, key-based login works as expected.
The idea behind this is to be able to have root-owned authorized keys files to prevent users from putting more than their own key in their account keyring.
Maybe we should have an additional boolean parameter which would let the admin define if the key files can be editable by the user or not.
Associated revisions
Revision 9eb377aab786296d2b9c5c4807026bf8e5f89f55
Fixed #2004 – ssh_authorized_key fails if no target is defined
This commit depends on 7f291afdacf59f762c3b78481f5420ec8919e46d (fixing #1629) which was cherry-picked from master.
Signed-off-by: Francois Deppierraz francois@ctrlaltdel.ch
Revision 39deaf373c46c20d14a04391ad4b7c70ad43e266
Fixed #2004 – ssh_authorized_key fails if no target is defined
This commit depends on 7f291afdacf59f762c3b78481f5420ec8919e46d (fixing #1629) which was cherry-picked from master.
Signed-off-by: Francois Deppierraz francois@ctrlaltdel.ch
History
Updated by James Turnbull almost 2 years ago
- Status changed from Unreviewed to Needs design decision
I don’t use the type. I’ll leave it for the developer to comment.
Updated by Francois Deppierraz almost 2 years ago
Fix available at http://github.com/ctrlaltdel/puppet/tree/tickets/0.24.x/1629
Tests are a work in progress. Any advice about how to test the provider flush method is welcome !
Updated by Francois Deppierraz over 1 year ago
- Status changed from Needs design decision to Ready for Testing
- Target version set to 0.24.7
Ok, a bunch of tests was added and some refactoring as well. Everything was squashed in a single commit for clarity.
http://github.com/ctrlaltdel/puppet/commits/tickets/0.24.x/1629
Updated by James Turnbull over 1 year ago
- Target version changed from 0.24.7 to 0.25.0
This isn’t going to make 0.24.7
Updated by Francois Deppierraz over 1 year ago
- Status changed from Ready for Testing to Ready for Checkin
Updated by Francois Deppierraz over 1 year ago
- Assignee changed from Francois Deppierraz to James Turnbull
James,
I’m not sure if on which branch you’ll be handling work for 0.25 ?
Anyway, a branch rebased on master is available at http://github.com/ctrlaltdel/puppet/commits/tickets/master/1629
Updated by James Turnbull over 1 year ago
- Status changed from Ready for Checkin to Closed
Pushed in commit:“69432d6f1dda6a59a015bcd30a729524e3655fd3” in branch master.
Updated by Francois Deppierraz over 1 year ago
- Status changed from Closed to Re-opened
- Target version changed from 0.25.0 to 0.24.8
Hi James,
It would be great if this fix could be included in 0.24.8. BTW, the fix for #2004 depends on it too.
Updated by James Turnbull over 1 year ago
- Status changed from Re-opened to Closed
Pushed in commit:“8a671e528e2d024f19c22e0381c3dc135d32884b” in branch 0.24.x