tags 314347 pending
thanks

On Wed, Jun 15, 2005 at 03:59:38PM -0500, Branden Robinson wrote:
> 1148 {0} [EMAIL PROTECTED]:~/packages/xorg-x11/svn/trunk/debian$ svn up
> Bad owner or permissions on /home/branden/.ssh/config
> svn: Connection closed unexpectedly
> 1149 {1} [EMAIL PROTECTED]:~/packages/xorg-x11/svn/trunk/debian$ l -l $HOME/.ssh/config
> -rw-rw-r--  1 branden branden 125 Jun 26  2004 /home/branden/.ssh/config
> 1150 {0} [EMAIL PROTECTED]:~/packages/xorg-x11/svn/trunk/debian$ chmod 644 /home/branden/.ssh/config
> 1151 {0} [EMAIL PROTECTED]:~/packages/xorg-x11/svn/trunk/debian$ svn up
> At revision 220.
>
> I think that check is excessively paranoid.
Evidently I made all my ~/.ssh/config files mode 0644 ages ago for some
other reason, since I never noticed this change in behaviour ...

> I can think of a few possibilities for resolving this bug:
[...]
> 2) Simply tolerate group-writable files if the group name in question is
>    identical to the user name.
>
> 3) Alternatively or additionally to 2), ensure that the user is the only
>    member of the group owning the group-writable file.

The combination of these two suggestions seems to be the best fix. I've
implemented this in CVS and sent a patch upstream.

> 5) As part of the many migrations done to the new openssh world order, walk
>    /home and chmod g-w on all .ssh/config files.  Some people might
>    consider this intrusive, though, and it doesn't prevent the creation of
>    new accounts with this problem.

That would run into problems with NFS, too.

On Fri, Jun 17, 2005 at 12:59:45PM -0400, Frederic Briere wrote:
> I assume this is an attempt to make sure ~/.ssh/config is 0600 or
> something.

Actually, it's really to check that it's not *writable* by other parties.
The relevant ChangeLog entry says:

   - [EMAIL PROTECTED] 2004/04/18 23:10:26
     [readconf.c readconf.h ssh-keysign.c ssh.c]
     perform strict ownership and modes checks for ~/.ssh/config files,
     as these can be used to execute arbitrary programs; ok markus@
     NB. ssh will now exit when it detects a config with poor permissions

> * There's no mention of this behavior in the documentation

ssh(1) says:

     $HOME/.ssh/config
             This is the per-user configuration file.  The file format and
             configuration options are described in ssh_config(5).  Because
             of the potential for abuse, this file must have strict
             permissions: read/write for the user, and not accessible by
             others.

ssh_config(5) has similar text.

Cheers,

-- 
Colin Watson                                       [EMAIL PROTECTED]
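The combined rule from suggestions 2 and 3 above, as an added example in Python (not code from this thread or from OpenSSH itself; `config_perm_problem`, `group_member_names` and `audit_ssh_config` are names chosen here, and counting accounts whose primary gid is the file's group as group members is an assumption that is stricter than reading `gr_mem` alone):

```python
import os
import stat


def config_perm_problem(mode, uid, euid, user, group_name, group_members):
    """Decision rule for ~/.ssh/config: return why the file would be
    rejected, or None if it is acceptable.

    mode and uid are the stat() fields; euid/user identify the running
    user; group_name/group_members describe the group owning the file.
    """
    if uid not in (0, euid):
        return "not owned by the user or root"
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        # Suggestions 2 and 3 combined: group write is tolerated only for a
        # user-private group, i.e. named after the user with no one else in it.
        if group_name != user:
            return "group-writable by a group not named after the user"
        if any(member != user for member in group_members):
            return "group-writable and the group has other members"
    return None


def group_member_names(gr, passwd_entries):
    """Every account in a group: gr_mem lists only supplementary members, so
    accounts whose primary gid is this group are added as well (assumption)."""
    names = set(gr.gr_mem)
    names.update(p.pw_name for p in passwd_entries if p.pw_gid == gr.gr_gid)
    return names


def audit_ssh_config(path=None):
    """Apply the rule to a real file on a POSIX host (hypothetical helper,
    not OpenSSH's own check); returns the problem string or None."""
    import grp  # POSIX-only modules, imported here so the pure rule above
    import pwd  # stays importable everywhere
    euid = os.geteuid()
    pw = pwd.getpwuid(euid)
    path = path or os.path.join(pw.pw_dir, ".ssh", "config")
    st = os.stat(path)
    gr = grp.getgrgid(st.st_gid)
    members = group_member_names(gr, pwd.getpwall())
    return config_perm_problem(st.st_mode, st.st_uid, euid, pw.pw_name,
                               gr.gr_name, members)
```

With constructed values matching Branden's listing (`-rw-rw-r-- branden branden`), the rule accepts the file once the group is his private group and nobody else is in it, and rejects it for any other group-writable case.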