[Bug 2042] New: Troubleshooting information should be logged when sshd doesn't have permission to read user's authorized_keys file

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Sep 15 02:48:59 EST 2012


https://bugzilla.mindrot.org/show_bug.cgi?id=2042

          Priority: P5
            Bug ID: 2042
          Assignee: unassigned-bugs at mindrot.org
           Summary: Troubleshooting information should be logged when sshd
                    doesn't have permission to read user's authorized_keys
                    file
          Severity: enhancement
    Classification: Unclassified
                OS: Linux
          Reporter: asari.takashi at gmail.com
          Hardware: All
            Status: NEW
           Version: 5.6p1
         Component: sshd
           Product: Portable OpenSSH

For ease of troubleshooting, I think sshd should complain when
authorized_keys file  couldn't be read.

Currently we can see debug level messages like this:

$ sudo /usr/sbin/sshd -dDp 2022
debug1: sshd version OpenSSH_5.6p1
:
debug1: trying public key file /Users/asari/.ssh/authorized_keys
debug1: Could not open authorized keys
'/Users/asari/.ssh/authorized_keys': Permission denied

... but I believe this message should go to the info level, because
it's likely to be caused by a misconfiguration. (To be precise, I think
it's still fine to leave the log at debug level when authorized_keys
doesn't exist (No such file or directory).)

I see many users including me have difficulty with troubleshooting
about this, typically the admin performed 'sudo cp pubkey
~username/.ssh/authorized_keys' and left the file owned by root and
600-mode.

One concern about this feature request is about such a case like root
placed non-readable empty files into ~username/.ssh/authorized_keys{,2}
and intended to prevent the user from placing his/her own
authorized_keys file...  though I think it's a very rare case (and even
no problem if the mode were user-readable).

By the way, when authorized_keys had too open mode or was owned by the
other user (except by root),  even currently we can see messages like
"Authentication refused: bad ownership or modes for file
$USER/.ssh/authorized_keys", and a client can receive notice about this
as of OpenSSH 5.7 ( https://bugzilla.mindrot.org/show_bug.cgi?id=1554
). I understand that these messages intend not to point a
misconfiguration but to point a security issue, but I'd be happy if I
can see similar messages like this.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list