[Bug 2042] New: Troubleshooting information should be logged when sshd doesn't have permission to read user's authorized_keys file
bugzilla-daemon at mindrot.org
Sat Sep 15 02:48:59 EST 2012
https://bugzilla.mindrot.org/show_bug.cgi?id=2042
Priority: P5
Bug ID: 2042
Assignee: unassigned-bugs at mindrot.org
Summary: Troubleshooting information should be logged when sshd doesn't have permission to read user's authorized_keys file
Severity: enhancement
Classification: Unclassified
OS: Linux
Reporter: asari.takashi at gmail.com
Hardware: All
Status: NEW
Version: 5.6p1
Component: sshd
Product: Portable OpenSSH
For ease of troubleshooting, I think sshd should complain when the
authorized_keys file couldn't be read.
Currently we can see debug level messages like this:
$ sudo /usr/sbin/sshd -dDp 2022
debug1: sshd version OpenSSH_5.6p1
:
debug1: trying public key file /Users/asari/.ssh/authorized_keys
debug1: Could not open authorized keys '/Users/asari/.ssh/authorized_keys': Permission denied
... but I believe this message should go to the info level, because
it's likely to be caused by a misconfiguration. (To be precise, I think
it's still fine to leave the log at debug level when authorized_keys
doesn't exist (No such file or directory).)
I see that many users, including me, have difficulty troubleshooting
this; typically the admin performed 'sudo cp pubkey
~username/.ssh/authorized_keys' and left the file owned by root with
mode 600.
One concern about this feature request is a case where root has placed
non-readable empty files at ~username/.ssh/authorized_keys{,2},
intending to prevent the user from placing his/her own authorized_keys
file... though I think it's a very rare case (and not even a problem if
the mode were user-readable).
By the way, when authorized_keys had too open a mode or was owned by
another user (other than root), we can already see messages like
"Authentication refused: bad ownership or modes for file
$USER/.ssh/authorized_keys", and a client can receive notice about this
as of OpenSSH 5.7 ( https://bugzilla.mindrot.org/show_bug.cgi?id=1554
). I understand that these messages are intended to point out a
security issue rather than a misconfiguration, but I'd be happy if I
could see similar messages for this case.
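The misconfiguration described in this report (a root-owned, mode-600 authorized_keys that passes sshd's StrictModes ownership and mode checks but cannot be opened once sshd is running as the user) is easy to catch with a pre-flight check on the server. The script below is an added example, not OpenSSH code and not from the reporter; it assumes GNU coreutils stat(1), the default StrictModes yes, and, for root-owned files, judges readability by the world-read bit only (group membership is not modelled, so a root:usergroup 0640 file would be misreported). The demo function builds its own scratch files; the root-owned case itself is left out because creating it needs privileges.

```shell
#!/bin/sh
# Added example (not part of OpenSSH): a pre-flight check that mirrors the
# conditions under which sshd ignores an authorized_keys file, so the
# "sudo cp left it root-owned with mode 600" mistake is caught without
# reading sshd -d output.
# Assumptions: GNU stat -c, StrictModes yes (the default), and for
# root-owned files readability is judged by the world-read bit only.

# check_authorized_keys USER FILE
# Prints a one-line verdict and returns:
#   0 usable  1 missing  2 bad ownership  3 bad modes  4 not readable by USER
check_authorized_keys() {
    user=$1
    file=$2
    dir=$(dirname "$file")
    if [ ! -e "$file" ]; then
        echo "missing: $file (sshd reports this only at debug level)"
        return 1
    fi
    uid=$(id -u "$user") || return 2
    f_owner=$(stat -c %u "$file"); f_mode=$(stat -c %a "$file")
    d_owner=$(stat -c %u "$dir");  d_mode=$(stat -c %a "$dir")

    # StrictModes: the file and its directory must belong to the user or root.
    if [ "$f_owner" != "$uid" ] && [ "$f_owner" != 0 ]; then
        echo "bad ownership: $file owned by uid $f_owner, expected $uid or 0"
        return 2
    fi
    if [ "$d_owner" != "$uid" ] && [ "$d_owner" != 0 ]; then
        echo "bad ownership: $dir owned by uid $d_owner, expected $uid or 0"
        return 2
    fi
    # StrictModes: neither may be group- or world-writable (mask 022).
    if [ $(( 0$f_mode & 022 )) -ne 0 ] || [ $(( 0$d_mode & 022 )) -ne 0 ]; then
        echo "bad modes: $file is $f_mode, $dir is $d_mode (group/world writable)"
        return 3
    fi
    # The case in the report: a root-owned 0600 file passes the checks above,
    # but sshd opens the file as the user, so the open fails with EACCES.
    if [ "$f_owner" = "$uid" ]; then
        readable=$(( 0$f_mode & 0400 ))   # owner read bit
    else
        readable=$(( 0$f_mode & 0004 ))   # world read bit (root-owned file)
    fi
    if [ "$readable" -eq 0 ]; then
        echo "not readable by $user: $file is owned by uid $f_owner with mode $f_mode"
        return 4
    fi
    echo "ok: $file"
    return 0
}

# demo_authorized_keys: builds a scratch directory (constructed sample data)
# with one good file and three broken ones, runs the check on each, and
# returns how many of the four it flagged.
demo_authorized_keys() {
    me=$(id -un)
    tmp=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE demo@example\n' > "$tmp/good"
    cp "$tmp/good" "$tmp/world_writable"
    cp "$tmp/good" "$tmp/unreadable"
    chmod 600 "$tmp/good"
    chmod 666 "$tmp/world_writable"
    chmod 000 "$tmp/unreadable"
    flagged=0
    for f in good world_writable unreadable absent; do
        check_authorized_keys "$me" "$tmp/$f" || flagged=$((flagged + 1))
    done
    rm -rf "$tmp"
    return "$flagged"
}
```

Run it as root against the real path, e.g. `check_authorized_keys alice /home/alice/.ssh/authorized_keys`; a non-zero exit with the "not readable" verdict is exactly the situation sshd currently reports only at debug level.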