Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])

Davis, Ricardo C. RCDavis at intermedia.com
Sat Mar 17 02:26:36 EST 2001


That was it!  Thank you so much, Markus!

It would have been nice if one could easily discern that from the debugging
information without looking at the source code.  But then, we are talking
about Unix here.  :)

I had not thought of the scenario regarding a compromise through group write
permissions.  Somebody really ought to put this in the OpenSSH FAQ (perhaps
as an example of what not to do) and save another security-newbie a few days
trying to figure it out!

The account that I'm dealing with is for automated processing and not a
"real" user; the account administrators group (basically the sys admins and
the ops manager) usually need only read access to check status of
processing.  The account's home directory was made group writeable so that
operational changes could be made "on the fly" without having to log into
that account.  But it's no great loss not being able to do so.

Thanks again!  You and others on this list have been very helpful!


-Ricardo

-----Original Message-----
From: Markus Friedl [mailto:Markus.Friedl at informatik.uni-erlangen.de]
Sent: Friday, March 16, 2001 3:07 AM
To: Davis, Ricardo C.
Subject: Re: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])


On Thu, Mar 15, 2001 at 05:51:54PM -0500, Davis, Ricardo C. wrote:
> drwxrwx---   10 myaccoun  acctAdm      4096 Mar 15 13:42 myaccount

sshd does not like group writeable home directories.
everyone from the group can do:
	$ cd myaccount
	$ mv .ssh .ssh-disabled
	$ mkdir .ssh
	$ echo mykey > .ssh/authorized_keys2
	
> # cd myaccount
> # ls -ld .ssh
> drwx------    2 myaccoun  myaccoun     4096 Mar 15 16:56 .ssh
> 
> Strange ... it doesn't appear to me there is a problem.

homedir is the problem.
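The condition Markus describes is what sshd enforces with "StrictModes yes": the home directory, ~/.ssh and the authorized_keys files must be owned by the user (or root) and must not be group- or world-writable, otherwise key authentication is silently refused. The script below is an added example, not code from this thread or from OpenSSH; it reimplements that ownership/permission check in POSIX sh using ls -ld (assumed available), builds a constructed home directory with the same drwxrwx--- mode shown in Ricardo's listing, and shows the check failing before and passing after the group-write bit is removed.

```shell
#!/bin/sh
# Added example: reproduce the StrictModes checks sshd applies to a home
# directory, ~/.ssh and ~/.ssh/authorized_keys{,2}. Assumes POSIX sh and ls.

# perm_ok PATH USER -> 0 if PATH is owned by USER or root and is not
# group- or world-writable; otherwise prints the reason and returns 1.
perm_ok() {
    path=$1; user=$2
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    set -- $(ls -ld "$path")          # $1 = mode string, $3 = owner
    owner=$3
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
        echo "bad owner on $path: $owner (expected $user)"
        return 1
    fi
    # In "drwxrwx---" the group write bit is column 6, other write is column 9.
    case $(printf '%s' "$1" | cut -c1-10) in
        ?????w*|????????w*)
            echo "group/world writable: $path ($1)"
            return 1 ;;
    esac
    return 0
}

# secure_home_ok HOME USER -> 0 if sshd (StrictModes yes) would accept
# key authentication for USER, 1 otherwise. authorized_keys files are
# optional, but when present they get the same check.
secure_home_ok() {
    home=$1; user=$2
    perm_ok "$home" "$user" || return 1
    [ -d "$home/.ssh" ] || return 0        # no keys at all: nothing to reject
    perm_ok "$home/.ssh" "$user" || return 1
    for f in authorized_keys authorized_keys2; do
        if [ -e "$home/.ssh/$f" ]; then
            perm_ok "$home/.ssh/$f" "$user" || return 1
        fi
    done
    return 0
}

# demo: constructed account laid out like the thread (home 770, .ssh 700).
# Returns 0 when the check rejects the 770 home and accepts it after chmod.
demo() {
    me=$(id -un)
    tmp=$(mktemp -d)
    mkdir -m 770 "$tmp/myaccount"
    mkdir -m 700 "$tmp/myaccount/.ssh"
    echo "# constructed placeholder key line" > "$tmp/myaccount/.ssh/authorized_keys2"
    if secure_home_ok "$tmp/myaccount" "$me"; then before=accepted; else before=rejected; fi
    chmod g-w "$tmp/myaccount"
    if secure_home_ok "$tmp/myaccount" "$me"; then after=accepted; else after=rejected; fi
    rm -rf "$tmp"
    echo "home 770: $before; home 750: $after"
    [ "$before" = rejected ] && [ "$after" = accepted ]
}

demo
```

Run it as a regular user; the first check prints the "group/world writable" reason for the home directory, which is exactly the detail the sshd debug output in the thread did not make obvious. Removing group write from the home directory (while leaving read access for the admin group) is enough to satisfy the check.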





More information about the openssh-unix-dev mailing list