[PATCH] ssh-copy-id should do chmod go-w

Nicolas Williams Nicolas.Williams at ubsw.com
Thu Oct 4 05:16:00 EST 2001


If your home directory is accessed via NFS, then yes, your .ssh has to
be 711 at least and your authorized_keys* files must be 644.

Doubly so if you're using secure NFS.

Unless your home directory is exported such that root on the NFS clients
has root privs on the server. And this caveat doesn't count if you're
using secure NFS.

Nico


On Wed, Oct 03, 2001 at 12:08:19PM -0700, Ladner, Eric (CLAD) wrote:
> 
> Ah.. maybe I'm not as paranoid as I should be.
> 
> Thanks for the info.
> 
> Eric
> 
> -----Original Message-----
> From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org]
> Sent: Wednesday, October 03, 2001 1:58 PM
> To: openssh-unix-dev at mindrot.org
> Subject: RE: [PATCH] ssh-copy-id should do chmod go-w
> 
> 
> 
> 
> $ ls -l .ssh/authorized_keys2
> -rw-------  1 mouring  users  237 Sep  4 17:43 .ssh/authorized_keys2
> 
> It does? =) Could have fooled my UNIX boxes.  <smile>
> 
> - Ben
> 
> On Wed, 3 Oct 2001, Ladner, Eric (CLAD) wrote:
> 
> > Doesn't the authorized_keys have to be world readable?
> >
> > Just checking..
> >
> > Eric
> >
> > -----Original Message-----
> > From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org]
> > Sent: Wednesday, October 03, 2001 1:36 PM
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: Re: [PATCH] ssh-copy-id should do chmod go-w
> >
> >
> >
> >
> > On Wed, 3 Oct 2001, Peter W wrote:
> >
> > > > chmod 700 .ssh; chmod 600 .ssh/authorized_keys
> > > >
> > > > makes more sense.  Changing ~/ permissions is a local policy issue, and I
> > > > know I get peeved when something changes my policy without asking.
> > >
> > > What about simply setting the umask to 077 before doing anything? If the
> > > user has existing files/dirs, they won't be changed, but any new stuff would
> > > be safely created.
> > >
> >
> > Best idea I've seen so far.
> >
> > If no one screams... this is what the new line will look like:
> >
> > { eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys"
> >
> > - Ben
> >
> >
> >
> 
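As an added example, not code from the thread or from ssh-copy-id itself, the POSIX shell script below runs the remote half of Ben's proposed line (umask 077, create .ssh if missing, append to authorized_keys) against a scratch HOME, and then checks the resulting modes against the two policies discussed: the tight 700/600 that umask 077 yields for newly created files, and Nico's minimum for a home directory on root-squashed NFS (711 on .ssh, 644 on authorized_keys, so that sshd running as the squashed root can still traverse the directory and read the key file). The sample key line is constructed and not a real key; the function names (append_key, perms, go_writable, check_home) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the openssh-unix-dev thread.
# Emulates the remote side of the proposed ssh-copy-id line on a scratch
# HOME and audits the permissions that result.

# Constructed public key line for the demonstration; not a real key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleNOTaREALkey user@example'

# append_key HOME_DIR: the remote command from the thread, run locally in a
# subshell so the umask and cd do not leak into the caller.
append_key() {
    printf '%s\n' "$SAMPLE_KEY" | (
        cd "$1" &&
        umask 077 &&
        { test -d .ssh || mkdir .ssh; } &&
        cat >> .ssh/authorized_keys
    )
}

# perms PATH: symbolic mode string, e.g. "drwx------" (portable across
# GNU and BSD ls, which differ in their numeric stat flags).
perms() {
    ls -ld "$1" | cut -c1-10
}

# go_writable PATH: succeed if group (column 6) or other (column 9) may write.
go_writable() {
    case "$(perms "$1")" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# check_home HOME_DIR POLICY: 0 if ~/.ssh and authorized_keys satisfy POLICY.
#   strict : exactly 700 / 600, what umask 077 produces for new files
#   nfs    : at least 711 / 644 per the thread (other-execute on .ssh,
#            other-read on the key file), and never group/other writable
check_home() {
    home="$1"; policy="$2"
    [ -d "$home/.ssh" ] && [ -f "$home/.ssh/authorized_keys" ] || return 1
    go_writable "$home/.ssh" && return 1
    go_writable "$home/.ssh/authorized_keys" && return 1
    d=$(perms "$home/.ssh")
    f=$(perms "$home/.ssh/authorized_keys")
    case "$policy" in
        strict)
            [ "$d" = "drwx------" ] && [ "$f" = "-rw-------" ]
            ;;
        nfs)
            # column 10: other-execute on the directory
            case "$d" in d????????x*) ;; *) return 1 ;; esac
            # column 8: other-read on the key file
            case "$f" in -??????r*) ;; *) return 1 ;; esac
            return 0
            ;;
        *)
            return 2
            ;;
    esac
}

# Stand-alone demonstration on a scratch directory.
demo_home=$(mktemp -d)
append_key "$demo_home"
printf '%s %s\n' "$(perms "$demo_home/.ssh")" "$(perms "$demo_home/.ssh/authorized_keys")"
if check_home "$demo_home" strict; then echo "strict policy: ok"; else echo "strict policy: FAIL"; fi
if check_home "$demo_home" nfs; then echo "root-squashed NFS: ok"; else echo "root-squashed NFS: squashed sshd could not read the key"; fi
rm -rf "$demo_home"
```

Running it shows the point of the thread in one line of output: a fresh ~/.ssh created under umask 077 comes out 700/600, which passes the strict policy and fails the NFS one, so on a root-squashed export the user still has to loosen the modes to 711/644 by hand; the checker also rejects any group- or world-writable .ssh or authorized_keys, which is the condition the original chmod go-w patch was meant to prevent.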




More information about the openssh-unix-dev mailing list