Wrong permissions for $HOME

Michael Loftis mloftis at wgops.com
Sat Nov 19 05:13:21 EST 2011


On Fri, Nov 18, 2011 at 11:02 AM, Roman B. <rbyshko at gmail.com> wrote:
> Hi,
>
> today me and a friend of mine spent several hours figuring out why ssh
> still asked for a password after we set up public key authentication.
> We have tried to understand the problem by reading 'ssh -vvv ...', but
> unfortunately the output was not useful. At the end of the day we have
> found out that sshd actually was logging this problem.... So that's
> for the context.
>
> Now, can you please add some debugging information to ssh, so that the
> user is able to understand the problem by reading ssh -vvv which will
> be much more helpful in comparison to sshd logging. Is there any reason
> you haven't done so already?

Security mostly, also the fact that the error isn't on the client's
side anyway, it's server side.  The administrator would be able to
find the error quickly, it's not user-solvable anyway.  In the case
of a personal machine, you're both, so your responsibility is to check
your logs.

If you expose server side errors to the client you also give attackers
more information.  In this sort of a case the failure is ideally
identical to wrong password and user does not exist from the client's
point of view.  Thus an attacker can't gain any information from this
route.  Yes yes yes, sounds silly, but, every layer helps.  It's only
a small part of a security model.

-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
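
An added example for the server-side check discussed in this thread (not part of the original messages and not OpenSSH code): a shell approximation of the ownership and mode test that sshd applies to the home directory, `~/.ssh` and `authorized_keys`, assuming the refusal came from sshd's StrictModes option. The function names `path_ok` and `check_pubkey_paths` are hypothetical.

```shell
#!/bin/sh
# Added example: approximates the StrictModes test an administrator can run
# locally instead of relying on client-side 'ssh -vvv' output.
# A path passes if it is owned by the target uid or by root (uid 0)
# and is not writable by group or others.

# path_ok PATH UID -> 0 ok, 1 bad owner/mode, 2 missing or unreadable
path_ok() {
    p=$1
    uid=$2
    info=$(ls -ldn -- "$p" 2>/dev/null) || { echo "missing: $p" >&2; return 2; }
    perms=$(printf '%s\n' "$info" | awk '{print $1}')   # e.g. drwxr-xr-x
    owner=$(printf '%s\n' "$info" | awk '{print $3}')   # numeric uid (-n)
    gw=$(printf '%s' "$perms" | cut -c6)                # group write bit
    ow=$(printf '%s' "$perms" | cut -c9)                # other write bit
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "bad owner ($owner): $p" >&2
        return 1
    fi
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "group/world-writable ($perms): $p" >&2
        return 1
    fi
    return 0
}

# check_pubkey_paths HOME UID -> 0 if every path passes, 1 otherwise
check_pubkey_paths() {
    home=$1
    uid=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        path_ok "$p" "$uid" || rc=1
    done
    return $rc
}

# Usage (run as root or as the affected user):
#   check_pubkey_paths /home/alice "$(id -u alice)"
```

A failing path is reported on stderr; the usual remedy is `chmod go-w` on the reported path.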


More information about the openssh-unix-dev mailing list