Wrong permissions for $HOME

Roman B. rbyshko at gmail.com
Sat Nov 19 05:26:59 EST 2011


Thank you guys for a quick answer! I suspected this motivation. There
is one small case here when attacker still gets some information. If
attacker has stolen valid key, then trying to log in with this key
will give him either a shell or the information that user directory or
.ssh is writable (if we assume there was no other problem), but I
agree this is not a big deal anymore, after attacker has a valid key.


On Fri, Nov 18, 2011 at 19:13, Michael Loftis <mloftis at wgops.com> wrote:
> On Fri, Nov 18, 2011 at 11:02 AM, Roman B. <rbyshko at gmail.com> wrote:
>> Hi,
>>
>> today me and a friend of mine spent several hours figuring out why ssh
>> still asked for a password after we set up public key authentication.
>> We have tried to understand the problem by reading 'ssh -vvv ...', but
>> unfortunately the output was not useful. In the end of the day we have
>> found out that sshd actually was logging this problem.... So that's
>> for the context.
>>
>> Now, can you please add some debugging information to ssh, so that the
>> user is able to understand the problem by reading ssh -vvv which will
>> be much more helpful in comparison to sshd logging. Is there any reason
>> you haven't done so already?
>
> Security mostly, also the fact that the error isn't on the client's
> side anyway, it's server side.  The administrator would be able to
> find the error quickly, it's not user-solvable anyway.  In the case
> of a personal machine, you're both, so your responsibility is to check
> your logs.
>
> If you expose server side errors to the client you also give attackers
> more information.  In this sort of a case the failure is ideally
> identical to wrong password and user does not exist from the client's
> point of view.  Thus an attacker can't gain any information from this
> route.  Yes yes yes, sounds silly, but, every layer helps.  It's only
> a small part of a security model.
>
> --
>
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler
>
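The permission checks that, as Michael's reply says, sshd reports only in the server log can be run by the user on the server side before trying to log in. The script below is an added example, not code from the thread or from OpenSSH; it assumes GNU stat (-c) and mirrors the owner and group/other-write checks sshd applies under StrictModes to $HOME, ~/.ssh and authorized_keys.

```sh
#!/bin/sh
# Added example: reproduce the StrictModes checks sshd applies before it
# accepts ~/.ssh/authorized_keys, so the user can see the reason for the
# silent fallback to password authentication without the server log.
# Assumes GNU stat. Usage: check_strict_modes /home/user

# A path passes if it is owned by the invoking user or by root and is not
# writable by group or others (mode & 022 == 0), which is what sshd checks.
check_one() {
    path=$1
    mode=$(stat -c '%a' "$path") || return 1     # e.g. 755, 2775, 600
    owner=$(stat -c '%u' "$path") || return 1    # numeric owner uid
    if [ "$owner" != "$(id -u)" ] && [ "$owner" != 0 ]; then
        echo "bad owner on $path (uid $owner)" >&2
        return 1
    fi
    # The last two octal digits are group and other; a write bit makes
    # the digit 2, 3, 6 or 7. Match the second-to-last and last digit.
    case $mode in
        *[2367]?) echo "group-writable: $path (mode $mode)" >&2; return 1 ;;
        *[2367])  echo "world-writable: $path (mode $mode)" >&2; return 1 ;;
    esac
    return 0
}

# Walk the same chain sshd inspects: the key file, ~/.ssh, then $HOME.
# Returns 0 when every element passes, 1 otherwise (all problems reported).
check_strict_modes() {
    home=$1
    status=0
    for p in "$home/.ssh/authorized_keys" "$home/.ssh" "$home"; do
        check_one "$p" || status=1
    done
    return $status
}
```

Run it as the account that cannot log in; a non-zero exit with the printed path is the same condition sshd logs as "Authentication refused: bad ownership or modes".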

