On Sun, 5 Jul 2020 15:20:50 -0500, Lionel B Dyck wrote:
>Good point - 600
>
>Website: https://www.lbdsoftware.com
>
>-----Original Message-----
>From: Grant Taylor
>Sent: Sunday, July 5, 2020 3:03 PM
>
>On 7/5/20 1:13 PM, Lionel B Dyck wrote:
>> Grant - that was it - for some reason my /home/me/.ssh was 777 -
>> changed to 644 and no more password prompt.
>
>O.o?! That sounds like a potential security problem. Hence why ssh wouldn't
>use the key files.
>
I believe Grant was discussing 777, not 644 as a security problem.
If others have read permission to ~/.ssh, they can determine only
the filenames; without search permission they can't access those
files.
Here's how I set my ~/.ssh permissions. Any criticism is welcome.
# ################################################
#! /bin/sh -x
# Doc: Set useful and safe permissions for ~/.ssh
: "in $0"
cd && chmod u+rwx .ssh && cd .ssh && chmod og-w .. ||
  { : "ssh requires that no one other than user be able to write \$HOME"
    exit 1; }          # report the failure to the caller
:
chmod -R og-rwx . && { # Prevent browsing -- especially authorized_keys
  chmod -R u+rw .      # User can read and write everything.
  chmod a+x .          # Allow everyone to search .ssh
  chmod a+r *.pub      # and to read public keys.
  ls -al; }            # Did we do it right?
# ################################################
My motivation for allowing others to read ~/.ssh/*.pub is to allow
them to grant me permission to their accounts if they choose.
Often the other guy is just me on another system.
-- gil
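An added audit script (not Gil's, and not part of the thread) that reports, without changing anything, on the conditions discussed above: $HOME and ~/.ssh not writable by group/other, the owner keeping rwx on ~/.ssh (the 644 mistake from the thread), and private keys closed to group/other. It assumes GNU stat (-c %a) with a BSD stat (-f %Lp) fallback, and takes the home directory to inspect as an argument.

```shell
#!/bin/sh
# Added audit example, not Gil's script: report on the conditions his
# script enforces without changing anything. Assumes GNU stat (-c %a),
# falling back to BSD stat (-f %Lp).

# mode_of PATH -> permission bits in octal (e.g. 700), empty on failure
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# any_bits MODE MASK -> true if any bit of MASK is set in MODE (octal strings)
any_bits() { [ $(( 0$1 & 0$2 )) -ne 0 ]; }

# all_bits MODE MASK -> true if every bit of MASK is set in MODE
all_bits() { [ $(( (0$1 & 0$2) == 0$2 )) -eq 1 ]; }

# ssh_perm_audit HOME_DIR -> one finding per line on stdout; always returns 0
ssh_perm_audit() {
    home=$1 sshdir=$1/.ssh
    # sshd (StrictModes) ignores keys when $HOME or ~/.ssh is group/other writable
    if any_bits "$(mode_of "$home")" 022; then
        echo "$home: writable by group/other"
    fi
    m=$(mode_of "$sshdir")
    if any_bits "$m" 022; then
        echo "$sshdir: writable by group/other"
    fi
    # The 644 mistake from the thread: without owner search permission on
    # ~/.ssh, ssh cannot open the key files and falls back to passwords.
    if ! all_bits "$m" 700; then
        echo "$sshdir: owner lacks rwx (mode ${m:-unknown}); contents not inspected"
        return 0
    fi
    for f in "$sshdir"/*; do
        [ -f "$f" ] || continue
        case $f in
            *.pub) ;;   # public keys may be world-readable, as in Gil's script
            *) # ssh refuses a private key with any group/other bit set;
               # Gil's script applies the same rule to every other file too.
               if any_bits "$(mode_of "$f")" 077; then
                   echo "$f: readable or writable by group/other"
               fi ;;
        esac
    done
    return 0
}

# ssh_perm_problem_count HOME_DIR -> number of findings
ssh_perm_problem_count() { ssh_perm_audit "$1" | wc -l | tr -d ' '; }
```

Run it as `ssh_perm_audit "$HOME"` on a real account; every finding corresponds to one line of Gil's script that would have fixed it.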
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN