Package: openssh-server
Version: 1:5.5p1-3
Severity: important

Hi,

The base-files package just switched to umask 002 by default for new installs
(see #248140 and discussion in d-devel). However, with this setup,
openssh-server behaves badly. It is similar to #314347 that was opened for
openssh-client and permission checks for $HOME/.ssh/config. The fix for
this bug should probably be similar.

Here is an example of the problem:

On 15/05/2010 03:12, Joey Hess wrote:
> Vincent Danjean wrote:
>> I'm happy with this move. However, there is still an interaction with ssh
>> to deal with:
>> vdanj...@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
>> vdanj...@eyak:~$ ssh localhost
>> vdanj...@localhost's password:
>> And, in /var/log/auth.log:
>> May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or
>> modes for file /home/vdanjean/.ssh/authorized_keys
>>
>> vdanj...@eyak:~$ chmod -Rv g-w .ssh/authorized_keys
>> le mode de « .ssh/authorized_keys » a été modifié en 0644 (rw-r--r--).
>> vdanj...@eyak:~$ ssh localhost
>> You have mail.
>> Last login: Tue May 11 17:10:30 2010
>> vdanj...@eyak:~$
>>
>> My system is in UPG but I was using default umask 022
>
> FWIW, for openssh this is supposed to be fixed in version 1:4.1p1-3.
> See #314347. It was changed to allow group-writable files if
> the owner is the only member in the group.

Something is wrong here. Should 314347 be reopened?

vdanj...@eyak:~$ LC_ALL=C apt-cache policy openssh-server
openssh-server:
  Installed: 1:5.5p1-3
  Candidate: 1:5.5p1-3
  Version table:
 *** 1:5.5p1-3 0
        500 http://ftp.fr.debian.org unstable/main Packages
        500 http://ftp.fr.debian.org testing/main Packages
        100 /var/lib/dpkg/status
     1:5.1p1-5 0
        500 http://ftp.fr.debian.org stable/main Packages
     1:4.3p2-9etch3 0
        500 http://ftp.fr.debian.org oldstable/main Packages
vdanj...@eyak:~$ cat /etc/group /etc/passwd | grep '^vdanjean'
vdanjean:x:1000:
vdanjean:x:1000:1000:Vincent Danjean,,,:/home/vdanjean:/bin/bash
vdanj...@eyak:~$

  Regards,
    Vincent

-- System Information:
Debian Release: squeeze/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.33-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser                1.112             add and remove users and groups
ii  debconf [debconf-2.0]  1.5.32            Debian configuration management sy
ii  dpkg                   1.15.7.1          Debian package management system
ii  libc6                  2.11-0exp6        Embedded GNU C Library: Shared lib
ii  libcomerr2             1.41.11-1         common error description library
ii  libgssapi-krb5-2       1.8.1+dfsg-2      MIT Kerberos runtime libraries - k
ii  libkrb5-3              1.8.1+dfsg-2      MIT Kerberos runtime libraries
ii  libpam-modules         1.1.1-3           Pluggable Authentication Modules f
ii  libpam-runtime         1.1.1-3           Runtime support for the PAM librar
ii  libpam0g               1.1.1-3           Pluggable Authentication Modules l
ii  libselinux1            2.0.94-1          SELinux runtime shared libraries
ii  libssl0.9.8            0.9.8n-1          SSL shared libraries
ii  libwrap0               7.6.q-18          Wietse Venema's TCP wrappers libra
ii  lsb-base               3.2-23.1          Linux Standard Base 3.2 init scrip
ii  openssh-blacklist      0.4.1             list of default blacklisted OpenSS
ii  openssh-client         1:5.5p1-3         secure shell (SSH) client, for sec
ii  procps                 1:3.2.8-9         /proc file system utilities
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra  0.4.1           list of non-default blacklisted Op
ii  xauth                    1:1.0.4-1       X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard            <none>            (no description available)
pn  rssh                   <none>            (no description available)
ii  ssh-askpass            1:1.2.4.1-9       under X, asks user for a passphras
pn  ufw                    <none>            (no description available)

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:

Archive: http://lists.debian.org/20100517083101.4308.55473.report...@eyak.imag.fr
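
The rule quoted in the report (a group-writable file is acceptable only if the owner is the only member of the group) can be modelled for a single file as below. This is an added example, not part of the original report and not OpenSSH's or Debian's code. The vdanjean entries are the ones shown above; alice, bob and staff are constructed, and treating root-owned files as acceptable is an assumption.

```python
import stat

# The two vdanjean lines are the ones shown in the report; alice, bob and
# staff are constructed entries to exercise the rejected cases.
PASSWD = (
    "vdanjean:x:1000:1000:Vincent Danjean,,,:/home/vdanjean:/bin/bash\n"
    "alice:x:1001:1001::/home/alice:/bin/bash\n"
    "bob:x:1002:1001::/home/bob:/bin/bash\n"
)
GROUP = "vdanjean:x:1000:\nalice:x:1001:\nstaff:x:50:vdanjean,alice\n"


def group_members(gid, passwd_text=PASSWD, group_text=GROUP):
    """Names of every user in gid, by primary or supplementary membership."""
    members = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3] == str(gid):
            members.add(fields[0])  # primary group recorded in passwd
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2] == str(gid):
            members.update(name for name in fields[3].split(",") if name)
    return members


def check_key_file(mode, file_uid, file_gid, user, uid):
    """Return (accepted, reason) for one file, modelled on the rule above."""
    if file_uid not in (0, uid):  # assumption: root-owned files are also fine
        return False, "not owned by the user"
    if mode & stat.S_IWOTH:
        return False, "world-writable"
    # An empty group or one with any other member fails the comparison.
    if mode & stat.S_IWGRP and group_members(file_gid) != {user}:
        return False, "group-writable and the group is not private to the owner"
    return True, "ok"


if __name__ == "__main__":
    # Reporter's case: 0664 authorized_keys inside a user private group.
    print(check_key_file(0o664, 1000, 1000, "vdanjean", 1000))
    # Same mode, but bob shares alice's primary group.
    print(check_key_file(0o664, 1001, 1001, "alice", 1001))
```

Under this rule the reporter's 0664 file in group vdanjean (gid 1000, no other members) is accepted, while the same mode in a group shared through either /etc/passwd or /etc/group is refused.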