Re: ssh public key authentification
On Fri, 19 Jan 2007 09:53:23 -0600 Kirk Strauser wrote:

>> Why not? Group write is plenty enough for someone else to replace the .ssh
>> directory with another one, so sshd checks for that.
>
> To replace it with another 700 directory owned by the user, containing a
> 400 file also owned by the user?

That obviously isn't possible - at least not directly. It would be feasible to replace an existing ssh_config in the user's directory if this had too liberal rights and the file were located at ~, not ~/.ssh/. If the attacker got at the config file he or she could put in a new position for the authorized_keys and thus replace the file. All very theoretical and not likely since the defaults of FreeBSD won't allow it. root must mess up for this one. Does root ever mess up? :-)

I think it's more likely that the sshd only checks this one directory in case of public key authentication. If it is group- or world-writable it doesn't trust the key file. Checking the exact location and the file itself if there is any chance it could be tampered with would result in a more complex algorithm, and complexity is something you try to avoid in security matters.

Regards
Chris
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ssh public key authentification
Kirk Strauser wrote:

>> The problem was not the authorized_keys file itself, it was my home
>> directory.
>
> I don't think so. More likely, it was the .ssh directory itself.

Nope. :-) The only thing I changed was /usr/home/christian from mode 770 to mode 750. Then it worked. I'm guessing it was the write bit for the group which led the sshd not to trust the key.

Regards,
Chris
Re: ssh public key authentification
On Thu, Jan 18, 2007 at 05:00:56PM -0600, Kirk Strauser wrote:
> On Thursday 18 January 2007 16:44, Christian Baer wrote:
>> The problem was not the authorized_keys file itself, it was my home
>> directory.
>
> I don't think so. More likely, it was the .ssh directory itself.

Why not? Group write is plenty enough for someone else to replace the .ssh directory with another one, so sshd checks for that.

Ceri
--
That must be wonderful! I don't understand it at all.
-- Moliere
Re: ssh public key authentification
On Friday 19 January 2007 9:10 am, Ceri Davies wrote:
> Why not? Group write is plenty enough for someone else to replace the .ssh
> directory with another one, so sshd checks for that.

To replace it with another 700 directory owned by the user, containing a 400 file also owned by the user?
--
Kirk Strauser
Re: ssh public key authentification
Hello Christian,

On 1/18/07, Christian Baer [EMAIL PROTECTED] wrote:
> Hi peeps!
>
> This may not seem to be a real FreeBSD issue, but I've gotten this to run on several other machines, just not my Sun running FreeBSD. To clarify this: I haven't really tried this on any other FreeBSD system recently though. I'm probably just too thick to get it right, so go ahead and insult me, if you see the flaw in my scheme. :-)
>
> The main idea behind my evil plan is to be able to log into my other computers on the net (LAN) using PuTTY on a Windows-XP box without having to type my password all the time. Don't worry about the security aspect if my key could be stolen, I have taken other measures to avoid that.
>
> The whole thing should be pretty trivial: I created a key using PuTTY, copied the public key to ~/.ssh/authorized_keys (everything in one line), chose the private key in PuTTY and tried to log in. All I got in response was: Server refused our key.

Have you verified the permissions of the authorized_keys file on the server? If you have permissions set too loose (e.g. unneeded read/write permission to groups/other users), sshd may be refusing to trust that file.

> I went through all the default settings of the sshd (and yes, I did give it a HUP, when I changed the key) and everything checked out as far as I could tell. I had the feeling that PuTTY and the key created by it were the cause, so I created a key with ssh-keygen(1). Same result.
>
> What did I miss?

If the file permissions seem to be OK, you may want to check for sshd entries in /var/log to see if there is a more verbose error available.

You may wish to give this a read (it mostly just covers those points):
http://www.freebsddiary.org/ssh-authorized-keys.php

Sincerely,
-Parker
Re: ssh public key authentification
On 1/18/07, Christian Baer [EMAIL PROTECTED] wrote:
> The whole thing should be pretty trivial: I created a key using PuTTY, copied the public key to ~/.ssh/authorized_keys (everything in one line), chose the private key in PuTTY and tried to log in. All I got in response was: Server refused our key.

Did you copy the displayed "Public key for pasting into OpenSSH" from PuTTYgen, or did you paste the actual contents of the public key? PuTTY's on-disk format for public keys is not compatible with OpenSSH.
--
Noel Jones
Re: ssh public key authentification
On Thu, 18 Jan 2007 11:50:52 -0600 Parker Anderson wrote:
> Have you verified the permissions of the authorized_keys file on the server? If you have permissions set too loose (e.g. unneeded read/write permission to groups/other users), sshd may be refusing to trust that file.

The directory has mode 700 and the file has 600. Restricting these any further could result in a problem. :-)

> You may wish to give this a read (it mostly just covers those points):
> http://www.freebsddiary.org/ssh-authorized-keys.php

Ok, I did that. Now it works! :-)

The problem was not the authorized_keys file itself, it was my home directory. This had mode 770, which seemed fine to me as it is owned by christian:christian. Making it group-readable shouldn't pose a security problem, as only I will be in this group. However, sshd didn't see it that way, it seems. Now that I changed it to 750, all is fine. :-)

Thanks for your help! Good night!
Chris
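The behaviour Chris reports here (home directory 770 rejected, 750 accepted, while .ssh is 700 and authorized_keys is 600) and the explanation given earlier in the thread (sshd refuses to trust the key file when any directory on the way to it is group- or world-writable) are what OpenSSH's StrictModes check does. The following is an added example, not code from the thread or from OpenSSH itself: a Python re-implementation modelled on OpenSSH's secure_filename() walk, which checks the file and then every parent directory up to and including the home directory, and reports which component would be rejected. The demo builds a throwaway home directory named after the thread's user; the directory layout and the key file contents are constructed.

```python
import os
import stat
import tempfile


def strict_modes_check(keyfile, home, uid):
    """Re-implementation (modelled on OpenSSH's secure_filename(), not OpenSSH's
    own code) of the ownership/permission walk sshd performs under StrictModes
    before trusting ~/.ssh/authorized_keys.

    Returns a list of complaint strings; an empty list means the file would be
    trusted. The walk checks the file, then each parent directory up to and
    including the home directory, and stops there: the mode of /home or / is
    not the user's responsibility and is not examined.
    """
    home = os.path.realpath(home)
    current = os.path.realpath(keyfile)
    complaints = []
    while True:
        st = os.stat(current)
        # Each component must be owned by the user or by root ...
        if st.st_uid not in (0, uid):
            complaints.append(f"{current}: owned by uid {st.st_uid}, not {uid} or root")
        # ... and neither group nor others may hold the write bit. This is the
        # test that rejects a 770 home directory even when the group contains
        # only the user: sshd does not reason about group membership at all.
        if st.st_mode & 0o022:
            complaints.append(
                f"{current}: group/world writable (mode {stat.S_IMODE(st.st_mode):04o})")
        parent = os.path.dirname(current)
        if current == home or parent == current:
            break
        current = parent
    return complaints


def demo():
    """Constructed scenario from the thread: home 770 is rejected, 750 is accepted.
    Returns (complaints_before_fix, complaints_after_fix)."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "christian")          # constructed home directory
        ssh_dir = os.path.join(home, ".ssh")
        keyfile = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(home)
        os.mkdir(ssh_dir)
        with open(keyfile, "w") as fh:
            fh.write("ssh-ed25519 CONSTRUCTED-PLACEHOLDER-KEY\n")  # not a real key
        os.chmod(home, 0o770)     # the setting that broke public key login
        os.chmod(ssh_dir, 0o700)  # as reported: directory 700 ...
        os.chmod(keyfile, 0o600)  # ... and file 600 were already fine
        before = strict_modes_check(keyfile, home, uid)
        os.chmod(home, 0o750)     # the fix reported in the thread
        after = strict_modes_check(keyfile, home, uid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("home 770:", before or "accepted")
    print("home 750:", after or "accepted")
```

Running it on a real account (`strict_modes_check(os.path.expanduser("~/.ssh/authorized_keys"), os.path.expanduser("~"), os.getuid())`) names the offending component directly, which is what sshd's own log line at the default verbosity does not do; it is useful to run before raising sshd's LogLevel just to find a stray write bit.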
Re: ssh public key authentification
On Thu, 18 Jan 2007 12:14:34 -0600 Noel Jones wrote:
> Did you copy the displayed "Public key for pasting into OpenSSH" from PuTTYgen, or did you paste the actual contents of the public key? PuTTY's on-disk format for public keys is not compatible with OpenSSH.

Yeah, I got that right. sshd wants to have the key in one line, while PuTTY-keygen makes several lines out of them. The problem was the homedir permissions (see other post).

Regards
Chris
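The format mismatch Noel raises and Chris confirms here (PuTTYgen's saved public key spans several lines and a header block, while authorized_keys wants one line per key) is the RFC 4716 "SSH2 PUBLIC KEY" layout versus OpenSSH's `keytype base64 comment` line; `ssh-keygen -i -f key.pub` performs the conversion on the server side. The following is an added example, not code from the thread, PuTTY or OpenSSH: a small Python parser that reads an RFC 4716 file (including backslash-continued header lines), recovers the key type from the first SSH wire string inside the base64 blob, and emits the one-line form. The sample key file is constructed from a dummy 32-byte value and is not a real key.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def ssh_string(data):
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def parse_rfc4716(text):
    """Parse an RFC 4716 / PuTTYgen public key file into (headers, key_blob).

    Header lines are 'Tag: value'; a value ending in a backslash continues on
    the next line. Everything between the headers and the END line is base64.
    """
    lines = text.strip().splitlines()
    if lines[0].strip() != BEGIN or lines[-1].strip() != END:
        raise ValueError("not an RFC 4716 public key file")
    headers = {}
    i = 1
    # Base64 never contains ':', so a colon marks a header line.
    while i < len(lines) - 1 and ":" in lines[i]:
        tag, _, value = lines[i].partition(":")
        value = value.strip()
        while value.endswith("\\"):            # continuation line
            i += 1
            value = value[:-1] + lines[i].strip()
        headers[tag.strip().lower()] = value
        i += 1
    blob = base64.b64decode("".join(l.strip() for l in lines[i:-1]), validate=True)
    return headers, blob


def key_type(blob):
    """The first SSH string in a public key blob names the algorithm
    (ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, ...)."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def to_openssh_line(text):
    """Convert RFC 4716 text to the single authorized_keys line sshd expects."""
    headers, blob = parse_rfc4716(text)
    comment = headers.get("comment", "").strip('"')
    line = f"{key_type(blob)} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def constructed_sample():
    """A constructed RFC 4716 file: an ssh-ed25519 blob holding 32 dummy bytes
    (NOT a real key) and a Comment header split across two lines."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    b64 = base64.b64encode(blob).decode("ascii")
    wrapped = [b64[i:i + 64] for i in range(0, len(b64), 64)]   # PuTTYgen-style wrapping
    return "\n".join([BEGIN,
                      'Comment: "constructed-\\',
                      'key-20070118"',
                      *wrapped,
                      END]) + "\n"


if __name__ == "__main__":
    print(to_openssh_line(constructed_sample()))
```

The conversion is lossless because the blob is the same in both formats; only the framing differs. If the line sshd receives still has embedded newlines, or a `Comment:` line pasted in front of it, the key is silently skipped, which produces exactly the "Server refused our key" symptom discussed in the thread.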
Re: ssh public key authentification
On Thursday 18 January 2007 16:44, Christian Baer wrote:
> The problem was not the authorized_keys file itself, it was my home
> directory.

I don't think so. More likely, it was the .ssh directory itself.
--
Kirk Strauser