On Sun, Feb 21, 2010 at 12:19:47PM +0100, Ingo Schwarze wrote:
> Tobias Ulmer wrote on Sun, Feb 21, 2010 at 02:36:43AM +0100:
>
> > I've got a bunch of "users" with no password/no way to log in, just to
> > keep services tidy and separated. Some of these have to connect to ssh
> > servers, therefore they require a .ssh/known_hosts. /etc/security thinks
> > this is a security risk and complains about it every night...
>
> I think the basic idea makes sense.
>
> The file name still in use for backward compatibility,
> ".ssh/authorized_keys2",
> is obviously missing from the patch, though.
Oh fsck, where's that file documented? I was looking at sshd(8) which I
thought should be authoritative about this kind of thing. A quick grep
through /usr/share/man has 0 matches.

Your patch looks fine to me.

> Reading /usr/src/usr.bin/ssh/pathnames.h, i found no other file
> name missing from the patch, but it would be nice if one of the
> OpenSSH hackers could confirm this.
>
> In case i receive an OK and no objections, i plan to put the
> following in after unlock:
>
> Index: security > =================================================================== > RCS file: /cvs/src/etc/security,v > retrieving revision 1.88 > diff -u -r1.88 security > --- security 3 Jun 2009 14:45:39 -0000 1.88 > +++ security 21 Feb 2010 10:28:14 -0000 > @@ -40,7 +40,7 @@ > printf("Login %s is off but still has a valid shell and > an entry in /etc/skey.\n", $1); > if (system("test -d "$9" -a ! -r "$9"") == 0) > printf("Login %s is off but still has valid shell and > home directory is unreadable\n\t by root; cannot check for existence of > alternate access files.\n", $1); > - else if (system("for file in .ssh .rhosts .shosts .klogin; do > if test -e "$9"/$file; then if ((ls -ld "$9"/$file | cut -b 2-10 | grep -q r) > && (test ! -O "$9"/$file)) ; then exit 1; fi; fi; done")) > + else if (system("for file in .ssh/authorized_keys > .ssh/authorized_keys2 .rhosts .shosts .klogin; do if test -e "$9"/$file; then > if ((ls -ld "$9"/$file | cut -b 2-10 | grep -q r) && (test ! -O "$9"/$file)) > ; then exit 1; fi; fi; done")) > printf("Login %s is off but still has a valid shell > and alternate access files in\n\t home directory are still readable.\n",$1); > } > if ($3 == 0 && $1 != "root")
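Review bot: the `+` line narrows the check from the whole `.ssh` directory to two hardcoded names, `.ssh/authorized_keys` and `.ssh/authorized_keys2`, so it only sees sshd's default key file locations; on a host where sshd_config sets AuthorizedKeysFile to another path the nightly check becomes silently blind to exactly the alternate access this block is meant to catch, whereas the removed `-` line flagged any readable, non-root-owned `.ssh` regardless of file name. Worth a comment next to the list (or a line in the commit message) saying it mirrors sshd's defaults, so whoever changes AuthorizedKeysFile knows to update /etc/security too. The rest of the loop (`test -e`, `ls -ld | cut -b 2-10 | grep -q r`, `test ! -O`) is unchanged from the `-` line, so the per-file semantics are the same as before.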