SSH key question
Colin Watson
cjwatson at ubuntu.com
Sun Dec 20 18:16:54 UTC 2020
On Sat, Dec 19, 2020 at 08:31:31PM -0800, MR ZenWiz wrote:
> I looked in the auth.log and queried the message on the web.
>
> The message says:
>
> Authentication refused: bad ownership or modes for directory /home/admar
>
> The solution listed is to change the home directory to deny group and
> other write permissions on the home directory and set the permissions
> for ~/.ssh to 700 and ~/.ssh/authorized_keys to 600.
>
> I had my home set for 775, and write access to the users group (I have
> a good reason for this), so when I changed it to 755, the
> password-less login from the laptop worked.
>
> That would make perfect sense except for one minor detail: I have the
> exact same 775 permissions with the same group set on my laptop's home
> directory, and no issue whatsoever doing the password-less login from
> the desktop to the laptop.
Your setup will only work if the "users" group contains only you, and no
other users. Otherwise sshd will consider it insecure, because the
group-writability is no longer harmless: other users could use their
write access to your home directory to modify your ~/.ssh/ directory
(possibly by renaming the original out of the way).

The ability to have limited group-writability is a Debian patch; see
https://salsa.debian.org/ssh-team/openssh/blob/master/debian/patches/user-group-modes.patch
for details.
--
Colin Watson (he/him) [cjwatson at ubuntu.com]
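
A diagnostic sketch of the rule described in the reply above, added here as an example and not part of the original message or of OpenSSH: a path fails if it is world-writable, owned by someone other than the user or root, or group-writable while its group has any member besides the user. The function names, the problem strings and the treatment of an empty group are assumptions of this example.

```python
# Added diagnostic sketch; approximates the rule in the message, not sshd's code.
import grp
import os
import pwd
import stat


def group_has_only(gid, username, uid):
    """True if `username` is the only member of group `gid`."""
    try:
        group = grp.getgrgid(gid)
    except KeyError:
        return False
    # Users whose primary group is `gid` (from the passwd database).
    primary = [p for p in pwd.getpwall() if p.pw_gid == gid]
    if any(p.pw_uid != uid for p in primary):
        return False
    # Supplementary members listed in the group database.
    listed = set(group.gr_mem)
    if listed - {username}:
        return False
    return bool(primary or listed)  # assumption: an empty group does not qualify


def check_mode(mode, owner_uid, gid, username, uid, only_member=group_has_only):
    """Return the list of problems for one path's stat fields."""
    problems = []
    if owner_uid not in (0, uid):
        problems.append("owned by another user")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IWGRP and not only_member(gid, username, uid):
        problems.append("group-writable and group has other members")
    return problems


def audit(username):
    """Check home, ~/.ssh and authorized_keys; missing paths are skipped."""
    pw = pwd.getpwnam(username)
    ssh_dir = os.path.join(pw.pw_dir, ".ssh")
    report = {}
    for path in (pw.pw_dir, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        report[path] = check_mode(st.st_mode, st.st_uid, st.st_gid,
                                  username, pw.pw_uid)
    return report
```

Calling `audit("admar")` on each machine returns a dict mapping each path to its list of problems, which shows whether the two hosts differ in group membership rather than in file modes.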