From 5f047fbcceb7e981c67e0cfc325c5a386a15a09a Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 30 Aug 2006 01:07:00 +0000 Subject: [PATCH] - dtucker@cvs.openbsd.org 2006/08/21 08:15:57 [sshd.8] Add more detail about what permissions are and aren't accepted for authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@ --- ChangeLog | 4 ++++ sshd.8 | 18 ++++++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6eeca5a5..55e75708 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,10 @@ [sshd_config.5] Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@, ok jmc@ djm@ + - dtucker@cvs.openbsd.org 2006/08/21 08:15:57 + [sshd.8] + Add more detail about what permissions are and aren't accepted for + authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@ 20060824 - (dtucker) [openbsd-compat/basename.c] Include errno.h. diff --git a/sshd.8 b/sshd.8 index 778ea906..522279ee 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.233 2006/07/19 13:07:10 dtucker Exp $ +.\" $OpenBSD: sshd.8,v 1.234 2006/08/21 08:15:57 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os 
@@ -681,9 +681,23 @@ rlogin/rsh. .It ~/.ssh/authorized_keys Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described above. -This file is not highly sensitive, but the recommended +The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. .Pp +If this file, the +.Pa ~/.ssh +directory, or the user's home directory are writable +by other users, then the file could be modified or replaced by unauthorized +users. +In this case, +.Nm +will not allow it to be used unless the +.Cm StrictModes +option has been set to +.Dq no . +The recommended permissions can be set by executing +.Dq chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys . +.Pp .It ~/.ssh/environment This file is read into the environment at login (if it exists). It can only contain empty lines, comment lines (that start with -- 2.45.1
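Review bot: In the sshd.8 hunk the suggested command does not set the permissions the preceding sentence recommends. The text says the recommended permissions are "read/write for the user, and not accessible by others", but `.Dq chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys .` only removes group/other write and leaves group/other read intact, so readers who follow it still end up with a world-readable key file and directory. Either say the command sets the permissions that StrictModes requires (no write access for others) rather than "the recommended permissions", or recommend a mode such as `chmod 600 ~/.ssh/authorized_keys` for the file itself alongside the `go-w` on the directories. Minor grammar in the same hunk: with subjects joined by "or", "If this file, the ~/.ssh directory, or the user's home directory are writable" should read "is writable".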