Bug #7388
closed
arvados-login-sync doesn't remove write permission on ssh key
Description
OpenSSH will refuse to use an authorized_keys file if it is group-writable or global-writable.
In RH-based distributions, umask defaults to 002, which means the file will be 660, which violates the rule and stops the ssh-key login procedure.
For the other distributions, which probably don't have this problem, this is for safety's sake.
I'll create a github pull request in a short while.
Example:
[root@shell ~]# ls -la ~someone/.ssh/
total 12
drwx------ 2 someone someone 4096 Sep 28 10:08 .
drwxr-x--- 5 someone someone 4096 Sep 28 09:48 ..
-rw-rw---- 1 someone someone  699 Sep 28 10:10 authorized_keys
[root@shell ~]# /usr/sbin/sshd -f /etc/ssh/sshd_config -p 8888 -Dd
debug1: sshd version OpenSSH_5.3p1
debug1: read PEM private key done: type RSA
...
debug1: temporarily_use_uid: 501/502 (e=0/0)
debug1: trying public key file /home/someone/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for file /home/someone/.ssh/authorized_keys
debug1: restore_uid: 0/0
...
Updated by Chen Chen over 8 years ago
Pull request #29 created.
https://github.com/curoverse/arvados/pull/29
Updated by Brett Smith over 8 years ago
I just merged this branch and pushed it to master. Thanks very much!
Updated by Brett Smith over 8 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Applied in changeset arvados|commit:a5b2fa0f7dbefe103ce2bc87f1136ee01e915141.
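The failure mode described in this report, as an added Ruby example that is not the code from pull request #29 or from arvados-login-sync: it reproduces a group-writable authorized_keys under umask 002 and then writes the file with modes that do not depend on umask. The helper names (`too_permissive?`, `write_authorized_keys`, `demo`) and the key string are constructed for illustration, and the check covers only the mode bits of the one path, not the ownership and parent-directory checks sshd also performs.

```ruby
require "fileutils"
require "tmpdir"

# True when the path has the group-writable (020) or world-writable (002) bit
# set, the condition behind sshd's "bad ownership or modes" refusal.
def too_permissive?(path)
  (File.stat(path).mode & 0o022) != 0
end

# Write authorized_keys so the resulting modes do not depend on the caller's umask.
def write_authorized_keys(ssh_dir, keys)
  FileUtils.mkdir_p(ssh_dir)
  File.chmod(0o700, ssh_dir)
  target = File.join(ssh_dir, "authorized_keys")
  tmp = "#{target}.tmp.#{Process.pid}"
  File.open(tmp, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    f.chmod(0o600) # explicit: a leftover tmp file would keep its old mode
    f.write(keys.join("\n") + "\n")
  end
  File.rename(tmp, target) # atomic replace; the new inode carries mode 0600
  target
end

# Reproduce the problem under umask 002, then apply the umask-independent write.
def demo
  old = File.umask(0o002)
  key = "ssh-rsa AAAA...constructed someone@example" # constructed sample key
  Dir.mktmpdir do |home|
    ssh_dir = File.join(home, ".ssh")
    FileUtils.mkdir_p(ssh_dir)
    naive = File.join(ssh_dir, "authorized_keys")
    File.write(naive, key + "\n") # default 0666 & ~002 = 0664, group-writable
    before = File.stat(naive).mode & 0o777
    rejected_before = too_permissive?(naive)
    fixed = write_authorized_keys(ssh_dir, [key])
    { before: before, rejected_before: rejected_before,
      after: File.stat(fixed).mode & 0o777,
      rejected_after: too_permissive?(fixed),
      dir: File.stat(ssh_dir).mode & 0o777 }
  end
ensure
  File.umask(old) if old
end

p demo if __FILE__ == $PROGRAM_NAME
```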