What about the immutable bit "chmod +i .ssh".
If it is root owned, and the immutable bit set, no one can change it. Root has
to unset the bit first. However, it will not be able to update for new sshd
hosts, but that it is a security feature.
Atro, test this on your box and let me know.
Shirkdog
-----Original Message-----
From: atossava@cc.helsinki.fi [mailto:atossava@cc.helsinki.fi]
Sent: Friday, September 24, 2004 3:05 AM
To: secureshell@securityfocus.com
Subject: Re: Locking down ssh config in large env
Importance: Low
Robert Hajime Lanning wrote:
Actually if the .ssh directory is owned by root (and everything in it)
with the user not having write access to it, the user cannot delete the
.ssh directory.
I have just confirmed this on Linux. You neglected to mention that
the user can rename such a directory, which (while not removing the
actual contents of those files) accomplishes the desired effect none-
theless as the user can proceed to create their own .ssh directory.
--
Atro Tossavainen (Mr.) / The Institute of Biotechnology at
Systems Analyst, Techno-Amish & / the University of Helsinki, Finland,
+358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own.
< URL : http : / / www . helsinki . fi / %7E atossava / > NO FILE ATTACHMENTS
!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+
CryptoMail provides free end-to-end message encryption.
http://www.cryptomail.org/ Ensure your right to privacy.
Traditional email messages are not secure. They are sent as
clear-text and thus are readable by anyone with the motivation
to acquire a copy.
!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+
