Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: authorized_keys in /tmp/.ssh?

from [Alexander Klimov] Network Security [Permanent Link]
Subject: Re: authorized_keys in /tmp/.ssh?
Date: Thu, 19 Oct 2006 17:32:49 +0200 (IST) 
On Wed, 18 Oct 2006, Clem Taylor wrote:


/tmp is 1777, but /tmp/.ssh is 0700. When I attempt to login using a
key that is in authorized_keys, I get "sshd: Authentication refused:
bad ownership or modes for directory /tmp". If I change the
permissions of /tmp to 1755, then sshd will allow the login, but
this causes problems for things not running as root that need to
write to /tmp.

It seems that sshd is finding the absolute path of the
authorized_keys file and then stating the first path entry. I'm not
quite sure why it is checking the top level directory and not the
permissions of the directory that contains the authorized_keys.


Because someone can change the upper directory (rename its
subdirectory) and effectively replace your authorized_keys with
authorized_keys from some other directory: for example, if there are
/a/b/c and /a/d/c and one can change /a, he can rename /a/b -> /a/X
and /a/d -> /a/b -- even if he cannot change old /a/b, now /a/b/c is
his file.


I'd rather avoid having to separate tmpfs filesystems, so is there
an easy way to work around this problem? I'm using OpenSSH_3.9p1 and
OpenSSL 0.9.7e.


If you understand the security implications, simply edit
secure_filename in auth.c and remove the loop "for each component of
the canonical path, walking upwards".

-- 
Regards,
ASK
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: authorized_keys in /tmp/.ssh?, Benjamin Donnachie
Next by Date:  Re: Debugging SFTP for openSSH 4.4p1, Cam Macdonell
Previous by Thread:  Re: authorized_keys in /tmp/.ssh?, Emanuel Haupt
Next by Thread:  Re: authorized_keys in /tmp/.ssh?, Darren Tucker
Indexes:  [Date] [Thread] [Top] [All Lists]