[NBLUG/talk] SSH not letting me login

Eric Eisenhart eric at nblug.org
Wed Nov 3 17:48:45 PST 2004


On Wed, Nov 03, 2004 at 04:53:09PM -0800, Dave Sisley wrote:
> I'm reading this as meaning that someone could just replace 
> directory c (and all it contains) with evildir (now renamed c, 
> to fool me). Now evildir is a subdirectory of b, right?

Yes, exactly.

> In short, ssh is insisting that the .ssh file in my home directory
> be protected by protecting the entire tree, all the way to the top 
> (or the root, rather). 
> 
> So the message I got about my home dir would have mentioned another
> directory in the tree, had I mucked up the permissions any higher
> in the chain.

Yes, I think so.

The "secure_filename" function in 
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth.c?rev=HEAD
shows exactly how this is done.

Though, upon actually *looking* at the code, I find that they've got an
optimization in place so that, technically, it doesn't quite do that. 

Instead, after expanding the path into the real path (resolving any
symlinks), it stops checking for permissions problems after it's done
checking your home directory's permissions.  From looking at the revision
log, it looks like that change was required in order for the permissions
checks to work on systems where the home directory is on AFS (change was
made between revisions 1.24 and 1.25).  If you were to store your actual
.ssh directory outside of your home directory and symlink to that location,
then sshd would, indeed, traverse the entire path one component at a time up
to "/".

Also, it actually first opens the file, then checks permissions on the
opened filehandle, then checks all the directories, starting at the lowest
one.

If you run sshd with debug level 3 ("-ddd"), you'll see what
secure_filename is checking as it does it.
-- 
Eric Eisenhart
NBLUG Co-Founder & Director-At-Large
The North Bay Linux Users Group
http://nblug.org/
eric at nblug.org, IRC: Freiheit at freenode, AIM: falschfreiheit, ICQ: 48217244
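To make the order of operations described above concrete, here is an added example in C. It is not code from the post and not OpenSSH's secure_filename(); it is a hypothetical re-implementation of the same idea: open the file and fstat() the descriptor, realpath() the name, then strip one trailing component at a time and check each directory, stopping after the home directory (or at "/" if the home directory is never reached, as with a symlinked .ssh). The fixture builder (scenario()) and its HOME/sub/.ssh/authorized_keys layout under a mkdtemp() directory are constructed for the example; "unsafe" is taken to mean owned by neither root nor the user, or group/world writable.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not OpenSSH's secure_filename(): a file or directory is
 * "unsafe" if owned by someone other than root or the user, or if it is
 * group- or world-writable. */
static int unsafe(const struct stat *st, uid_t uid)
{
    return (st->st_uid != 0 && st->st_uid != uid) || (st->st_mode & 022) != 0;
}

/* Returns 0 if 'file' and the directories above it are acceptable,
 * -1 with a message in 'err' otherwise. */
int check_secure_path(const char *file, uid_t uid, const char *homedir,
                      char *err, size_t errlen)
{
    char path[PATH_MAX], home[PATH_MAX];
    struct stat st;
    int fd;

    /* 1. open first, then fstat() the descriptor: the object checked is the
     *    object that would be read, not whatever the name points at later. */
    if ((fd = open(file, O_RDONLY)) < 0 || fstat(fd, &st) < 0) {
        if (fd >= 0) close(fd);
        snprintf(err, errlen, "cannot open or stat %s", file);
        return -1;
    }
    close(fd);
    if (!S_ISREG(st.st_mode) || unsafe(&st, uid)) {
        snprintf(err, errlen, "bad ownership or modes for file %s", file);
        return -1;
    }

    /* 2. resolve symlinks so the directories walked are the real ones. */
    if (realpath(file, path) == NULL) {
        snprintf(err, errlen, "realpath failed for %s", file);
        return -1;
    }
    if (homedir == NULL || realpath(homedir, home) == NULL)
        home[0] = '\0';           /* no stopping point: walk up to "/" */

    /* 3. strip one trailing component at a time and check each directory;
     *    stop after the home directory, or at "/" if it is never reached. */
    for (;;) {
        char *cp = strrchr(path, '/');
        if (cp == NULL)
            break;
        if (cp == path)
            path[1] = '\0';       /* the parent is "/" itself */
        else
            *cp = '\0';
        if (stat(path, &st) < 0 || !S_ISDIR(st.st_mode) || unsafe(&st, uid)) {
            snprintf(err, errlen, "bad ownership or modes for directory %s", path);
            return -1;
        }
        if (strcmp(path, "/") == 0 || (home[0] != '\0' && strcmp(path, home) == 0))
            break;
    }
    return 0;
}

/* Constructed fixture (assumed layout): HOME/sub/.ssh/authorized_keys under a
 * fresh mkdtemp() directory that plays the role of the home directory.
 * Returns check_secure_path()'s result; -2 if the fixture could not be built. */
char last_err[PATH_MAX + 64];

int scenario(mode_t submode, mode_t filemode)
{
    char tmpl[] = "/tmp/sshchk.XXXXXX";
    char sub[PATH_MAX], sshdir[PATH_MAX], key[PATH_MAX];
    int fd, rc = -2;

    last_err[0] = '\0';
    if (mkdtemp(tmpl) == NULL)
        return rc;
    snprintf(sub, sizeof sub, "%s/sub", tmpl);
    snprintf(sshdir, sizeof sshdir, "%s/.ssh", sub);
    snprintf(key, sizeof key, "%s/authorized_keys", sshdir);
    /* chmod after mkdir so the umask cannot mask the mode under test. */
    if (mkdir(sub, 0700) == 0 && chmod(sub, submode) == 0 &&
        mkdir(sshdir, 0700) == 0 &&
        (fd = open(key, O_WRONLY | O_CREAT | O_EXCL, 0600)) >= 0) {
        close(fd);
        if (chmod(key, filemode) == 0)
            rc = check_secure_path(key, getuid(), tmpl, last_err, sizeof last_err);
    }
    unlink(key); rmdir(sshdir); rmdir(sub); rmdir(tmpl);
    return rc;
}

int main(void)
{
    printf("tight tree:            %d\n", scenario(0755, 0600));
    printf("world-writable parent: %d (%s)\n", scenario(0777, 0600), last_err);
    printf("group-writable key:    %d (%s)\n", scenario(0755, 0660), last_err);
    return 0;
}
```

Because the walk stops at the home directory, the world-writable /tmp above the fixture is never examined, which is the same reason the real sshd does not complain about an AFS or /tmp-hosted home; pass NULL as homedir and the walk continues to "/" and fails on /tmp's 1777 mode.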