time to fix silly ssh bug

Adam Jackson ajax at redhat.com
Tue Jun 19 15:17:49 UTC 2012


On 6/19/12 11:02 AM, Kevin Kofler wrote:
> Neal Becker wrote:
>> Jun 19 09:44:41 nbecker5 sshd[25418]: Authentication refused: bad
>> ownership or modes for directory /home/nbecker
>
> Looks like a new change in OpenSSH then, which is IMHO a regression, unless
> there's a clear security vulnerability being addressed there.

So, having actually bothered to read and think about the code now, the 
thing it's addressing is that if we're in the same group I can rename 
directories in your ~.  If there are any other files you own but I can 
write to (in directories I can write to), then I can clobber them with 
my pubkey and rename them to authorized_keys.  If there's another 
directory you own but I can write to, I can install that directory as 
your ~/.ssh.  Then I ssh to the machine with my own pubkey and suddenly 
I can log in as you.

Which isn't normally a thing, the way we work, because the group that 
owns your ~/.ssh is composed solely of you.  But sshd doesn't do the 
getgrent() thing to verify that, so it has no choice but to assume that 
group-writable directories are potential uid escalation attacks.

The code's not wrong, it's just perhaps not as right as it could be.

That said, since one's ~ is normally group-owned by a group consisting 
solely of one user, defaulting it to 755 instead of 775 would make sshd 
happy without any real side effects.

- ajax
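The ownership-and-modes walk ajax describes can be modelled in a few lines, which makes it easy to see exactly which component trips the "bad ownership or modes" refusal. The block below is an added example written for this page; it is not OpenSSH code and not from the thread. The function names (`secure_path`, `explain_bad`, `demo`), the throwaway home directory it builds under a temp dir, and the placeholder key text are all constructed for the demonstration. It applies the rules as stated in the message: the keys file and every directory from it up to and including the home directory must be owned by root or the user, and none of them may be group- or world-writable.

```python
"""Model of the ownership/permission walk sshd performs before trusting
~/.ssh/authorized_keys (added example, not OpenSSH code).

Rules modelled from the message above: the keys file and each directory
between it and the user's home directory must be owned by root or by the
user, and must carry no group/world write bit (the 022 bits). One writable
ancestor lets another member of the group swap a directory or file for one
they control, which is the uid escalation the check exists to prevent.
"""
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH   # the 022 bits that get refused


def explain_bad(path, st, uid):
    """Return a refusal reason for one path component, or None if it is fine."""
    if st.st_uid not in (0, uid):
        return f"bad ownership for {path}: owned by uid {st.st_uid}"
    if st.st_mode & WRITABLE_BY_OTHERS:
        return f"bad modes for {path}: {oct(stat.S_IMODE(st.st_mode))}"
    return None


def secure_path(keys_file, homedir, uid):
    """Return None if the whole path is trustworthy, else the first problem.

    Walk: check the file itself, then each parent directory upward, stopping
    once the home directory (or /) has been checked. Directories above the
    home directory are not examined, so a 1777 /tmp or /home is irrelevant.
    """
    keys_file = os.path.realpath(keys_file)
    homedir = os.path.realpath(homedir)
    try:
        st = os.stat(keys_file)
    except OSError as e:
        return f"cannot stat {keys_file}: {e}"
    if not stat.S_ISREG(st.st_mode):
        return f"{keys_file} is not a regular file"
    problem = explain_bad(keys_file, st, uid)
    if problem:
        return problem
    cur = keys_file
    while True:
        cur = os.path.dirname(cur)
        problem = explain_bad(cur, os.stat(cur), uid)
        if problem:
            return problem
        if cur == homedir or cur == "/":
            return None


def demo(home_mode):
    """Build a throwaway home dir with the given mode and run the check.

    Returns None (accepted) or the refusal reason, mirroring the sshd log
    line quoted in the thread. The tree and key text are constructed here.
    """
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "nbecker")          # constructed sample home
        sshdir = os.path.join(home, ".ssh")
        os.makedirs(sshdir)
        keys = os.path.join(sshdir, "authorized_keys")
        with open(keys, "w") as f:
            f.write("ssh-ed25519 AAAA... constructed-placeholder-key\n")
        os.chmod(keys, 0o600)
        os.chmod(sshdir, 0o700)
        os.chmod(home, home_mode)
        return secure_path(keys, home, os.getuid())


if __name__ == "__main__":
    # 755 is accepted; 775 is refused at the home directory itself, even
    # though ~/.ssh and authorized_keys are tight, which is the case in the thread.
    for mode in (0o755, 0o775):
        print(oct(mode), "->", demo(mode) or "accepted")
```

Running it shows the asymmetry the thread is about: a 775 home directory is refused solely on the mode bits, because the check never consults group membership and so cannot know that the group is a one-member user-private group.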

