On Wed, 18 Oct 2006, Clem Taylor wrote:

> /tmp is 1777, but /tmp/.ssh is 0700. When I attempt to login using a
> key that is in authorized_keys, I get "sshd: Authentication refused:
> bad ownership or modes for directory /tmp". If I change the
> permissions of /tmp to 1755, then sshd will allow the login, but
> this causes problems for things not running as root that need to
> write to /tmp.
> It seems that sshd is finding the absolute path of the
> authorized_keys file and then stating the first path entry. I'm not
> quite sure why it is checking the top level directory and not the
> permissions of the directory that contains the authorized_keys.

Because someone can change the upper directory (rename its
subdirectory) and effectively replace your authorized_keys with
authorized_keys from some other directory: for example, if there are
/a/b/c and /a/d/c and one can change /a, he can rename /a/b -> /a/X
and /a/d -> /a/b -- even if he cannot change old /a/b, now /a/b/c is
his file.

> I'd rather avoid having to separate tmpfs filesystems, so is there
> an easy way to work around this problem? I'm using OpenSSH_3.9p1 and
> OpenSSL 0.9.7e.

If you understand the security implications, simply edit
secure_filename in auth.c and remove the loop "for each component of
the canonical path, walking upwards".