Risk of StrictMode (but read only) - openssh


  1. Risk of StrictMode (but read only)

    Is there a risk associated with having authorized_keys files set to readable but "StrictMode no"?

    I am thinking particularly in the case of having public keys all centralized in a directory in /etc or something.


    Is it really a potential hack vector if someone can read a public key, or is the only real danger if they were writable?

    ---
    Don Hoover
    dxh@yahoo.com
    _______________________________________________
    openssh-unix-dev mailing list
    openssh-unix-dev@mindrot.org
    https://lists.mindrot.org/mailman/li...enssh-unix-dev


  2. Re: Risk of StrictMode (but read only)

    On Tue, Jul 15, 2008 at 07:51:00 -0700, Don Hoover wrote:
    > Is there a risk associated with having authorized_keys files set to readable but "StrictMode no"?
    >
    > I am thinking particularly in the case of having public keys all centralized in a directory in /etc or something.
    >
    >
    > Is it really a potential hack vector if someone can read a public key, or is the only real danger if they were writable?
    >
    > ---
    > Don Hoover
    > dxh@yahoo.com
    >


    If your OS supports POSIX ACLs, you could set an acl on each
    authorized_keys file to make it readable by the user without having to
    turn off StrictModes. (On Linux, you may need to supply the acl mount
    option to enable POSIX ACL support.)

    --
    Iain Morgan
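
The ACL approach from the reply above, as an added example that is not part of the original thread: it grants read access through an ACL entry and then checks that the file still has no group or other write bit, which is what the StrictModes permission test looks at. The function names are hypothetical, GNU `stat` and `setfacl` are assumed, and the check covers only the file itself.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not OpenSSH's.

# Approximation of the StrictModes test for one file: the owner must be the
# user or root, and neither group nor other may have write permission.
# (sshd applies the same test to the parent directories as well.)
strictmodes_ok() {
    sm_file=$1; sm_uid=$2
    sm_owner=$(stat -c %u "$sm_file") || return 2
    sm_mode=$(stat -c %a "$sm_file") || return 2
    [ "$sm_owner" -eq "$sm_uid" ] || [ "$sm_owner" -eq 0 ] || return 1
    # 022 octal = group-write | other-write
    [ $(( 0$sm_mode & 022 )) -eq 0 ]
}

# Give one user read access through a POSIX ACL instead of loosening the mode.
grant_read() {
    setfacl -m "u:$2:r" "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/authorized_keys"      # constructed sample file
    : > "$f"
    chmod 600 "$f"
    me=$(id -u)
    # In a centralized layout the file would be root-owned and $me the account.
    if command -v setfacl >/dev/null 2>&1 && grant_read "$f" "$me" 2>/dev/null
    then
        echo "ACL entry added, mode now $(stat -c %a "$f")"
    else
        echo "setfacl missing or filesystem mounted without ACL support"
    fi
    strictmodes_ok "$f" "$me" && echo "read-only grant: passes"
    chmod g+w "$f"
    strictmodes_ok "$f" "$me" || echo "group-writable: rejected"
    rm -rf "$dir"
}
demo
```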

