diff options
Diffstat (limited to 'zarb-ml/mageia-discuss/20110925/005474.html')
| -rw-r--r-- | zarb-ml/mageia-discuss/20110925/005474.html | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/zarb-ml/mageia-discuss/20110925/005474.html b/zarb-ml/mageia-discuss/20110925/005474.html new file mode 100644 index 000000000..0bab74d9f --- /dev/null +++ b/zarb-ml/mageia-discuss/20110925/005474.html @@ -0,0 +1,111 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-discuss] password-less ssh + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20password-less%20ssh&In-Reply-To=%3C201109250449.35602.maarten%40rmail.be%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="005476.html"> + + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-discuss] password-less ssh</H1> + <B>Maarten Vanraes</B> + <A HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20password-less%20ssh&In-Reply-To=%3C201109250449.35602.maarten%40rmail.be%3E" + TITLE="[Mageia-discuss] password-less ssh">maarten at rmail.be + </A><BR> + <I>Sun Sep 25 04:49:35 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="005476.html">[Mageia-discuss] Strange behavior after kernel update +</A></li> + + <LI> <B>Messages sorted by:</B> + <a href="date.html#5474">[ date ]</a> + <a href="thread.html#5474">[ thread ]</a> + <a href="subject.html#5474">[ subject ]</a> + <a href="author.html#5474">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Op zaterdag 24 september 2011 20:34:49 schreef Juergen Harms: +><i> On 09/24/2011 06:30 PM, Deri James wrote: +</I>><i> > It "StrictModes" is turned on in sshd_conf I assume the permissions of +</I>><i> > the link itself is checked +</I>><i> +</I>><i> StrictMode no or yes does not make any difference: password still +</I>><i> required if login from the laptop to the server +</I>><i> +</I>><i> > Another possibility is to set AuthorizedKeysFile to +</I>><i> > point to your file in /etc +</I>><i> +</I>><i> I did not try to put my user data to /etc ..., /etc is not a place for +</I>><i> user-specific data, and is specific to each OS partition. I tried (and +</I>><i> /common is not on my root file-system - the problem might be there) +</I>><i> +</I>><i> AuthorizedKeysFile /common/share/home/harms/.ssh/authorized_keys +</I>><i> +</I>><i> Result: password is still required; but there is an effect: a plain +</I>><i> /home/harms/.ssh/authorized_keys is not seen any more. +</I>><i> +</I>><i> +</I>><i> +</I>><i> Summary +</I>><i> - ssh does not correctly use an authorized_keys file if the target is a +</I>><i> symbolic link form $HOME/.ssh +</I>><i> - this problem only exists for sessions started from a laptop on a +</I>><i> desktop server, the other way round there is no problem +</I>><i> - this problem has only recently appeared +</I>><i> - using mount --bind for mounting $HOME/.ssh at on a template +</I>><i> directory results in correct behaviour +</I>><i> - twiddling /etc/ssh/sshd_conf (StrictMode, AuthorizedKeysFile) does +</I>><i> not produce satisfactory results. +</I>><i> +</I>><i> For me, there is a simple workaround which I now use: rather than +</I>><i> creating a link to my template file, I put a copy of the template data +</I>><i> into $HOME/.ssh/authorized_keys (extremely unfrequent modifications, no +</I>><i> problem to create a new copy in case the template data really change) +</I>><i> +</I>><i> The reason why I started this discussion is that there may be a faint +</I>><i> risk that an abnormal behaviour of ssh could create problems in +</I>><i> situations less obvious than a plain remote shell session - many +</I>><i> distributed applications use ssh "hidden" in the application. +</I>><i> +</I>><i> But since I am the only one to observe this problem, opening a bug is in +</I>><i> my opinion not justified. +</I> + +maybe it's a security feature, if it's a symlink it might point to somewhere +where other users have access to? or something? i'm just plain wildly guessing +here. + +Perhaps you can find the upstream changelog between those 2 versions and see if +this is documented somewhere. + +on top of that, you can ask the upstream if it's wanted to not allow symlinks +for authorizedkeyfiles... +</PRE> + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="005476.html">[Mageia-discuss] Strange behavior after kernel update +</A></li> + + <LI> <B>Messages sorted by:</B> + <a href="date.html#5474">[ date ]</a> + <a href="thread.html#5474">[ thread ]</a> + <a href="subject.html#5474">[ subject ]</a> + <a href="author.html#5474">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-discuss">More information about the Mageia-discuss +mailing list</a><br> +</body></html> |