On Thu, Jun 23, 2011 at 06:53:05PM +0100, Jim Rippon wrote:
On Thu, 23 Jun 2011 17:06:32 +0100, Chris G wrote:
I just spent a long time diagnosing why I couldn't get a public key ssh login to work. It eventually transpired that ssh doesn't allow one to have group write permission on one's home directory.
That's *not* the permission on the .ssh directory, it's the permission on the one above that.
A quick Google search confirms that this is the case: ssh refuses to do public key authentication if the user's home directory has group write permission on it.
With write permissions on the parent directory, you could conceivably change the permissions on .ssh - I believe it's this behaviour that sshd is trying to avoid.
I can't see any way to disable this (turning StrictModes off seems to disable too much) and I don't really understand the reason for it either.
I only want group write set on one particular user, can anyone suggest a way to allow ssh public-key login to that user?
I get around this by changing the authorized_keys location and placing the accepted keys in /etc/ssh/authorized_keys/%u by adding the following in sshd_config - I place it along with the "PubkeyAuthentication Yes" line for my own sanity:
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
Thanks, that seems like a reasonable way to go.
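
Added example, not part of the thread: a shell check modelled on the test sshd applies when StrictModes is on, as discussed above (the key file and every directory above it must be owned by the user or root and must not be group- or world-writable). The function names are hypothetical, and the walk-up behaviour is an approximation that does not resolve symlinks; for a key file outside the home directory, such as /etc/ssh/authorized_keys/%u, pass / as the stop directory.

```shell
#!/bin/sh
# Added example: approximates sshd's StrictModes ownership/mode test.
# Function names are hypothetical; symlinks are not resolved as sshd would.
# Usage: script KEYFILE STOP_DIR NUMERIC_UID

# Print why a path fails the test, or nothing if it passes.
# $1 = path, $2 = numeric uid of the account being logged in to
unsafe_reason() {
    info=$(ls -ldn -- "$1" 2>/dev/null) || { echo "missing"; return 0; }
    mode=$(printf '%s\n' "$info" | awk '{print $1}')
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    # The owner must be the user or root.
    if [ "$owner" != 0 ] && [ "$owner" != "$2" ]; then
        echo "owned by uid $owner"
        return 0
    fi
    # Characters 6 and 9 of the ls mode string are group- and other-write.
    if [ "$(printf '%s' "$mode" | cut -c6)" = w ]; then
        echo "group-writable"
    elif [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then
        echo "world-writable"
    fi
    return 0
}

# Walk from the key file up to the stop directory (inclusive), reporting
# every component that fails. Returns 1 if any component is unsafe.
# $1 = authorized_keys file, $2 = stop directory, $3 = numeric uid
check_key_path() {
    p=$1
    bad=0
    while :; do
        reason=$(unsafe_reason "$p" "$3")
        if [ -n "$reason" ]; then
            echo "UNSAFE $p: $reason"
            bad=1
        fi
        if [ "$p" = "$2" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return "$bad"
}

if [ "$#" -eq 3 ]; then
    check_key_path "$1" "$2" "$3"
fi
```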