bugzilla-daemon at bugzilla.mindrot.org
2017-May-07 12:41 UTC
[Bug 2713] New: Please provide a StrictModes-like setting (command line parameter) for ssh (client)
https://bugzilla.mindrot.org/show_bug.cgi?id=2713
Bug ID: 2713
Summary: Please provide a StrictModes-like setting (command line parameter) for ssh (client)
Product: Portable OpenSSH
Version: 7.5p1
Hardware: Other
OS: Other
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: sascha-openssh-bugs at silbe.org
Background: We're using rsync over ssh to mirror a directory tree to a
set of remote servers, with rrsync as a forced command on the server
side to restrict access to the target directory. An entire group of
people as well as an automated process using a separate user account
need to be able to perform the transfer. Some of the people involved
also have unrestricted access. Because rrsync uses the target directory
as the root of the accessible hierarchy, the paths to use for
restricted and unrestricted access are different. So it makes a whole
world of difference which private key is chosen.
The very strict "only the user may be able to read the private key
file" check hurts us quite a bit here. It's also OpenSSH enforcing its
own policy that doesn't match our threat model at all. sshd has a way
to explicitly disable those checks (StrictModes no) for
authorized_keys, but the _client_ (of all things) refuses to load
private keys that are group-readable (but not world-readable) with no
way to tell it that, yes, this is exactly what we want and need.
We're currently using the work-around of running "ssh-add - <
foo/id_rsa", but that's just that: a work-around. Besides other things
it requires ssh-agent to be running.
--
You are receiving this mail because:
You are watching the assignee of the bug.
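The report above turns on the permission test the OpenSSH client applies before loading a private key: any group or other permission bit on the file makes the client refuse it. The following is an added example, not code from the bug report or from OpenSSH: a small POSIX shell audit that reproduces that test (assumed here to be "reject when mode & 077 is non-zero", which is the condition behind the familiar "Permissions 0640 ... are too open" message), walks a directory of keys, and offers the chmod-based fix an operator would apply before deployment. The key files it creates are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: mirror the OpenSSH client's private-key permission check
# and audit a directory of keys for files the client would refuse.
# Assumption: the client rejects a key whenever any group or other bit is
# set (mode & 077 != 0). Owner bits are not inspected.

# key_perm_ok FILE -> 0 if only owner bits are set, 1 if too open, 2 if missing.
key_perm_ok() {
    f=$1
    [ -f "$f" ] || { echo "no such key file: $f" >&2; return 2; }
    # GNU stat uses -c, BSD/macOS stat uses -f; both print the octal mode.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    perm=$(printf '%03o' $(( 0$mode & 0777 )))
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "Permissions 0$perm for '$f' are too open (group/other bits set)"
        return 1
    fi
    echo "Permissions 0$perm for '$f' are acceptable"
    return 0
}

# restrict_key FILE -> strip group/other bits so the client will load the key.
restrict_key() {
    chmod go-rwx "$1" && key_perm_ok "$1"
}

# audit_keys DIR -> print REJECTED lines for each offending regular file;
# return the number of rejected files (0 means the directory is clean).
audit_keys() {
    dir=$1
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! key_perm_ok "$f" >/dev/null; then
            echo "REJECTED: $f"
            n=$((n + 1))
        fi
    done
    return $n
}

# demo: build a constructed key directory with one shared (0640) and one
# private (0600) file, audit it, then repair the shared one.
demo() {
    d=$(mktemp -d)
    printf 'constructed placeholder, not a real key\n' > "$d/id_shared"
    chmod 640 "$d/id_shared"
    printf 'constructed placeholder, not a real key\n' > "$d/id_private"
    chmod 600 "$d/id_private"
    audit_keys "$d" || echo "rejected before fix: $?"
    restrict_key "$d/id_shared"
    audit_keys "$d" && echo "directory clean after fix"
    rm -rf "$d"
}

# Run the demo only when executed directly, not when sourced.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

The audit is the defender-side use of this check: a group-readable key in a shared mirror setup like the one described is not an attack, but it is a file that every team member's ssh will reject, so catching it in a deploy step is cheaper than discovering it when the rsync job fails. Where a key genuinely has to be shared, the usual alternatives are one key per person or account, or loading the key through an agent as the report's workaround does.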
bugzilla-daemon at bugzilla.mindrot.org
2017-May-07 14:48 UTC
[Bug 2713] Please provide a StrictModes-like setting (command line parameter) for ssh (client)
https://bugzilla.mindrot.org/show_bug.cgi?id=2713
Sascha Silbe <sascha-openssh-bugs at silbe.org> changed:
What     |Removed |Added
----------------------------------------------------------------------------
Hardware |Other   |All
OS       |Other   |All
bugzilla-daemon at bugzilla.mindrot.org
2018-Jul-07 09:28 UTC
[Bug 2713] Please provide a StrictModes-like setting (command line parameter) for ssh (client)
https://bugzilla.mindrot.org/show_bug.cgi?id=2713
--- Comment #1 from Sascha Silbe <sascha-openssh-bugs at silbe.org> ---
Since GnuPG 2.1, gpg-agent (in SSH agent emulation mode) doesn't work with password-less keys anymore, so our work-around of feeding the private key into ssh-add via stdin stopped working. The refusal of the OpenSSH client to use group-readable private keys is becoming a real pain; we have to stack up work-around upon work-around.

How the private key should be protected is a matter of threat model and policy, not a technical matter. It's OK if OpenSSH warns the user about potentially unsafe permissions _by_ _default_, but it should not _force_ users to follow the OpenSSH developer's policy that matches the OpenSSH developer's threat model only.
bugzilla-daemon at mindrot.org
2024-Nov-27 02:11 UTC
[Bug 2713] Please provide a StrictModes-like setting (command line parameter) for ssh (client)
https://bugzilla.mindrot.org/show_bug.cgi?id=2713
Amber Felts <amberfelts890 at gmail.com> changed:
What     |Removed                      |Added
----------------------------------------------------------------------------
OS       |All                          |OpenBSD
URL      |                             |https://github.com/CrAzYgRl24/actions-learning-pathway/settings
CC       |                             |amberfelts890 at gmail.com
Assignee |unassigned-bugs at mindrot.org |amberfelts890 at gmail.com
bugzilla-daemon at mindrot.org
2024-Nov-27 07:56 UTC
[Bug 2713] Please provide a StrictModes-like setting (command line parameter) for ssh (client)
https://bugzilla.mindrot.org/show_bug.cgi?id=2713
Damien Miller <djm at mindrot.org> changed:
What |Removed                                                         |Added
----------------------------------------------------------------------------
CC   |                                                                |djm at mindrot.org
URL  |https://github.com/CrAzYgRl24/actions-learning-pathway/settings |