openssh bugs - Jan 2019 - [Bug 2955] New: Warning message StrictModes=yes and $HOME has g+w

https://bugzilla.mindrot.org/show_bug.cgi?id=2955

            Bug ID: 2955
           Summary: Warning message StrictModes=yes and $HOME has g+w
           Product: Portable OpenSSH
           Version: 7.7p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mkg at vt.edu

Motivation: I was unable to login to a server, which only allows SSH
keys for authentication, because I had (accidentally) given g+w
permissions to $HOME and StrictModes=yes in sshd. The MOTD is shown but
then I was prompted for a password which I could not give because there
is none. I finally contacted a sysadmin and he looked in the sshd logs
to find the problem.

Suggestion: it would be nice to have a warning message, perhaps only
shown with -v, that hints to check for that or other potential login
issues so that the user has a means of starting to debug the problem.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2955

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
We actually do almost exactly what you are describing (including -v)
except that the message is only sent after authentication (eg via
password) because we try not to leak any authentication information to
unauthenticated users.  Unfortunately since you didn't have any other
method this didn't help you, but I don't see this as something that we
should change, sorry.

$ chmod 777 ~/.ssh
$ ssh -v localhost
[...]
debug1: Offering public key: [...]
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
dtucker at localhost's password: 
[...]
debug1: Remote: Ignored authorized keys: bad ownership or modes for
directory /home/dtucker/.ssh
Last login: Sat Feb 24 00:47:25 2018 from 127.0.0.1
[...]

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2955

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
I agree with Darren here - we don't want to give this information to
anyone who knocks on the front door; we can only give it to
authenticated users and record it in the server's syslog.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2955

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.