Hi, quick patch to ssh-copy-id to make it set the file modes more correctly. Thanks, Matthew --- contrib/ssh-copy-id.orig Thu Sep 27 21:47:44 2001 +++ contrib/ssh-copy-id Thu Sep 27 21:47:52 2001 @@ -33,7 +33,7 @@ exit 1 fi -{ eval "$GET_ID" ; } | ssh $1 "test -d .ssh || mkdir .ssh ; cat >> .ssh/authori zed_keys ; chmod g-w . .ssh .ssh/authorized_keys" +{ eval "$GET_ID" ; } | ssh $1 "test -d .ssh || mkdir .ssh ; cat >> .ssh/authori zed_keys ; chmod go-w . .ssh .ssh/authorized_keys" cat <<EOF Now try logging into the machine, with "ssh '$1'", and check in: -- "At least you know where you are with Microsoft." "True. I just wish I'd brought a paddle." http://www.debian.org
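Review bot: The `+` line still passes `.` to `chmod go-w`, so the script rewrites the mode of the user's home directory, and it tightens `.ssh` and `.ssh/authorized_keys` only after `mkdir .ssh` and `cat >>` have already created them under whatever umask the remote shell has. Setting a restrictive umask at the start of the remote command would create both with safe modes from the outset and leave existing modes to local policy. Separately, the remote commands are joined with `;`, so `cat >>` and `chmod` still run when `mkdir .ssh` fails, and `$1` is unquoted in `ssh $1`.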
mouring at etoh.eviladmin.org
2001-Oct-03 17:59 UTC
[PATCH] ssh-copy-id should do chmod go-w
Technically should it not be 'chmod 600' just to ensure we have all permissions right. - Ben On 27 Sep 2001, Matthew Vernon wrote:> Hi, > > quick patch to ssh-copy-id to make it set the file modes more > correctly. > > Thanks, > > Matthew > --- contrib/ssh-copy-id.orig Thu Sep 27 21:47:44 2001 > +++ contrib/ssh-copy-id Thu Sep 27 21:47:52 2001 > @@ -33,7 +33,7 @@ > exit 1 > fi > > -{ eval "$GET_ID" ; } | ssh $1 "test -d .ssh || mkdir .ssh ; cat >> > .ssh/authori > zed_keys ; chmod g-w . .ssh .ssh/authorized_keys" > +{ eval "$GET_ID" ; } | ssh $1 "test -d .ssh || mkdir .ssh ; cat >> > .ssh/authori > zed_keys ; chmod go-w . .ssh .ssh/authorized_keys" > > cat <<EOF > Now try logging into the machine, with "ssh '$1'", and check in: > > -- > "At least you know where you are with Microsoft." > "True. I just wish I'd brought a paddle." > http://www.debian.org >
Doesn't the authorized_keys have to be world readable?

Just checking..

Eric

-----Original Message-----
From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org]
Sent: Wednesday, October 03, 2001 1:36 PM
Cc: openssh-unix-dev at mindrot.org
Subject: Re: [PATCH] ssh-copy-id should do chmod go-w

On Wed, 3 Oct 2001, Peter W wrote:

> > chmod 700 .ssh; chmod 600 .ssh/authorized_keys
> >
> > makes more sense. Changing ~/ permissions is a local policy issue, and I
> > know I get peeved when something changes my policy without asking.
>
> What about simply setting the umask to 077 before doing anything? If the
> user has existing files/dirs, they won't be changed, but any new stuff would
> be safely created.
>

Best idea I've seen so far.

If no one screams... this is what the new line will look like:

{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys"

- Ben
Ah.. maybe I'm not as paranoid as I should be.

Thanks for the info.

Eric

-----Original Message-----
From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org]
Sent: Wednesday, October 03, 2001 1:58 PM
To: openssh-unix-dev at mindrot.org
Subject: RE: [PATCH] ssh-copy-id should do chmod go-w

$ ls -l .ssh/authorized_keys2
-rw------- 1 mouring users 237 Sep 4 17:43 .ssh/authorized_keys2

It does? =) Could have fooled my UNIX boxes. <smile>

- Ben

On Wed, 3 Oct 2001, Ladner, Eric (CLAD) wrote:

> Doesn't the authorized_keys have to be world readable?
>
> Just checking..
>
> Eric
>
> -----Original Message-----
> From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org]
> Sent: Wednesday, October 03, 2001 1:36 PM
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: [PATCH] ssh-copy-id should do chmod go-w
>
> On Wed, 3 Oct 2001, Peter W wrote:
>
> > > chmod 700 .ssh; chmod 600 .ssh/authorized_keys
> > >
> > > makes more sense. Changing ~/ permissions is a local policy issue, and I
> > > know I get peeved when something changes my policy without asking.
> >
> > What about simply setting the umask to 077 before doing anything? If the
> > user has existing files/dirs, they won't be changed, but any new stuff would
> > be safely created.
> >
>
> Best idea I've seen so far.
>
> If no one screams... this is what the new line will look like:
>
> { eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys"
>
> - Ben
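The two remote-side approaches discussed in this thread, run side by side as an added example that is not part of any original post or of ssh-copy-id itself. The scratch directory standing in for the remote home, its 775 mode, the login umask of 002 and the sample key are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added illustration, not code from the thread or from ssh-copy-id.
# A scratch directory stands in for the remote home directory.

# Permission string of a path, e.g. "drwx------".
perms() { ls -ld "$1" | cut -c1-10; }

# Original patch: create with the ambient umask, then clear write bits,
# including on "." (the home directory).
install_chmod() (
    cd "$1" || exit 1
    test -d .ssh || mkdir .ssh
    cat >> .ssh/authorized_keys
    chmod go-w . .ssh .ssh/authorized_keys
)

# Thread proposal: set a restrictive umask first, touch nothing that exists.
install_umask() (
    cd "$1" || exit 1
    umask 077
    test -d .ssh || mkdir .ssh
    cat >> .ssh/authorized_keys
)

KEY='ssh-rsa AAAAconstructedSampleKey user@client.example'  # constructed sample

# demo chmod|umask -> prints "<home perms> <.ssh perms> <authorized_keys perms>"
demo() (
    base=$(mktemp -d) || exit 1
    trap 'rm -rf "$base"' EXIT
    umask 002                                     # assumed permissive login umask
    mkdir "$base/home" && chmod 775 "$base/home"  # assumed group-writable home
    printf '%s\n' "$KEY" | "install_$1" "$base/home" || exit 1
    echo "$(perms "$base/home") $(perms "$base/home/.ssh") $(perms "$base/home/.ssh/authorized_keys")"
)

demo chmod   # home loses g+w; .ssh and the key file stay group/world readable
demo umask   # home untouched; new .ssh is 700 and the new key file is 600
```

The umask variant only affects what it creates: a `.ssh` directory or `authorized_keys` file that already exists with loose modes keeps them.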