Hi,
I would like to make it impossible for users to change the
contents of the authorized_keys-file.
I just found out about the sshd_config setting:
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
But even in that case that file has to be owned by the user,
unless I set ``StrictModes no'' which would allow other
nastyness. I would like to request that that file could also be
owned by root, so I can make that file immutable for the user,
even on filesystems which don't support the immutable flag, for
example jfs on GNU/Linux.
# Han
--
\ / The two things that can get you into trouble quicker than
)\__/( anything else are fast women and slow horses.
|(oO)|
\||/
Ts (OO)
+vVv------vVv----------------------------------------------------------+
On Thu Jan 19 08:06:11 2006, Han Boetes wrote:> > Hi, > > I would like to make it impossible for users to change the > contents of the authorized_keys-file. > > I just found out about the sshd_config setting: > > AuthorizedKeysFile /etc/ssh/authorized_keys/%u > > But even in that case that file has to be owned by the user, > unless I set ``StrictModes no'' which would allow other > nastyness. I would like to request that that file could also be > owned by root, so I can make that file immutable for the user, > even on filesystems which don't support the immutable flag, for > example jfs on GNU/Linux. >That's already the case. The files can be owned by root, but they must be readable by the user. Either use a per-user group or POSIX ACLs to allow the user to read the contents. -- Iain Morgan
Hi --- Han Boetes <han at mijncomputer.nl> wrote:> But even in that case that file has to be owned by the user, > unless I set ``StrictModes no'' which would allow other > nastyness. I would like to request that that file could also be > owned by root, so I can make that file immutable for the user, > even on filesystems which don't support the immutable flag, for > example jfs on GNU/Linux.just checked the 4.1p1 source .. thats already there: auth.c(line 460): (st.st_uid != 0 && st.st_uid != uid) checks for root or user frank __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
no, it can be owned by root. On Thu, Jan 19, 2006 at 05:06:11PM +0100, Han Boetes wrote:> Hi, > > I would like to make it impossible for users to change the > contents of the authorized_keys-file. > > I just found out about the sshd_config setting: > > AuthorizedKeysFile /etc/ssh/authorized_keys/%u > > But even in that case that file has to be owned by the user, > unless I set ``StrictModes no'' which would allow other > nastyness. I would like to request that that file could also be > owned by root, so I can make that file immutable for the user, > even on filesystems which don't support the immutable flag, for > example jfs on GNU/Linux. > > > > > # Han > -- > \ / The two things that can get you into trouble quicker than > )\__/( anything else are fast women and slow horses. > |(oO)| > \||/ > Ts (OO) > +vVv------vVv----------------------------------------------------------+ > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev