Hi, I would like to make it impossible for users to change the contents of the authorized_keys-file. I just found out about the sshd_config setting: AuthorizedKeysFile /etc/ssh/authorized_keys/%u But even in that case that file has to be owned by the user, unless I set ``StrictModes no'' which would allow other nastyness. I would like to request that that file could also be owned by root, so I can make that file immutable for the user, even on filesystems which don't support the immutable flag, for example jfs on GNU/Linux. # Han -- \ / The two things that can get you into trouble quicker than )\__/( anything else are fast women and slow horses. |(oO)| \||/ Ts (OO) +vVv------vVv----------------------------------------------------------+
On Thu Jan 19 08:06:11 2006, Han Boetes wrote:> > Hi, > > I would like to make it impossible for users to change the > contents of the authorized_keys-file. > > I just found out about the sshd_config setting: > > AuthorizedKeysFile /etc/ssh/authorized_keys/%u > > But even in that case that file has to be owned by the user, > unless I set ``StrictModes no'' which would allow other > nastyness. I would like to request that that file could also be > owned by root, so I can make that file immutable for the user, > even on filesystems which don't support the immutable flag, for > example jfs on GNU/Linux. >That's already the case. The files can be owned by root, but they must be readable by the user. Either use a per-user group or POSIX ACLs to allow the user to read the contents. -- Iain Morgan
Hi --- Han Boetes <han at mijncomputer.nl> wrote:> But even in that case that file has to be owned by the user, > unless I set ``StrictModes no'' which would allow other > nastyness. I would like to request that that file could also be > owned by root, so I can make that file immutable for the user, > even on filesystems which don't support the immutable flag, for > example jfs on GNU/Linux.just checked the 4.1p1 source .. thats already there: auth.c(line 460): (st.st_uid != 0 && st.st_uid != uid) checks for root or user frank __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
no, it can be owned by root. On Thu, Jan 19, 2006 at 05:06:11PM +0100, Han Boetes wrote:> Hi, > > I would like to make it impossible for users to change the > contents of the authorized_keys-file. > > I just found out about the sshd_config setting: > > AuthorizedKeysFile /etc/ssh/authorized_keys/%u > > But even in that case that file has to be owned by the user, > unless I set ``StrictModes no'' which would allow other > nastyness. I would like to request that that file could also be > owned by root, so I can make that file immutable for the user, > even on filesystems which don't support the immutable flag, for > example jfs on GNU/Linux. > > > > > # Han > -- > \ / The two things that can get you into trouble quicker than > )\__/( anything else are fast women and slow horses. > |(oO)| > \||/ > Ts (OO) > +vVv------vVv----------------------------------------------------------+ > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev