[Bug 1817967] [NEW] 16.04.6 LTS OpenSSH-Server requires 0705 directory privileges for pubkey auth
Nathan
dundir at gmail.com
Wed Feb 27 22:17:32 UTC 2019
Public bug reported:
Many servers are set up to simplify and centralize ssh key management
within a single directory.
This is typically done with the line "AuthorizedKeysFile /somedir/%u".
Much online discussion suggests placing the destination in
/etc/ssh/authorized_keys/%u with 0700 on the authorized_keys folder and
0600 or 0644 on the separate public key files. StrictTypes is enabled
and is supposed to check for the 0700 and 0600 permissions... but
doesn't appear to be working?
The current supported version for SSH on 16.04.6 LTS appears to be:
OpenSSH_7.2p2 Ubuntu-4ubuntu2.7, OpenSSL 1.0.2g 1 Mar 2016
Under this configuration, standard key-based authentication is unable to complete without the key directory having at least 0705 on the directory; 0700 fails, and 0644 on the files is sufficient regardless.
This was tested on a 16.04.6 LTS release instance created on Linode.
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1817967
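
One thing to check against the behaviour reported above, as an added example that is not part of the bug report: sshd opens the AuthorizedKeysFile with the authenticating user's privileges, so that user needs search (x) permission on every directory in the path and read permission on the key file. The sketch assumes a root-owned key directory (the report does not state ownership) and models classic mode bits only; the uid 1000 and the path layout in `demo` are constructed.

```python
import os, pwd, stat

def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """rwx bits that apply to (uid, gids); POSIX uses exactly one class."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def readable_as(chain, uid, gids):
    """chain: [(name, mode, owner_uid, owner_gid), ...], directories first,
    key file last. Returns (ok, name_of_blocking_component_or_None).
    Models mode bits only (no ACLs, no MAC policy)."""
    if uid == 0:
        return True, None
    *dirs, keyfile = chain
    for name, mode, o_uid, o_gid in dirs:
        if not class_bits(mode, o_uid, o_gid, uid, gids) & 1:  # search (x)
            return False, name
    name, mode, o_uid, o_gid = keyfile
    if not class_bits(mode, o_uid, o_gid, uid, gids) & 4:      # read (r)
        return False, name
    return True, None

def chain_from_disk(path):
    """Build the chain for a real path, from / down to the key file."""
    chain, p = [], os.path.abspath(path)
    while True:
        st = os.stat(p)
        chain.append((p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        if os.path.dirname(p) == p:
            return chain[::-1]
        p = os.path.dirname(p)

def check_user(path, username):
    """Run the check for a real account, e.g. as root on the server."""
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    return readable_as(chain_from_disk(path), pw.pw_uid, gids)

def demo(dir_mode, file_mode, file_owner=0, uid=1000):
    """Constructed layout: root-owned path, user uid/gid 1000 (assumed)."""
    keydir = "/etc/ssh/authorized_keys"
    chain = [("/", 0o755, 0, 0), ("/etc", 0o755, 0, 0), ("/etc/ssh", 0o755, 0, 0),
             (keydir, dir_mode, 0, 0), (keydir + "/user", file_mode, file_owner, 0)]
    return readable_as(chain, uid, {uid})

if __name__ == "__main__":
    for d, f in [(0o700, 0o644), (0o705, 0o644), (0o705, 0o600)]:
        print(oct(d), oct(f), demo(d, f))
```

On a live system, `check_user(path, username)` run as root reports the first path component that blocks the account.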