From 496d02798584b873bb7d28fa96ed3b11dc95ba25 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 30 Aug 2006 01:07:00 +0000 Subject: - dtucker@cvs.openbsd.org 2006/08/21 08:15:57 [sshd.8] Add more detail about what permissions are and aren't accepted for authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@ --- sshd.8 | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) (limited to 'sshd.8') diff --git a/sshd.8 b/sshd.8 index 778ea906..522279ee 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.233 2006/07/19 13:07:10 dtucker Exp $ +.\" $OpenBSD: sshd.8,v 1.234 2006/08/21 08:15:57 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -681,9 +681,23 @@ rlogin/rsh. .It ~/.ssh/authorized_keys Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described above. -This file is not highly sensitive, but the recommended +The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. .Pp +If this file, the +.Pa ~/.ssh +directory, or the user's home directory are writable +by other users, then the file could be modified or replaced by unauthorized +users. +In this case, +.Nm +will not allow it to be used unless the +.Cm StrictModes +option has been set to +.Dq no . +The recommended permissions can be set by executing +.Dq chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys . +.Pp .It ~/.ssh/environment This file is read into the environment at login (if it exists). It can only contain empty lines, comment lines (that start with -- cgit v1.2.1