Debian Bug report logs - #314347: openssh-client: "Bad owner or permissions on $HOME/.ssh/config" check too aggressive
Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#314347; Package openssh-client.
Acknowledgement sent to Branden Robinson <branden@debian.org>:
New Bug report received and forwarded. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: openssh-client
Version: 1:4.1p1-3
Severity: important
Setting severity to important because this unexpectedly busted Subversion,
though I don't honestly believe it's a *critical* bug.
I just upgraded from sid as of about the time sarge released, and got a blitz
of new packages, including the new openssh-client package.
Here's a session transcript:
1148 {0} branden@sisyphus:~/packages/xorg-x11/svn/trunk/debian$ svn up
Bad owner or permissions on /home/branden/.ssh/config
svn: Connection closed unexpectedly
1149 {1} branden@sisyphus:~/packages/xorg-x11/svn/trunk/debian$ l -l $HOME/.ssh/config
-rw-rw-r-- 1 branden branden 125 Jun 26 2004 /home/branden/.ssh/config
1150 {0} branden@sisyphus:~/packages/xorg-x11/svn/trunk/debian$ chmod 644 /home/branden/.ssh/config
1151 {0} branden@sisyphus:~/packages/xorg-x11/svn/trunk/debian$ svn up
At revision 220.
I think that check is excessively paranoid. I can think of a few
possibilities for resolving this bug:
1) Have the ssh client check to see if usergroups are configured in
adduser. Perhaps not a great solution because 1) it's complicated, and
2) this doesn't tell you anything about whether a particular user's
account was created with this property or not.
2) Simply tolerate group-writable files if the group name in question is
identical to the user name.
3) Alternatively or additionally to 2), ensure that the user is the only
member of the group owning the group-writable file.
4) Step this fatal error down to a warning. (I'd find it annoying,
though.)
5) As part of the many migrations done to the new openssh world order, walk
/home and chmod g-w on all .ssh/config files. Some people might
consider this intrusive, though, and it doesn't prevent the creation of
new accounts with this problem.
6) Tell everybody in my position "tough cookie" and add a NEWS item
advising people that the default umask with usergroups enabled in
adduser is just bad news for .ssh/config.
In any case:
7) It would be nice if the ssh client would identify itself before spewing
that message; e.g.:
ssh: bad owner or permissions on /home/branden/.ssh/config
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: powerpc (ppc)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.9-powerpc-smp
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages openssh-client depends on:
ii adduser 3.63 Add and remove users and groups
ii debconf [debconf-2.0] 1.4.51 Debian configuration management sy
ii dpkg 1.13.9 Package maintenance system for Deb
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libedit2 2.9.cvs.20050518-2 BSD editline and history libraries
ii libncurses5 5.4-6 Shared libraries for terminal hand
ii libssl0.9.7 0.9.7g-1 SSL shared libraries
ii zlib1g 1:1.2.2-4 compression library - runtime
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#314347; Package openssh-client.
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #12 received at 314347@bugs.debian.org:
tags 314347 pending
thanks
On Wed, Jun 15, 2005 at 03:59:38PM -0500, Branden Robinson wrote:
> 1148 {0} branden@sisyphus:~/packages/xorg-x11/svn/trunk/debian$ svn up
> Bad owner or permissions on /home/branden/.ssh/config
> svn: Connection closed unexpectedly
> 1149 {1} branden@sisyphus:~/packages/xorg-x11/svn/trunk/debian$ l -l $HOME/.ssh/config
> -rw-rw-r-- 1 branden branden 125 Jun 26 2004 /home/branden/.ssh/config
> 1150 {0} branden@sisyphus:~/packages/xorg-x11/svn/trunk/debian$ chmod 644 /home/branden/.ssh/config
> 1151 {0} branden@sisyphus:~/packages/xorg-x11/svn/trunk/debian$ svn up
> At revision 220.
>
> I think that check is excessively paranoid.
Evidently I made all my ~/.ssh/config files mode 0644 ages ago for some
other reason, since I never noticed this change in behaviour ...
> I can think of a few possibilities for resolving this bug:
[...]
> 2) Simply tolerate group-writable files if the group name in question is
> identical to the user name.
>
> 3) Alternatively or additionally to 2), ensure that the user is the only
> member of the group owning the group-writable file.
The combination of these two suggestions seems to be the best fix. I've
implemented this in CVS and sent a patch upstream.
> 5) As part of the many migrations done to the new openssh world order, walk
> /home and chmod g-w on all .ssh/config files. Some people might
> consider this intrusive, though, and it doesn't prevent the creation of
> new accounts with this problem.
That would run into problems with NFS, too.
On Fri, Jun 17, 2005 at 12:59:45PM -0400, Frederic Briere wrote:
> I assume this is an attempt to make sure ~/.ssh/config is 0600 or
> something.
Actually, it's really to check that it's not *writable* by other
parties. The relevant ChangeLog entry says:
- djm@cvs.openbsd.org 2004/04/18 23:10:26
[readconf.c readconf.h ssh-keysign.c ssh.c]
perform strict ownership and modes checks for ~/.ssh/config files,
as these can be used to execute arbitrary programs; ok markus@
NB. ssh will now exit when it detects a config with poor permissions
> * There's no mention of this behavior in the documentation
ssh(1) says:
$HOME/.ssh/config
This is the per-user configuration file. The file format
and configuration options are described in ssh_config(5).
Because of the potential for abuse, this file must have
strict permissions: read/write for the user, and not
accessible by others.
ssh_config(5) has similar text.
Cheers,
--
Colin Watson [cjwatson@debian.org]
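The two rules discussed in this thread, modelled in Python as an added example (this is neither OpenSSH's readconf.c check nor Colin's Debian patch): the strict rule that rejects any group- or world-writable file, beside the relaxed rule where a group-writable ~/.ssh/config passes only if the owning group contains nobody but the file's owner. FileInfo, upstream_ok, debian_ok, group_member_uids and check_ssh_config are names chosen here.

```python
# Model of ssh's "Bad owner or permissions" check on ~/.ssh/config: the strict
# upstream rule beside the relaxed rule Debian adopted (group-writable is
# tolerated only when the owning group has the file's owner as its sole member).
import grp
import os
import pwd
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class FileInfo:
    mode: int                 # permission bits of st_mode
    uid: int                  # file owner
    gid: int                  # file group
    group_members: frozenset  # uids in gid, primary or supplementary

def upstream_ok(info: FileInfo, user_uid: int) -> bool:
    """Strict rule: owned by root or the user, and neither g+w nor o+w."""
    if info.uid not in (0, user_uid):
        return False
    return (info.mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0

def debian_ok(info: FileInfo, user_uid: int) -> bool:
    """Relaxed rule: g+w is fine only for a private usergroup (owner alone)."""
    if info.uid not in (0, user_uid) or info.mode & stat.S_IWOTH:
        return False
    if info.mode & stat.S_IWGRP:
        return info.group_members == frozenset({info.uid})
    return True

def group_member_uids(gid: int) -> frozenset:
    """Everyone the group bit grants write to: primary-gid users plus gr_mem."""
    members = {p.pw_uid for p in pwd.getpwall() if p.pw_gid == gid}
    try:
        for name in grp.getgrgid(gid).gr_mem:
            members.add(pwd.getpwnam(name).pw_uid)
    except KeyError:  # gid has no group entry, or gr_mem names a missing user
        pass
    return frozenset(members)

def check_ssh_config(path: str = os.path.expanduser("~/.ssh/config")) -> str:
    """Classify a real file: 'strict' (passes upstream), 'debian', or 'bad'."""
    st = os.stat(path)
    info = FileInfo(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                    group_member_uids(st.st_gid))
    if upstream_ok(info, os.getuid()):
        return "strict"
    return "debian" if debian_ok(info, os.getuid()) else "bad"
```

Run check_ssh_config() as the user whose file it is; a result of "debian" is exactly the adduser-usergroups case from the report, which the strict check rejects and the relaxed one accepts.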
Tags added: pending
Request was from Colin Watson <cjwatson@debian.org>
to control@bugs.debian.org.
Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.
Notification sent to Branden Robinson <branden@debian.org>:
Bug acknowledged by developer.
Message #21 received at 314347-close@bugs.debian.org:
Source: openssh
Source-Version: 1:4.1p1-5
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-client-udeb_4.1p1-5_powerpc.udeb
to pool/main/o/openssh/openssh-client-udeb_4.1p1-5_powerpc.udeb
openssh-client_4.1p1-5_powerpc.deb
to pool/main/o/openssh/openssh-client_4.1p1-5_powerpc.deb
openssh-server-udeb_4.1p1-5_powerpc.udeb
to pool/main/o/openssh/openssh-server-udeb_4.1p1-5_powerpc.udeb
openssh-server_4.1p1-5_powerpc.deb
to pool/main/o/openssh/openssh-server_4.1p1-5_powerpc.deb
openssh_4.1p1-5.diff.gz
to pool/main/o/openssh/openssh_4.1p1-5.diff.gz
openssh_4.1p1-5.dsc
to pool/main/o/openssh/openssh_4.1p1-5.dsc
ssh-askpass-gnome_4.1p1-5_powerpc.deb
to pool/main/o/openssh/ssh-askpass-gnome_4.1p1-5_powerpc.deb
ssh_4.1p1-5_all.deb
to pool/main/o/openssh/ssh_4.1p1-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 314347@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sun, 3 Jul 2005 17:08:08 +0100
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.1p1-5
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
openssh-client-udeb - Secure shell client for the Debian installer (udeb)
openssh-server - Secure shell server, an rshd replacement
openssh-server-udeb - Secure shell server for the Debian installer (udeb)
ssh - Secure shell client and server (transitional package)
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 284874 314347 314625 314745 314956 315477 316636
Changes:
openssh (1:4.1p1-5) unstable; urgency=low
.
* Build-depend on libselinux1-dev on ppc64 too (closes: #314625).
* Drop priority of ssh to extra to match the override file.
* Make /usr/share/doc/openssh-server and /usr/share/doc/ssh symlinks to
/usr/share/doc/openssh-client (closes: #314745).
* Ship README.dns (closes: #284874).
* Disable btmp logging, since Debian's /var/log/btmp has inappropriate
permissions (closes: #314956).
* Allow ~/.ssh/config to be group-writable, provided that the group in
question contains only the file's owner (closes: #314347).
* debconf template translations:
- Update Brazilian Portuguese (thanks, André Luís Lopes;
closes: #315477).
- Add Vietnamese (thanks, Clytie Siddall; closes: #316636).
Tags added: upstream, wontfix
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 11:56:19 GMT)
Last modified: Sat Mar 25 18:17:20 2023