[scponly] protecting ~/.ssh
Thomas Wana
thomas at wana.at
Mon Apr 11 15:09:58 EDT 2005
Hi,
Dimitri Papadopoulos-Orfanos wrote:
> Note that having non-writable home directories does not look like a
> solution, since a ~/.ssh subdirectory is already present and has to
> belong to the user, with specific permissions.
The following permissions work fine for me:
i:/opt/wogri_chroot# ll
total 44
drwxr-xr-x 11 root root 4096 Nov 29 00:30 ./
drwxr-xr-x 7 root root 4096 Mar 22 11:12 ../
drwxr-x--- 2 root users 4096 Nov 29 23:10 .ssh/
drwxr-xr-x 2 root root 4096 Sep 23 2004 bin/
drwxr-xr-x 2 root root 4096 Sep 23 2004 dev/
drwxr-xr-x 2 root root 4096 Sep 23 2004 etc/
drwxr-xr-x 8 wogri users 4096 Apr 1 05:00 incoming/
drwxr-xr-x 2 root root 4096 Sep 23 2004 lib/
drwxrwxrwx 2 root root 4096 Oct 14 04:21 tmp/
drwxr-xr-x 5 root root 4096 Dec 1 21:58 usr/
i:/opt/wogri_chroot# ll .ssh
total 12
drwxr-x--- 2 root users 4096 Nov 29 23:10 ./
drwxr-xr-x 11 root root 4096 Nov 29 00:30 ../
-rw-r--r-- 1 root root 2855 Nov 29 22:52 authorized_keys
The user (wogri, group users) only gets read permissions on the
.ssh directory; that seems to be sufficient.
Tom
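
An audit of the layout shown in the listing above, as an added example that is not part of the original post or of scponly. The function names and output format are assumptions of the example. It checks that the chroot home, its .ssh directory and authorized_keys are not owned by the jailed user and are not group- or world-writable.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a jailed user
# cannot modify the SSH key material inside a chroot home directory.
# Function names are hypothetical.

# check_entry PATH USER
# Fails if PATH is missing, owned by USER, or group/world-writable.
check_entry() {
    path=$1
    user=$2
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    # POSIX "ls -ld": field 1 is the mode string, field 3 is the owner.
    mode=$(ls -ld "$path" | awk '{print $1}')
    owner=$(ls -ld "$path" | awk '{print $3}')
    if [ "$owner" = "$user" ]; then
        echo "FAIL    $path is owned by $user"
        return 1
    fi
    # Mode string layout: type, then rwx for owner, group, other.
    # Character 6 is group-write, character 9 is other-write.
    case $mode in
        ?????w*|????????w*)
            echo "FAIL    $path is group- or world-writable ($mode)"
            return 1
            ;;
    esac
    echo "OK      $path ($mode, owner $owner)"
    return 0
}

# audit_ssh_lockdown HOME USER
# Checks the three paths that matter for key-based login; returns 0 only
# if all of them pass. Directories such as incoming/ or tmp/ are
# deliberately writable in the listing and are not checked.
audit_ssh_lockdown() {
    home=$1
    user=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_entry "$p" "$user" || rc=1
    done
    return $rc
}
```

For the listing above the call would be audit_ssh_lockdown /opt/wogri_chroot wogri, run as a user that can read the directory.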