[scponly] .ssh
Charles Fry
scponly at frogcircus.org
Wed Feb 11 13:18:24 EST 2004
> I think this issue has been covered on the scponly mailing list some
> time ago. You'll have to search the archives to find the discussion.

The most recent discussion I found (which I should have looked for
sooner) was:

https://lists.ccs.neu.edu/pipermail/scponly/2004-January/000431.html

which seemed to indicate that this should no longer be problematic (at
least no one objected to that proposition).

> Basically, if the user has write access to his/her home directory, the
> user inherits the right to change some OpenSSH configuration via the
> $HOME/.ssh directory. This is Bad. See:
>
> http://xforce.iss.net/xforce/xfdb/9913
>
> scpjailer follows the same rule documented in chroot_setup.sh. That is,
> do not give the user write permission to ANYTHING in the chroot directory
> except possibly one subdirectory that is not the user's $HOME.
>
> I believe it is possible to setup OpenSSH in such a way to make it safe
> to give the user write access to his/her home directory (by limiting
> or eliminating the use of $HOME/.ssh), but I don't know the details for
> doing so. Even so, this would probably be a global change that would likely
> cause problems for non scponly users.

The post I cited above indicates that setting PermitUserEnvironment to
"no" (which is probably already the default) prevents ~/.ssh/environment
from being read, eliminating the weakness which you reference. Further,
this should by and large cause _no_ problems for non-scponly users.

In the previous thread on this subject, Ralf asked if there were
situations where it doesn't work to have only one writable subdirectory
under $HOME. The two reasons I need $HOME to be writable are:

1) Allow the creation of .courier (similar to .qmail) mail delivery
   control files.
2) Allow the automatic creation and later the manual modification of
   $HOME/.spamassassin.

Admittedly these issues could be worked around with some bit of
inconvenience, but inasmuch as it no longer appears necessary to limit
access to .ssh, I don't see why $HOME can't just be writable.

Thanks, Tony, for the pointers. They were most helpful.

Charles
--
His
Tomato
Was the mushy type
Until his beard
Grew over-ripe
Burma-Shave
http://frogcircus.org/burmashave/1952/his
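
Added example, not part of the original post or of scponly: a Python check of the setting discussed in this message. It reads sshd_config text for the effective global PermitUserEnvironment value and lists the files under $HOME/.ssh that sshd would honor under it, including environment= options in authorized_keys, which the same setting controls. The function names, the simplified parsing (global section only) and the sample values are assumptions.

```python
import os
import re

def permit_user_environment(config_text):
    """Effective global PermitUserEnvironment value from sshd_config text."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()            # keywords are case-insensitive
        if keyword == "match":
            break                             # simplification: global section only
        if keyword == "permituserenvironment" and len(parts) == 2:
            return parts[1].strip('" ').lower()   # first value found is used
    return "no"                               # default when the keyword is absent

def user_env_sources(home):
    """Files under home/.ssh through which a user can supply environment variables."""
    found = []
    env_file = os.path.join(home, ".ssh", "environment")
    if os.path.isfile(env_file):
        found.append(env_file)
    keys = os.path.join(home, ".ssh", "authorized_keys")
    if os.path.isfile(keys):
        with open(keys, errors="replace") as fh:
            entries = [l.strip() for l in fh if not l.lstrip().startswith("#")]
        # environment="NAME=value" is a key option at the start of an entry
        if any(re.search(r'(^|,)environment="', e, re.I) for e in entries):
            found.append(keys)
    return found

def audit(config_text, home):
    """Report the setting and which per-user files sshd would honor under it."""
    value = permit_user_environment(config_text)
    sources = user_env_sources(home)
    return {"setting": value, "present": sources,
            "honored": sources if value != "no" else []}

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as home:   # constructed sample home directory
        os.makedirs(os.path.join(home, ".ssh"))
        with open(os.path.join(home, ".ssh", "environment"), "w") as fh:
            fh.write("EXAMPLE_VAR=constructed\n")
        for cfg in ("PermitUserEnvironment yes\n", "# defaults only\n"):
            print(audit(cfg, home))
```
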