a=rw causes SSH to reject all logins

Question

Opened this issue 11 years ago · 5 comments

Somehow I forgot about this behavior - sshd will reject all logins to git due to a=rw on ~git/.ssh/authorized_keys:

Jul 4 13:40:32 du sshd[3742]: Authentication refused: bad ownership or modes for file /home/git/.ssh/authorized_keys

There are three ways one could go about this:

Revert the change, advocate sudo as the only method.
Revert the change, advocate user to add their public key or a password to the git user and use it to upload keys. Adding their key could conflict if the user uses the same key to push, but I dislike the idea of requiring password authentication only.
Tell OpenSSH to not enforce the file permissions by inserting StrictModes no in /etc/ssh/sshd_config

Thoughts?

Answer 1 · 2013-07-04T21:14:42.000Z

The init is run as root. Can't we start a similar "service" as is done with the nginx reloader in dukko?

E.g. create a fifo, writeable by anyone, read contents as root, append received keys to authorized_keys as root.

Answer 2 · 2013-07-04T21:33:41.000Z

I hadn't thought of that, but I do like it.

Answer 3 · 2013-07-04T21:41:30.000Z

I think that's too heavy weight for gitreceive. We could think about doing that in Dokku though.

Personally I'm ok with using sudo for running key-upload ... Dokku can wrap this as necessary since it will need to anyway when using sshcommand.

Shall we revert the change?

Answer 4 · 2013-07-04T21:42:40.000Z

+1 on revert, for dokku more sophisticated auth key adding might be in place anyway (acl's etc)

Answer 5 · 2013-07-04T22:05:23.000Z

Apologies for the extra work folks