a=rw causes SSH to reject all logins
Somehow I forgot about this behavior - sshd will reject all logins to git due to a=rw on ~git/.ssh/authorized_keys:

Jul 4 13:40:32 du sshd[3742]: Authentication refused: bad ownership or modes for file /home/git/.ssh/authorized_keys

There are three ways one could go about this:
- Revert the change, advocate sudo as the only method.
- Revert the change, advocate user to add their public key or a password to the git user and use it to upload keys. Adding their key could conflict if the user uses the same key to push, but I dislike the idea of requiring password authentication only.
- Tell OpenSSH to not enforce the file permissions by inserting StrictModes no in /etc/ssh/sshd_config

Thoughts?
The init is run as root. Can't we start a similar "service" as is done with the nginx reloader in Dokku? E.g. create a fifo, writeable by anyone, read contents as root, append received keys to authorized_keys as root.
I hadn't thought of that, but I do like it.
I think that's too heavy weight for gitreceive. We could think about doing that in Dokku though.
Personally I'm ok with using sudo for running key-upload ... Dokku can wrap this as necessary since it will need to anyway when using sshcommand.
Shall we revert the change?
+1 on revert, for Dokku more sophisticated auth key adding might be in place anyway (ACLs etc.)
Apologies for the extra work folks
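
To see ahead of time whether a permission change will trigger the "bad ownership or modes" refusal quoted at the top of this thread, the check can be approximated outside sshd. This is an added example, not code from gitreceive, Dokku or OpenSSH; the function names are hypothetical and the logic approximates the StrictModes check (file and each directory up to the home directory owned by the user or root, and not group- or world-writable).

```python
import os
import stat
import tempfile

def strictmodes_problems(path, uid, home):
    """Return the reasons a StrictModes-style check would refuse `path`."""
    problems = []
    path, home = os.path.realpath(path), os.path.realpath(home)
    if not stat.S_ISREG(os.stat(path).st_mode):
        problems.append(f"{path}: not a regular file")
    current = path
    while True:
        st = os.stat(current)
        if st.st_uid not in (0, uid):
            problems.append(f"{current}: owned by uid {st.st_uid}")
        if st.st_mode & 0o022:  # group- or world-writable bit set
            mode = stat.S_IMODE(st.st_mode)
            problems.append(f"{current}: mode {mode:04o} is group/world-writable")
        parent = os.path.dirname(current)
        if current == home or parent == current:
            break  # reached the home directory (or the filesystem root)
        current = parent
    return problems

def demo():
    """Build a constructed home directory and check it with a=rw, then 0600."""
    home = tempfile.mkdtemp()          # constructed stand-in for ~git
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    keys = os.path.join(ssh_dir, "authorized_keys")
    with open(keys, "w") as fh:
        fh.write("# constructed sample file, no real keys\n")
    uid = os.getuid()
    os.chmod(keys, 0o666)              # the a=rw mode from this issue
    bad = strictmodes_problems(keys, uid, home)
    os.chmod(keys, 0o600)              # owner-only, which the check accepts
    good = strictmodes_problems(keys, uid, home)
    return bad, good

if __name__ == "__main__":
    bad, good = demo()
    print("a=rw :", bad)
    print("0600 :", good)
```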