#163202 ssh: ssh with public key authentication seems paranoid about home dir permissions

#163202#5
Date: 2002-10-03 12:44:38 UTC
I tried to set up ssh with public key authentication but it turned out
to be impossible without changing the permissions of my home directory.
While this is not a major obstacle, figuring out what the permissions
ought to be was less than obvious.

Turns out that chmod 2700 and 2711 ~ is okay, while anything with read
permissions for group is unacceptable. (I'm speculating a bit here
because I haven't done exhaustive testing [*].)

This bug is probably a packaging error, seeing as the owner=group
convention is somewhat specific to Debian (and Red Hat, IIRC) while
the upstream edition of SSH probably wants to continue to be paranoid
about group-readable home directories.

Troubleshooting this was hard because there is no fair warning -- it
took me a while to notice the error messages in auth.log. It would be
ideal if the error could be displayed on the terminal of the user who
is attempting to log in (I fail to see how this could open up any
major security problems).

So I'd like to see

 1) the Debian package fixed so that group ownership checks are
    ignored if the group ID is equal to the user's login ID (and/or
    the user ID is in the interval defined to be reserved for local
    users as per Debian policy)

 2) any home directory permission requirements clearly documented

 3) permission warnings to be displayed to the user who is trying to
    log in, and getting rejected because of permission problems

 4) tangentially, the behavior when permissions are wrong is a bit
    strange when it comes to prompting for a password. Specifically,
    if I have added the key with ssh-add, I will get three password
    prompts:

    1. when the authorization agent's public key is checked and rejected,
       it will ask for the key's passphrase -- to no avail, it's not the
       lack of a passphrase which is causing the rejection

    2. falls back to using the regular identity key, same thing again
       (even if the agent was trying the identity key originally!)

    3. and then finally falls back to regular password authentication
       (which doesn't suffer from problems with home directory checks)

    See also BTS bug #157138.

That's a tall order; if you'd like me to break it up into smaller
bugs, write back and I'll see what I can do.

/* era */

[*] The only link where I can test this is a GPRS connection running
at approximately 9,600 bps. The simple command "ssh there echo moo"
takes on the order of three minutes to complete. I've run about ten of
those tests ...

#163202#10
Date: 2002-10-04 06:49:37 UTC
On Thu, 03 Oct 2002 15:44:38 +0300, era eriksson <era@iki.fi> wrote:
 > I tried to set up ssh with public key authentication but it turned out
 > to be impossible without changing the permissions of my home directory.

Sorry for leaving out a couple of "obvious" details.

The home directory on the host I'm trying to log in +to+ was the one
which was problematic. I haven't looked at how SSH behaves when the
originating client's home directory permissions are lax; presumably
you get roughly the same behavior (but at least hopefully a
user-visible warning).

The message I get in /var/log/auth.log is

Oct  3 14:50:06 there sshd[26047]: Authentication refused: bad ownership or modes for directory /home/era

Even with ssh -d none of this is visible to the client who is trying
to connect, which makes this awfully hard to troubleshoot for a normal
user (who might not even have permissions to look at /var/log/auth.log).

/* era */

#163202#15
Date: 2026-06-02 07:31:57 UTC
Hello era,
thank you for this detailed report and analysis.

The report is quite old and I can say that the behavior you described is
today better documented (see StrictModes for example). It is intended.

Also, your report mixes up several issues and feature requests. Please
check the latest version of SSH and feel free to open fresh tickets, but
only one per issue/feature.

Regards,
Christian
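
An added example (not part of the bug thread and not OpenSSH's own code): a Python sketch of the kind of ownership and mode check behind the "bad ownership or modes for directory" line in auth.log, so the offending path can be found on the server without reading the log. It assumes the StrictModes test rejects any component from authorized_keys up to the home directory that is not owned by the user or root, or that is writable by group or others; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def strictmodes_problems(path, uid, home):
    """Return (path, reason) pairs for every component that fails the check.

    Assumed model of the StrictModes test: the key file and each directory
    from it up to and including `home` must be owned by `uid` or root and
    must not be writable by group or others (mode & 022).
    """
    problems = []
    current = os.path.realpath(path)
    home = os.path.realpath(home)
    while True:
        st = os.stat(current)
        if st.st_uid not in (0, uid):
            problems.append((current, "bad owner uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((current, "mode %04o is group/world-writable"
                             % stat.S_IMODE(st.st_mode)))
        parent = os.path.dirname(current)
        # Stop once the home directory (or the filesystem root) was checked.
        if current == home or parent == current:
            return problems
        current = parent


def demo(home_mode):
    """Build a constructed home tree and check it with the given home mode."""
    home = os.path.realpath(tempfile.mkdtemp())
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    keys = os.path.join(ssh_dir, "authorized_keys")
    with open(keys, "w") as fh:
        fh.write("ssh-ed25519 CONSTRUCTED-SAMPLE-KEY user@example\n")
    os.chmod(keys, 0o600)
    os.chmod(home, home_mode)
    return home, strictmodes_problems(keys, os.getuid(), home)


if __name__ == "__main__":
    # Constructed cases: a group-writable home versus two tighter modes.
    for mode in (0o775, 0o711, 0o700):
        home, found = demo(mode)
        print("%04o" % mode, "refused" if found else "ok", found)
```

On a real account, call `strictmodes_problems` with the path to the user's authorized_keys file, the user's uid and the home directory as listed in the password database.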