I tried to set up ssh with public key authentication but it turned out
to be impossible without changing the permissions of my home directory.
While this is not a major obstacle, figuring out what the permissions
ought to be was less than obvious.

Turns out that chmod 2700 and 2711 ~ is okay, while anything with read
permissions for group is unacceptable. (I'm speculating a bit here
because I haven't done exhaustive testing [*].)

This bug is probably a packaging error, seeing as the owner=group
convention is somewhat specific to Debian (and Red Hat, IIRC) while
the upstream edition of SSH probably wants to continue to be paranoid
about group-readable home directories.

Troubleshooting this was hard because there is no fair warning -- it
took me a while to notice the error messages in auth.log. It would be
ideal if the error could be displayed on the terminal of the user who
is attempting to log in (I fail to see how this could open up any
major security problems).

So I'd like to see

 1) the Debian package fixed so that group ownership checks are
    ignored if the group ID is equal to the user's login ID (and/or
    the user ID is in the interval defined to be reserved for local
    users as per Debian policy)

 2) any home directory permission requirements clearly documented

 3) permission warnings to be displayed to the user who is trying to
    log in, and getting rejected because of permission problems

 4) tangentially, the behavior when permissions are wrong is a bit
    strange when it comes to prompting for a password. Specifically,
    if I have added the key with ssh-add, I will get three password
    prompts:

    1. when the authorization agent's public key is checked and rejected,
       it will ask for the key's passphrase -- to no avail, it's not the
       lack of a passphrase which is causing the rejection

    2. falls back to using the regular identity key, same thing again
       (even if the agent was trying the identity key originally!)

    3. and then finally fall back to regular password authentication
       (which doesn't suffer from problems with home directory checks)

See also BTS bug #157138.

That's a tall order; if you'd like me to break it up into smaller
bugs, write back and I'll see what I can do.

/* era */
[*] The only link where I can test this is a GPRS connection running
at approximately 9,600 bps. The simple command "ssh there echo moo"
takes on the order of three minutes to complete. I've run about ten of
those tests ...
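
An added example, not part of the original report and not Debian or
OpenSSH code: a Python audit of authorized_keys, ~/.ssh and the home
directory, modelled on sshd's StrictModes test (owner must be the user
or root, no group or other write bit), so the rejection can be found
locally instead of in auth.log. The function name and the private_gid
parameter, which models proposal 1 above, are assumptions made for
illustration.

```python
import os
import stat
import sys


def audit_key_path(home, rel=".ssh/authorized_keys", uid=None, private_gid=None):
    """Walk from the key file up to the home directory and return a list of
    (path, problem) tuples for anything a StrictModes-style check rejects.

    private_gid is hypothetical: it models proposal 1 in the report by
    tolerating the group-write bit when the group is the user's own group.
    """
    uid = os.getuid() if uid is None else uid
    home = os.path.realpath(home)
    path = os.path.realpath(os.path.join(home, rel))
    findings = []
    while True:
        try:
            st = os.stat(path)
        except OSError as exc:
            # Missing or unreadable component: report it and keep walking up.
            findings.append((path, exc.strerror))
        else:
            if st.st_uid not in (0, uid):
                findings.append((path, "owned by uid %d" % st.st_uid))
            loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if private_gid is not None and st.st_gid == private_gid:
                loose &= ~stat.S_IWGRP  # other-write is never tolerated
            if loose:
                mode = stat.S_IMODE(st.st_mode)
                findings.append((path, "group/other writable, mode %04o" % mode))
        parent = os.path.dirname(path)
        if path == home or parent == path:
            return findings
        path = parent


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    problems = audit_key_path(target)
    for where, what in problems:
        print("%s: %s" % (where, what))
    sys.exit(1 if problems else 0)
```

Run it as the account that fails to log in; an exit status of 1 means at
least one path component would be rejected by this check.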