From c970cb9052f85a7570f8003f598cc95fccf70601 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 20 Apr 2004 20:12:53 +1000 Subject: [PATCH] - djm@cvs.openbsd.org 2004/04/19 13:02:40 [ssh.1 ssh_config.5] document strict permission checks on ~/.ssh/config; prompted by, with & ok jmc@ --- ChangeLog | 6 +++++- ssh.1 | 4 +++- ssh_config.5 | 7 +++---- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index a06931c6e..0dfc4bebc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ perform strict ownership and modes checks for ~/.ssh/config files, as these can be used to execute arbitrary programs; ok markus@ NB. ssh will now exit when it detects a config with poor permissions + - djm@cvs.openbsd.org 2004/04/19 13:02:40 + [ssh.1 ssh_config.5] + document strict permission checks on ~/.ssh/config; prompted by, + with & ok jmc@ - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD, needed for above change 20040419 @@ -1014,4 +1018,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3324 2004/04/20 10:11:57 djm Exp $ +$Id: ChangeLog,v 1.3325 2004/04/20 10:12:53 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 31eb66c97..053fedd28 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.182 2004/03/05 10:53:58 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.183 2004/04/19 13:02:40 djm Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -885,6 +885,8 @@ the convenience of the user. This is the per-user configuration file. The file format and configuration options are described in .Xr ssh_config 5 . +Because of the potential for abuse, this file must have strict permissions: +read/write for the user, and not accessible by others. .It Pa $HOME/.ssh/authorized_keys Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described in the diff --git a/ssh_config.5 b/ssh_config.5 index 05581ece4..75637e316 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.29 2004/03/05 10:53:58 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.30 2004/04/19 13:02:40 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -729,9 +729,8 @@ The format of this file is described above. This file is used by the .Nm ssh client. -This file does not usually contain any sensitive information, -but the recommended permissions are read/write for the user, and not -accessible by others. +Because of the potential for abuse, this file must have strict permissions: +read/write for the user, and not accessible by others. .It Pa /etc/ssh/ssh_config Systemwide configuration file. This file provides defaults for those
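Review bot: in the ssh.1 hunk, the new sentence at `$HOME/.ssh/config` states the requirement but not what happens when it is not met; the ChangeLog hunk in this same patch says "ssh will now exit when it detects a config with poor permissions", and a user whose client suddenly refuses to start will look here first. Suggest adding a sentence such as "ssh will refuse to run if this file has insecure permissions." after "+read/write for the user, and not accessible by others." and, since the ChangeLog gives the reason ("these can be used to execute arbitrary programs"), stating that rationale in the man page too rather than only "the potential for abuse".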
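Review bot: in the ssh_config.5 hunk, "must have strict permissions: read/write for the user, and not accessible by others" describes a target mode (0600) but does not say which condition the client actually enforces; the ChangeLog hunk describes "strict ownership and modes checks", so the page should say whether a file owned by another user, or one that is merely group- or world-readable, is rejected, or whether only write access by others triggers the exit. Without that, an administrator cannot tell in advance which existing files will stop working. Dropping "This file does not usually contain any sensitive information" is the right call given the new rationale, and the wording now matches the ssh.1 hunk, which is good for consistency.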