Date: Wed, 9 Nov 2011 15:10:15 +0400
From: gremlin@...mlin.ru
To: owl-dev@...ts.openwall.com
Subject: Re: /etc/skel/.ssh/authorized_keys

On 09-Nov-2011 14:56:44 +0400, Solar Designer wrote:

 > > diff -ruN openssh.orig/openssh.spec openssh/openssh.spec
 > > --- openssh.orig/openssh.spec   2011-04-12 12:52:35 +0400
 > > +++ openssh/openssh.spec        2011-11-09 12:02:28 +0400
 > > @@ -210,6 +210,10 @@
 > >  # create ghosts
 > >  touch %buildroot/etc/ssh/ssh_host_{,rsa_,dsa_}key{,.pub}
 > >  
 > > +%post clients
 > > +mkdir -p -m 700 /etc/skel/.ssh
 > > +touch /etc/skel/.ssh/authorized_keys
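
Review bot: the `touch /etc/skel/.ssh/authorized_keys` line in `%post clients` leaves the new file's mode to whatever umask the scriptlet happens to run under, so the file is only private when that umask is restrictive; follow it with an explicit `chmod 600 /etc/skel/.ssh/authorized_keys`, applied only when the file was just created so that a preset file keeps its mode. The same applies one line up: `mkdir -p -m 700` sets the mode only on a directory it creates, so an existing `/etc/skel/.ssh` with looser permissions is left as it is, and a check of its mode would be worth adding. Since both paths are created outside `%files`, the package does not own them and they stay behind on removal; the spec already uses ghosts for the host keys just above, so it is worth stating in a comment why that approach was not taken here.
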
 > What for? To provide safe permissions by default, even if one
 > adjusts the umask to be other than our default of 077?

Not necessarily. I normally do that for reasons of usability, as
I encourage users to authorize with keys, and they misspell the
file name too often.

 > Why in %post rather than in %install and %files?

To avoid conflicts. The ${subj} may contain preset keys on some
systems (trivial example: VPS with virtual HTTP sites operated
by one person) - and it hardly is the "%config(noreplace)" file.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin
<gremlin  gremlin  ru>
GPG key ID: 0xBA52B364, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 920D 3BCE 930A CF01 A591 541C 6C6D 286E BA52 B364
