Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20111110201503.GD1683@altlinux.org>
Date: Fri, 11 Nov 2011 00:15:03 +0400
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: Re: /etc/skel/.ssh/authorized_keys

On Thu, Nov 10, 2011 at 11:14:23PM +0400, Solar Designer wrote:
> On Wed, Nov 09, 2011 at 03:10:15PM +0400, gremlin@...mlin.ru wrote:
> > On 09-Nov-2011 14:56:44 +0400, Solar Designer wrote:
> >  > > +%post clients
> >  > > +mkdir -p -m 700 /etc/skel/.ssh
> >  > > +touch /etc/skel/.ssh/authorized_keys
> >  > What for? To provide safe permissions by default, even if one
> >  > adjusts the umask to be other than our default of 077?
> > 
> > Not necessarily. I normally do that for reasons of usability, as
> > I encourage users to authorize with keys, and they misspell the
> > file name too often.
> 
> Oh.  Understood.  But I don't feel this is a good enough reason to make
> the change in Owl.  It would be unclear where to stop with providing
> empty skel files for those potentially misspelled filenames.

Well, /etc/skel/.ssh/authorized_keys is very convenient.  On servers where
PasswordAuthentication is turned off (e.g. on all servers I care for),
~user/.ssh/authorized_keys is changed at least once (unless
AuthorizedKeysFile is also customized).  When ~user/.ssh/authorized_keys
is created by useradd, it allows to use tab completion and makes sysadmins
happy. ;)

In Sisyphus, this file contains a comment:
http://git.altlinux.org/gears/e/etcskel.git?p=etcskel.git;a=blob;f=etcskel/common/.ssh/authorized_keys


-- 
ldv

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.