Home / server / Questions / 703363
Accepted
ZioByte
Asked: 2015-07-04 05:48:07 +0800 CST

OpenSSH: allow users with writeable HOME to use public key authentication

  • 772

On a local workstation I need to have a handful of users to be able to freely write in each other $HOME.

I KNOW this is a security breach and, in the specific situation, I do not care at all.

I have another server (not local to LAN) used mainly as SCM repo. The above mentioned users access server via ssh.

Unfortunately OpenSSH server does not like writable $HOMEs and I found no way to circumvent it (I expected to have some server-side param).

Can someone suggest a workaround?

ssh

2 Answers

  1. Best Answer

    My suggestion for a workaround: Put the authorized_keys file somewhere outside of the user's home directory, using the AuthorizedKeysFile directive in sshd's config file.

    However, I'm a bit puzzled - the StrictModes directive should specifically do what you want. Does this not work as documented?

    StrictModes

    Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is "yes".

    • 2

  2. Yes: groups.

    Make all the users the member of the same group, and make their $HOME directories some "workspace" folder group-writable.

    Due to restrictions on the permissions that SSH will allow on the $HOME directories (as mentioned in the comments below), the only way to make this work would be to create a folder they can all access elsewhere, and perhaps place a link to it in each $HOME directory. This can be done automatically using the /etc/skel directory.

    • 0