Bug 2955

Summary: Warning message StrictModes=yes and $HOME has g+w
Product: Portable OpenSSH Reporter: mkg
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: enhancement CC: djm, dtucker
Priority: P5    
Version: 7.7p1   
Hardware: amd64   
OS: Linux   

Description mkg 2019-01-19 01:45:29 AEDT 
Motivation: I was unable to login to a server, which only allows SSH keys for authentication, because I had (accidentally) given g+w permissions to $HOME and StrictModes=yes in sshd. The MOTD is shown but then I was prompted for a password which I could not give because there is none. I finally contacted a sysadmin and he looked in the sshd logs to find the problem.

Suggestion: it would be nice to have a warning message, perhaps only shown with -v, that hints to check for that or other potential login issues so that the user has a means of starting to debug the problem.
Comment 1 Darren Tucker 2019-01-19 07:47:01 AEDT 
We actually do almost exactly what you are describing (including -v) except that the message is only sent after authentication (eg via password) because we try not to leak any authentication information to unauthenticated users.  Unfortunately since you didn't have any other method this didn't help you, but I don't see this as something that we should change, sorry.

$ chmod 777 ~/.ssh
$ ssh -v localhost
[...]
debug1: Offering public key: [...]
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
dtucker@localhost's password: 
[...]
debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/dtucker/.ssh
Last login: Sat Feb 24 00:47:25 2018 from 127.0.0.1
[...]
Comment 2 Damien Miller 2019-01-23 19:48:40 AEDT 
I agree with Darren here - we don't want to give this information to anyone who knocks on the front door; we can only give it to authenticated users and record it in the server's syslog.
Comment 3 Damien Miller 2021-04-23 15:10:01 AEST 
closing resolved bugs as of 8.6p1 release