1

On a local workstation I need a handful of users to be able to freely write in each other's $HOME.

I KNOW this is a security breach and, in the specific situation, I do not care at all.

I have another server (not local to the LAN) used mainly as an SCM repo. The above-mentioned users access the server via ssh.

Unfortunately OpenSSH server does not like writable $HOMEs and I found no way to circumvent it (I expected to have some server-side param).

Can someone suggest a workaround?

runlevel0
ZioByte
  • Please, try to explain better what is the requirement here, what are you trying to do; this sounds like unneeded pain with probably a better solution. – dawud Jul 03 '15 at 17:22
  • @dawud: There are a handful of developers working on this private machine and they need to exchange files and also edit files or compile code residing under a co-worker's HOME, so their HOME is 0777. I tried convincing them to use some external place, but they wouldn't listen (and I do not want to force them). In this condition they are unable to use rsa authentication to access *another* machine (target or git server). – ZioByte Jul 10 '15 at 17:45
  • Either they are competent enough to provide a working environment for their own use, or they have to accept the solution given by whoever manages the systems. The solution is obvious: every user has a personal account and a clone of the repository. File exchanges out of the scope of the repository can happen on an SFTP server. Problem with ssh keys has gone away. – dawud Jul 10 '15 at 18:17

2 Answers

2

My suggestion for a workaround: Put the authorized_keys file somewhere outside of the user's home directory, using the AuthorizedKeysFile directive in sshd's config file.

However, I'm a bit puzzled - the StrictModes directive should specifically do what you want. Does this not work as documented?

StrictModes

Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is "yes".

noitsbecky
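
An added example (not part of the answer above and not OpenSSH's own code): a simplified model of the check StrictModes applies to a key file, run against a constructed tree with a 0777 home to show why a key file under $HOME is rejected while one outside it is accepted. The `alice` account, the `/etc/ssh/authorized_keys/%u` layout and the `top` parameter (a stand-in for `/` so the check runs in a temp directory) are assumptions.

```python
import os
import tempfile


def strict_modes_ok(path, home, uid, top="/"):
    """Simplified model of sshd's StrictModes check on a key file.

    Walk from the file up to $HOME (if the file is under it) or to `top`;
    every component must be owned by `uid` or root and must not be
    group- or world-writable. `top` is an assumption of this example: it
    stands in for "/" so the check can run inside a temp directory.
    """
    current, home, top = (os.path.realpath(p) for p in (path, home, top))
    while True:
        st = os.stat(current)
        if st.st_uid not in (0, uid):
            return False, f"bad owner: {current}"
        if st.st_mode & 0o022:
            return False, f"group/world-writable: {current}"
        parent = os.path.dirname(current)
        if current in (home, top) or parent == current:
            return True, "ok"
        current = parent


def demo():
    """Build a constructed tree with a 0777 home and test both key locations."""
    with tempfile.TemporaryDirectory() as top:
        home = os.path.join(top, "home", "alice")
        in_home = os.path.join(home, ".ssh", "authorized_keys")
        # Mirrors "AuthorizedKeysFile /etc/ssh/authorized_keys/%u" (constructed path)
        outside = os.path.join(top, "etc", "ssh", "authorized_keys", "alice")
        for key_file in (in_home, outside):
            os.makedirs(os.path.dirname(key_file))
            open(key_file, "w").close()
            os.chmod(key_file, 0o600)
        for root, dirs, _ in os.walk(top):
            for d in dirs:
                os.chmod(os.path.join(root, d), 0o755)  # independent of umask
        os.chmod(home, 0o777)  # the situation described in the question
        uid = os.getuid()
        return {
            "in_home": strict_modes_ok(in_home, home, uid, top),
            "outside": strict_modes_ok(outside, home, uid, top),
        }


if __name__ == "__main__":
    for location, (ok, reason) in demo().items():
        print(f"{location}: {'accepted' if ok else 'rejected'} ({reason})")
```

With the key file moved out of $HOME, the directories holding it become the trust boundary, so they need to stay owned by root or the user and closed to group and world writes.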
0

Yes: groups.

Make all the users members of the same group, and make ~~their $HOME directories~~ some "workspace" folder group-writable.

Due to restrictions on the permissions that SSH will allow on the $HOME directories (as mentioned in the comments below), the only way to make this work would be to create a folder they can all access elsewhere, and perhaps place a link to it in each $HOME directory. This can be done automatically using the /etc/skel directory.

shearn89