Allow ~/.ssh/authorized_keys and other secure files to be

group-writable, provided that the group in question contains only the
file's owner; this extends a patch previously applied to ~/.ssh/config
(closes: #581919).

1 files changed, 2 insertions, 4 deletions

diff --git a/auth-rhosts.c b/auth-rhosts.c
index 06ae7f0b9..f20278797 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
                 return 0;
         }
         if (options.strict_modes &&
-            ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-            (st.st_mode & 022) != 0)) {
+            !secure_permissions(&st, pw->pw_uid)) {
                 logit("Rhosts authentication refused for %.100s: "
                     "bad ownership or modes for home directory.", pw->pw_name);
                 auth_debug_add("Rhosts authentication refused for %.100s: "
@@ -283,8 +282,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
                  * allowing access to their account by anyone.
                  */
                 if (options.strict_modes &&
-                    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-                    (st.st_mode & 022) != 0)) {
+                    !secure_permissions(&st, pw->pw_uid)) {
                         logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
                             pw->pw_name, buf);
                         auth_debug_add("Bad file modes for %.200s", buf);