/etc/security

From: Tobias Ulmer
Subject: /etc/security
Date: Saturday, February 20, 2010 - 6:36 pm

I've got a bunch of "users" with no password/no way to log in, just to
keep services tidy and separated. Some of these have to connect to ssh
servers, therefore they require a .ssh/known_hosts. /etc/security thinks
this is a security risk and complains about it every night...


Index: etc/security
===================================================================
RCS file: /home/cvs/openbsd/src/etc/security,v
retrieving revision 1.88
diff -u -p -r1.88 security
--- etc/security	3 Jun 2009 14:45:39 -0000	1.88
+++ etc/security	21 Feb 2010 01:23:21 -0000
@@ -40,7 +40,7 @@ awk -F: '{
 			printf("Login %s is off but still has a valid shell and an entry in /etc/skey.\n", $1);
 		if (system("test -d "$9" -a ! -r "$9"") == 0)
 			printf("Login %s is off but still has valid shell and home directory is unreadable\n\t by root; cannot check for existence of alternate access files.\n", $1);
-		else if (system("for file in .ssh .rhosts .shosts .klogin; do if test -e "$9"/$file; then if ((ls -ld "$9"/$file | cut -b 2-10 | grep -q r) && (test ! -O "$9"/$file)) ; then exit 1; fi; fi; done"))
+		else if (system("for file in .ssh/authorized_keys .rhosts .shosts .klogin; do if test -e "$9"/$file; then if ((ls -ld "$9"/$file | cut -b 2-10 | grep -q r) && (test ! -O "$9"/$file)) ; then exit 1; fi; fi; done"))
 			 printf("Login %s is off but still has a valid shell and alternate access files in\n\t home directory are still readable.\n",$1);
 	}
 	if ($3 == 0 && $1 != "root")
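Review bot: on the changed `for file in` line, replacing `.ssh` with `.ssh/authorized_keys` means nothing else under `.ssh` is examined any more, so a key file under another name (for instance `authorized_keys2`, or whatever path sshd's `AuthorizedKeysFile` points at) in a disabled account's home would go unreported. Consider listing those names explicitly next to `.ssh/authorized_keys`, or keeping the `.ssh` check and skipping only `known_hosts`, with a comment saying why `known_hosts` is deliberately excluded. Separately, `$9` is still interpolated unquoted into the `system()` string on this line, so a home directory containing spaces or shell metacharacters breaks the test; quoting it while the line is being touched would be worthwhile.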

Messages in current thread:
/etc/security, Tobias Ulmer, (Sat Feb 20, 6:36 pm)
Re: /etc/security, Ingo Schwarze, (Sun Feb 21, 4:19 am)
Re: /etc/security, Tobias Ulmer, (Sun Feb 21, 4:56 am)
Re: /etc/security, Ingo Schwarze, (Sun Feb 21, 5:55 am)