[Bug 2678] New: PubKey Authentication fails when more than one user/group ACL is set on any Path component to authorized_keys
bugzilla-daemon at bugzilla.mindrot.org
Fri Feb 17 02:32:35 AEDT 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2678
Bug ID: 2678
Summary: PubKey Authentication fails when more than one
user/group ACL is set on any Path component to
authorized_keys
Product: Portable OpenSSH
Version: 5.3p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: dario.vieli at swisscom.com
Created attachment 2944
--> https://bugzilla.mindrot.org/attachment.cgi?id=2944&action=edit
ssh client debug session - failure to login via pubKeyAuth
Overview:
PubKey Authentication fails when more than one user/group Filesystem
ACL is set on any Path component to authorized_keys. Default ACLs are
working fine.
This even applies if the additional user/group ACL is the same as the
current owner.
As soon as the additional user/group ACLs are removed, PubKey Auth
works again.
Steps to reproduce:
$ setfacl -m 'user:alutools:rwx' /gmnt/var/alutoolbox
$ getfacl /gmnt/var/alutoolbox
getfacl: Removing leading '/' from absolute path names
# file: gmnt/var/alutoolbox
# owner: alutools
# group: alutools
user::rwx
user:alutools:rwx
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:extfran4:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
$ ls -la /gmnt/var/alutoolbox
total 23
drwxrwxr-x+ 5 alutools alutools 4096 Feb 16 15:32 .
drwxr-xr-x 12 root root 4096 Feb 2 16:16 ..
..
drwx------+ 2 alutools alutools 4096 Feb 16 14:20 .ssh
$ ls -la /gmnt/var/alutoolbox/.ssh/authorized_keys
-rw-------+ 1 alutools alutools 794 Feb 16 14:29 /gmnt/var/alutoolbox/.ssh/authorized_keys
$ ssh -i path/to/key alutoolbox@localhost
Actual Results:
ssh falls back to the password prompt after the failed PubKey try (see debug.log
attachment)
Expected Results:
ssh login with provided PubKey
Build Date & Hardware:
Thu 12 May 2016 06:52:35 AM CEST @ CentOS 6.8
--
You are receiving this mail because:
You are watching the assignee of the bug.
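
Added example, not part of the original report or of OpenSSH: a shell check that walks from authorized_keys up to the home directory and flags any component whose owner is neither root nor the user, or whose mode has group/other write bits, which is what sshd's StrictModes option tests. On Linux an ACL mask is reported in the group bits of the mode (the listing above shows drwxrwxr-x+ after setfacl). Assumptions: GNU stat is available, this check is what refuses the key here (the report does not say), and the function names and temporary tree are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report. Needs GNU stat (Linux).
# Flags what a StrictModes-style check rejects on each path component:
# an owner other than root or the user, or group/other write bits (mode & 022).

# check_component PATH UID -> prints "OK|BAD <mode> <owner> <path>", returns 0/1
check_component() {
    mode=$(stat -c '%a' "$1") || return 2
    owner=$(stat -c '%u' "$1") || return 2
    reason=
    [ "$owner" -eq 0 ] || [ "$owner" -eq "$2" ] || reason="bad-owner"
    # Leading 0 makes the shell read the mode as octal.
    [ $(( 0$mode & 022 )) -eq 0 ] || reason="${reason:+$reason,}group/other-writable"
    if [ -n "$reason" ]; then
        echo "BAD $mode $owner $1 ($reason)"
        return 1
    fi
    echo "OK $mode $owner $1"
}

# strictmodes_walk FILE HOME UID -> 0 if FILE and every directory up to HOME pass
strictmodes_walk() {
    p=$1 rc=0
    check_component "$p" "$3" || rc=1
    while [ "$p" != "$2" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
        check_component "$p" "$3" || rc=1
    done
    return $rc
}

# Constructed sample tree (not the reporter's system). chmod 775 stands in for
# the group-write bit that the ACL mask produces in the report's ls listing.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -m 700 "$d/home" "$d/home/.ssh"
    : > "$d/home/.ssh/authorized_keys"
    chmod 600 "$d/home/.ssh/authorized_keys"
    chmod 775 "$d/home"
    st=0
    strictmodes_walk "$d/home/.ssh/authorized_keys" "$d/home" "$(id -u)" || st=$?
    rm -rf "$d"
    return $st
}

demo || echo "demo: a component failed the check"
```

On a real system, call strictmodes_walk with the authorized_keys path, the account's home directory and its numeric uid; any BAD line names the component to inspect with getfacl.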