[follow-up/fix] openssh 2.5.2p2 not allowing RSA authentication

Jan Just Keijser janjust at cisco.com
Wed Apr 4 23:09:19 EST 2001


the stat() on $HOME/.ssh/authorized_keys fails, which the server needs to read
to determine whether RSA authentications are allowed. My bet about what's
happening is this:

- sshd runs as euid root, gid 0
- auth-rsa.c switches to euid janjust, but does not change the egid using
  setegid()
- euid janjust, gid 0 does *NOT* have access to the directory /local/home with
  permissions 750
- the stat() call walks down the path of the file and runs into this permission
  problem and bails out, even though the user would have access to directories
  and files below the troublesome /local/home directory.


HTH,

JJK

Markus Friedl wrote:

> the stat() on which file?
>
> On Wed, Apr 04, 2001 at 02:06:56PM +0200, Jan Just Keijser wrote:
> > hmmm, I found the problem and managed to fix it, but I am not sure if this
> > isn't broken:
> >
> > using gdb, I found that sshd fails to stat the 'authorized_keys' files,
> > which was in /local/home/janjust/.ssh/authorized_keys. Here were the
> > permissions for the directories and files leading to that file:
> >
> > drwxr-sr-x  11 root     root         4096 Mar 20 15:57 /local
> > drwxr-s---   3 root     users        4096 Jan 18 11:24 /local/home
> > drwxr-sr-x  27 janjust  users        4096 Apr  4 13:34 /local/home/janjust
> > drwx------   2 janjust  users        4096 Apr  4 13:12 /local/home/janjust/.ssh
> > -rw-------   1 janjust  users        1357 Jan 16 10:39 /local/home/janjust/.ssh/authorized_keys
> >
> > the error that stat() returned is 'Permission denied'. After changing the
> > permissions to
> >
> > drwxr-sr-x  11 root     root         4096 Mar 20 15:57 /local
> > drwxr-sr-x   3 root     users        4096 Jan 18 11:24 /local/home
> > drwxr-sr-x  27 janjust  users        4096 Apr  4 13:59 /local/home/janjust
> > drwx------   2 janjust  users        4096 Apr  4 13:12 /local/home/janjust/.ssh
> > -rw-------   1 janjust  users        1357 Jan 16 10:39 /local/home/janjust/.ssh/authorized_keys
> >
> > (i.e. I changed the permissions on /local/home !) everything is working
> > fine. That's bizarre, and I wonder where this is broken - not in OpenSSH
> > probably, more likely somewhere in glibc...
> >
> > comments, anyone?
> >
> > TIA,
> >
> > JJK / Jan Just Keijser
> > Cisco Systems International BV
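
The failure mode discussed in this thread, as an added example (not code from OpenSSH or from either poster): a small C model of the search-permission check that stat() triggers on every directory of the path, run over the directory listing quoted above. The numeric uid/gid values are assumed, and the model looks only at euid and egid, not at supplementary groups.

```c
#include <stdio.h>
#include <sys/types.h>

/* One directory on the path: owner, group and mode, taken from the quoted ls listing. */
struct node { const char *path; uid_t uid; gid_t gid; mode_t mode; };

/* Assumed numeric ids; the thread gives names only. */
enum { UID_ROOT = 0, GID_ROOT = 0, UID_JANJUST = 1000, GID_USERS = 100 };

/* Classic Unix class selection: exactly one of owner, group or other applies. */
static int may_search(const struct node *n, uid_t euid, gid_t egid)
{
    if (euid == 0)      return 1;                      /* root bypasses the check */
    if (euid == n->uid) return (n->mode & 0100) != 0;  /* owner x bit */
    if (egid == n->gid) return (n->mode & 0010) != 0;  /* group x bit */
    return (n->mode & 0001) != 0;                      /* other x bit */
}

/* Index of the first directory that denies search (x), or -1 if every one allows it. */
int first_denied(const struct node *dirs, int ndirs, uid_t euid, gid_t egid)
{
    for (int i = 0; i < ndirs; i++)
        if (!may_search(&dirs[i], euid, egid))
            return i;
    return -1;
}

/* Walk the four directories above authorized_keys with a given mode on /local/home. */
int check(mode_t local_home_mode, uid_t euid, gid_t egid)
{
    struct node dirs[] = {
        { "/local",                   UID_ROOT,    GID_ROOT,  02755 },
        { "/local/home",              UID_ROOT,    GID_USERS, local_home_mode },
        { "/local/home/janjust",      UID_JANJUST, GID_USERS, 02755 },
        { "/local/home/janjust/.ssh", UID_JANJUST, GID_USERS, 0700 },
    };
    return first_denied(dirs, 4, euid, egid);
}

int main(void)
{
    printf("mode 750, euid janjust, egid 0:     %d\n", check(02750, UID_JANJUST, GID_ROOT));
    printf("mode 750, euid janjust, egid users: %d\n", check(02750, UID_JANJUST, GID_USERS));
    printf("mode 755, euid janjust, egid 0:     %d\n", check(02755, UID_JANJUST, GID_ROOT));
    return 0;
}
```

A result of 1 points at /local/home; -1 means no directory on the path refuses search permission.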




More information about the openssh-unix-dev mailing list