[follow-up/fix] openssh 2.5.2p2 not allowing RSA authentication

Jan Just Keijser janjust at cisco.com
Wed Apr 4 23:32:03 EST 2001 

> the stat() on $HOME/.ssh/authorized_keys fails, which the server needs to read
> to determine whether RSA authentications are allowed. My bet about what's
> happening is this:
>
> sshd runs as euid root, gid 0
> auth-rsa.c switches to euid janjust, but does not change the egid using
> setegid()
> euid janjust, gid 0 does *NOT* have access to the directory /local/home with
> permissions 750
> the stat() call walks down the path of the file and runs into this permission
> problem and bails out, even though the user would have access to directories
> and files below the troublesome /local/home directory.
>

I should've accepted bets :-) :

when I add the following (ugly) hack:

        gid_t old_gid;

        /* no user given */
        if (pw == NULL)
                return 0;

        /* Temporarily use the user's uid. */
        old_gid = getegid();
        if (setegid(pw->pw_gid) < 0 )
        {
            packet_send_debug("setegid(%d) failed: %s!", pw->pw_gid, strerror(
errno ) );
        }
        temporarily_use_uid(pw->pw_uid);

        /* The authorized keys. */
        snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
                 _PATH_SSH_USER_PERMITTED_KEYS);

        /* Fail quietly if file does not exist */
        if (stat(file, &st) < 0) {
                packet_send_debug("euid = %d egid = %d", geteuid(), getegid()
);
                packet_send_debug("stat() returned error: %s", strerror(errno)
);
                /* Restore the privileged uid. */
                restore_uid();
                setegid(old_gid);
                packet_send_debug("Could not stat %.900s.", file);
                return 0;
        }

i.e. I save the current gid and then set the egid to pw->pw_gid then the stat()
call on $HOME/.ssh/authorized_keys works without problems (yes, I changed the
permission back to 750 - the unpatched sshd is broken again); you have to do
setegid BEFORE seteuid, coz once you're a mere user you're not allowed to do
this anymore (as I found out the hard way).

A proper fix would be to add this to uidswap.c, I guess...

share and enjoy,

JJK / Jan Just Keijser
Cisco Systems International BV

More information about the openssh-unix-dev mailing list