pubkey auth with NFS home on AIX

Mark D. Roth roth+openssh at feep.net
Wed Dec 12 07:01:33 EST 2001


On Mon Dec 10 21:28 2001 +0100, Markus Friedl wrote:
> On Mon, Dec 10, 2001 at 02:19:31PM -0600, Mark D. Roth wrote:
> > On Mon Dec 10 21:05 2001 +0100, Markus Friedl wrote:
> > > can someone confirm this:
> > > 
> > > http://bugzilla.mindrot.org/show_bug.cgi?id=29
> > > 
> > > Authentication refused: realpath /home/user/.ssh/authorized_keys failed: The file access permissions do not allow the specified action.
> > 
> > I haven't had time to look into this, but I started seeing it when I
> > upgraded from 2.9p2 to 2.9.9p2.  I haven't had time to check 3.x yet,
> > so I don't know if it's still broken...
> 
> well sshd switches uid/groups to the user before calling realpath(). 

I just dug a little deeper, and it looks like AIX is using the real
uid instead of the effective uid to determine NFS access.  sshd is
only changing the effective uid, presumably since it needs to reclaim
root privileges, but that's enough to cause the NFS problem.

Unfortunately, the only way I can think of to address this problem is
to fork a child process which can change its real uid to do the
realpath() check and report its findings back to the parent.  This is
a particularly inelegant (and inefficient) solution, so I'm hoping
someone else can think of something better...

-- 
Mark D. Roth <roth at feep.net>
http://www.feep.net/~roth/
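
The fork-based workaround described in the message above, sketched in C as an added example (not code from OpenSSH or from this thread). The helper name `realpath_as_user`, the `rp_reply` struct and the pipe reply format are hypothetical, and the sketch assumes the caller forks while it can still change ids (effective uid 0, or already running as the target user).

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1            /* realpath(), setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

struct rp_reply { int err; char path[PATH_MAX]; };   /* child -> parent */

/* Hypothetical helper: resolve `path` in a child whose real, effective and
 * saved uid are all the user's. Returns 0 and fills `out`, else an errno. */
int realpath_as_user(const char *path, uid_t uid, gid_t gid,
                     char *out, size_t outlen)
{
    struct rp_reply r;
    int fd[2], status = 0;
    size_t got = 0;
    ssize_t n;
    pid_t pid;
    if (pipe(fd) == -1) return errno;
    if ((pid = fork()) == -1) { int e = errno; close(fd[0]); close(fd[1]); return e; }
    if (pid == 0) {                  /* child: drops privileges for good */
        close(fd[0]);
        memset(&r, 0, sizeof(r));
        /* Groups first, uid last. setgroups() is a simplification; a real
         * daemon would load the user's full group list (initgroups()). */
        if ((getuid() != uid && setgroups(1, &gid) == -1) ||
            setgid(gid) == -1 || setuid(uid) == -1)
            r.err = errno;
        else if (getuid() != uid || geteuid() != uid)
            r.err = EPERM;           /* the drop did not take effect */
        else if (realpath(path, r.path) == NULL)
            r.err = errno;           /* e.g. EACCES from the NFS server */
        _exit(write(fd[1], &r, sizeof(r)) == (ssize_t)sizeof(r) ? 0 : 1);
    }
    close(fd[1]);                    /* parent keeps its ids, reads the verdict */
    while (got < sizeof(r) && (n = read(fd[0], (char *)&r + got, sizeof(r) - got)) > 0)
        got += (size_t)n;
    close(fd[0]);
    while (waitpid(pid, &status, 0) == -1 && errno == EINTR) ;
    if (got != sizeof(r) || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return EIO;
    r.path[PATH_MAX - 1] = '\0';     /* do not trust the child's terminator */
    if (r.err != 0) return r.err;
    if (strlen(r.path) >= outlen) return ENAMETOOLONG;
    strcpy(out, r.path); return 0;
}
```
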



More information about the openssh-unix-dev mailing list