[Bug 220] New: sshd fails to read other users authorized_keys over nfs as root
bugzilla-daemon at mindrot.org
Wed Apr 17 19:33:25 EST 2002
http://bugzilla.mindrot.org/show_bug.cgi?id=220
Summary: sshd fails to read other users authorized_keys over nfs as root
Product: Portable OpenSSH
Version: 3.0.2p1
Platform: All
URL: http://www.hut.fi/cc/
OS/Version: All
Status: NEW
Severity: major
Priority: P1
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: ska at cc.hut.fi
Dear openssh developers,
We're about to switch several hundred Unix/Linux hosts from the
traditional sshd 1.2.31 to OpenSSH, but we have noticed a
major problem in the way authorized keys authentication is
performed by sshd.
For security reasons the nfs server does not grant root
permissions to most workstation mounts.
Home directories are located on nfs mounted disks.
Here's an example of how root fails to read another user's file:
# cat ~pseudouser/.ssh/authorized_keys > /dev/null
cat: 0652-050 Cannot open /pseudo/pseudouser/.ssh/authorized_keys.
# su - pseudouser
$ cat ~pseudouser/.ssh/authorized_keys > /dev/null
$
On /var/adm/syslog/auth the error looks like this:
"Apr 15 18:02:12 foobar sshd[23892]: Authentication refused:
realpath /pseudo/pseudouser/.ssh/authorized_keys failed:
Permission denied"
So the problem with OpenSSH's implementation of sshd is:
- sshd expects to be able to read the public authorized_keys file from
another user's home directory as the root user.
- Other implementations of sshd have no similar problem,
since the user id is changed appropriately to that of the user trying to
authenticate with rsa or another key.
The problem has been verified to occur on the following platforms:
- 3.0.2p1 / Solaris 8
- 3.0.2p1 / AIX 4.3.2
- 3.2cvs / AIX 4.3.2
Most likely the problem will appear on other architectures as well.
I suggest checking functions like temporarily_use_uid().
A patch for 3.0.2p1 is needed as well as for 3.2cvs.
Sincerely,
Samuli Kajantola
Unix administrator
Helsinki University of Technology, Computing Centre
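The report points at temporarily_use_uid() as the place to look. As an added illustration, not OpenSSH's code and not the reporter's, the C program below shows the pattern that fixes this class of problem: switch the effective uid/gid to the file's owner before opening the file, so a root-squashing NFS server sees the user rather than root, and switch back on every exit path. Function names, the temp-file location and the sample authorized_keys content are constructed for the example; supplementary group handling (setgroups), which a real daemon also needs, is left out. Running as an unprivileged user it can only switch to its own ids, which is still enough to exercise the save/switch/restore logic.

```c
/* Added example (not OpenSSH code): read a file with the effective uid/gid
 * temporarily switched to the owner, so an NFS export that squashes root
 * still sees the request as the user.  Modelled on the idea behind
 * OpenSSH's temporarily_use_uid()/restore_uid(); names here are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch effective ids to the target user.  Group first: once we are no
 * longer effectively root we may not be allowed to change the gid any more. */
static int use_uid(uid_t uid, gid_t gid, uid_t *saved_uid, gid_t *saved_gid)
{
    *saved_uid = geteuid();
    *saved_gid = getegid();
    if (setegid(gid) == -1)
        return -1;
    if (seteuid(uid) == -1) {
        int e = errno;
        (void)setegid(*saved_gid); /* best-effort undo */
        errno = e;
        return -1;
    }
    return 0;
}

/* Restore: uid first (regaining privilege), then gid. */
static int restore_uid(uid_t saved_uid, gid_t saved_gid)
{
    if (seteuid(saved_uid) == -1)
        return -1;
    return setegid(saved_gid);
}

/* Read up to buflen-1 bytes of `path` while acting as uid/gid and
 * NUL-terminate.  Returns bytes read, or -1 with errno set.  The original
 * ids are restored on every path, including failure. */
ssize_t read_file_as_user(const char *path, uid_t uid, gid_t gid,
                          char *buf, size_t buflen)
{
    uid_t su;
    gid_t sg;
    ssize_t n = -1;
    int saved_errno = 0;

    if (buflen == 0) { errno = EINVAL; return -1; }
    if (use_uid(uid, gid, &su, &sg) == -1)
        return -1;

    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd == -1) {
        saved_errno = errno;
    } else {
        n = read(fd, buf, buflen - 1);
        if (n == -1)
            saved_errno = errno;
        else
            buf[n] = '\0';
        close(fd);
    }

    /* Failing to regain privilege is a hard error for a daemon. */
    if (restore_uid(su, sg) == -1 && n != -1) {
        saved_errno = errno;
        n = -1;
    }
    errno = saved_errno;
    return n;
}

/* Count lines that could carry a key: non-blank and not starting with '#'. */
int count_key_lines(const char *text)
{
    int count = 0;
    const char *line = text;
    while (*line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        size_t i = 0;
        while (i < len && (line[i] == ' ' || line[i] == '\t'))
            i++;
        if (i < len && line[i] != '#')
            count++;
        if (!end)
            break;
        line = end + 1;
    }
    return count;
}

/* Demo: write constructed sample content to a temp file, read it back as
 * the current user through read_file_as_user(), return the key count or -1. */
int demo_read_authorized_keys(void)
{
    static const char sample[] =
        "# constructed sample authorized_keys; these are not real keys\n"
        "ssh-rsa AAAA-placeholder-one example1@host\n"
        "\n"
        "   ssh-rsa AAAA-placeholder-two example2@host\n";
    char path[] = "/tmp/authkeys_demo_XXXXXX"; /* constructed location */
    int fd = mkstemp(path);
    if (fd == -1)
        return -1;
    if (write(fd, sample, sizeof(sample) - 1) != (ssize_t)(sizeof(sample) - 1)) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    char buf[4096];
    ssize_t n = read_file_as_user(path, geteuid(), getegid(), buf, sizeof buf);
    unlink(path);
    return n == -1 ? -1 : count_key_lines(buf);
}

int main(void)
{
    int keys = demo_read_authorized_keys();
    if (keys == -1) {
        perror("read_file_as_user");
        return 1;
    }
    printf("%d key line(s) read as uid %ld\n", keys, (long)geteuid());
    return 0;
}
```

The order of the calls matters: drop the gid before the uid and regain the uid before the gid, otherwise the second call fails once the process is no longer effectively root. Equally important is that the restore happens on the error path too; a daemon that stays at the user's uid after a failed open() has silently lost the privilege it needs for the next connection.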