[Bug 220] New: sshd fails to read other users authorized_keys over nfs as root

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Apr 17 19:33:25 EST 2002


http://bugzilla.mindrot.org/show_bug.cgi?id=220

           Summary: sshd fails to read other users authorized_keys over nfs
                    as root
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: All
               URL: http://www.hut.fi/cc/
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P1
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: ska at cc.hut.fi


Dear openssh developers,

We're about to switch several hundred Unix/Linux hosts from the
traditional sshd 1.2.31 to OpenSSH, but we have noticed a
major problem in the way authorized keys authentication is
performed by sshd.

For security reasons the nfs server does not grant root
permissions to most workstation mounts.

Home directories are located on nfs mounted disks.

Here's an example of how root fails to read another user's file:

# cat ~pseudouser/.ssh/authorized_keys > /dev/null
cat: 0652-050 Cannot open /pseudo/pseudouser/.ssh/authorized_keys.
# su - pseudouser
$ cat ~pseudouser/.ssh/authorized_keys > /dev/null
$

On /var/adm/syslog/auth the error looks like this:
"Apr 15 18:02:12 foobar sshd[23892]: Authentication refused:
realpath /pseudo/pseudouser/.ssh/authorized_keys failed:
Permission denied"

So the problem with OpenSSH's implementation of sshd is:
-
sshd expects to be able to read the public authorized_keys file from
other users' home directories as the root user.
-

Other implementations of sshd have no similar problem,
since the user id is changed appropriately to that of the user trying to
authenticate with RSA or another key.

The problem has been verified to occur on the following platforms:
- 3.0.2p1 / Solaris 8
- 3.0.2p1 / AIX 4.3.2
- 3.2cvs / AIX 4.3.2

Most likely the problem will appear on other architectures as well.

I suggest checking functions like temporarily_use_uid().

A patch for 3.0.2p1 is needed as well as for 3.2cvs.

Sincerely,

Samuli Kajantola
Unix administrator
Helsinki University of Technology, Computing Centre
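The approach the report proposes, switching to the user's own identity before opening the key file so that NFS root_squash (or any other permission check) is evaluated against the user rather than root, as an added stand-alone C example. It is not OpenSSH code and not the reporter's patch: `read_file_as_user()` is a hypothetical helper modelled on the role of `temporarily_use_uid()` / `restore_uid()`; it switches only the effective uid/gid (a real daemon would also set the supplementary group list), skips the switch when the process is not root, and refuses files not owned by the target user. The demo functions and the sample key line are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Read up to len-1 bytes of path while temporarily wearing the file owner's
 * identity (hypothetical helper, modelled on the idea behind sshd's
 * temporarily_use_uid()). Only the effective uid/gid are switched here; a
 * daemon would also install the user's supplementary groups. When the caller
 * is not root the switch is skipped. Returns bytes read, or -1 with errno set.
 */
ssize_t read_file_as_user(const char *path, uid_t uid, gid_t gid,
                          char *buf, size_t len)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int privileged = (saved_uid == 0);
    ssize_t n = -1;
    int fd, saved_errno = 0;
    struct stat st;

    if (len == 0) { errno = EINVAL; return -1; }

    if (privileged) {
        /* Group first: once the effective uid is no longer 0 we could not
         * change the effective gid any more. */
        if (setegid(gid) < 0)
            return -1;
        if (seteuid(uid) < 0) {
            saved_errno = errno;
            (void)setegid(saved_gid);
            errno = saved_errno;
            return -1;
        }
    }

    /* From here on every permission check, local or on an NFS server that
     * squashes root, is made against uid/gid, as if the user ran cat. */
    fd = open(path, O_RDONLY);
    if (fd < 0) {
        saved_errno = errno;
    } else {
        if (fstat(fd, &st) != 0)
            saved_errno = errno;
        else if (st.st_uid != uid)
            saved_errno = EPERM;     /* never read someone else's file for the user */
        else {
            n = read(fd, buf, len - 1);
            saved_errno = errno;
            if (n >= 0)
                buf[n] = '\0';
        }
        close(fd);
    }

    if (privileged) {
        /* Failing to get root back would leave the daemon running as the
         * user, which is not a state to continue from. */
        if (seteuid(saved_uid) < 0 || setegid(saved_gid) < 0)
            abort();
    }
    errno = saved_errno;
    return n;
}

/* Constructed self-test: write a throw-away key file owned by the caller and
 * read it back with the caller's own uid/gid. Returns 1 on success. */
int demo_read_own_file(void)
{
    const char *line = "ssh-rsa AAAAB3Nz-constructed-sample-key demo@example.invalid\n";
    char tmpl[] = "/tmp/authkeys_demo_XXXXXX";
    char buf[256];
    int fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    int ok = write(fd, line, strlen(line)) == (ssize_t)strlen(line);
    close(fd);
    if (ok) {
        ssize_t n = read_file_as_user(tmpl, getuid(), getgid(), buf, sizeof buf);
        ok = n == (ssize_t)strlen(line) && strcmp(buf, line) == 0;
    }
    unlink(tmpl);
    return ok;
}

/* A missing key file must report failure (ENOENT) rather than succeed. */
int demo_missing_file(void)
{
    char buf[16];
    return read_file_as_user("/nonexistent/authkeys_demo", getuid(), getgid(),
                             buf, sizeof buf) == -1 && errno == ENOENT;
}

int main(void)
{
    if (!demo_read_own_file() || !demo_missing_file()) {
        fprintf(stderr, "demo failed: %s\n", strerror(errno));
        return 1;
    }
    puts("key file read with the owner's identity: ok");
    return 0;
}
```

Run as an unprivileged user the helper simply opens the file as that user; run as root it drops to the target uid/gid around the open/read and restores root afterwards, which is the window in which a root-squashing NFS server would otherwise have returned "Permission denied".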


