[Bug 412] New: AuthorizedKeysFile assumes home directory access upon authentication

bugzilla-daemon at mindrot.org
Fri Oct 11 06:10:32 EST 2002


http://bugzilla.mindrot.org/show_bug.cgi?id=412

           Summary: AuthorizedKeysFile assumes home directory access upon
                    authentication
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: barrows at email.arc.nasa.gov


I'm attempting to get RSA authentication to work with OpenAFS. This requires
placing the RSA key outside of AFS, and thus outside the user's home directory.
I used the line 

AuthorizedKeysFile      /home/%u/.ssh/authorized_keys

to move the file out of the AFS home directory and into an "ssh only" directory
such that it can be accessed by sshd without AFS tokens. This ends up failing
however, with this debug output (from sshd -d):

debug1: userauth-request for user (username) service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1359/10 (e=0)
debug1: trying public key file /home/(username)/.ssh/authorized_keys
Authentication refused: realpath /afs/ic-afs.arc.nasa.gov/admin/(username) failed: Permission denied

Apparently OpenSSH is stat'ing the home directory, despite the fact that the
files it should need are in another directory. When using AFS, the home
directory will not be accessible until the login has gone through PAM and
obtained a token. Is this not possible for a reason e.g. security, or is there
the potential to change this?
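
Added illustration, not part of the original report and not OpenSSH source: a simplified model of an ownership and permission walk from a key file toward the home directory, showing why an unresolvable home directory ends the check even when the key file lives elsewhere. The names check_key_path, demo and home_required, the walk-to-"/" variant and the path /nonexistent-home (standing in for an AFS home without tokens) are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PATH_OK = 0, ERR_FILE = -1, ERR_HOME = -2, ERR_MODE = -3 };
/* Unsafe if not owned by root or the user, or if group/world writable. */
static int bad(const char *p, uid_t uid) {
    struct stat st;
    return stat(p, &st) < 0 || (st.st_uid != 0 && st.st_uid != uid) || (st.st_mode & 022);
}

/* Simplified model. home_required=1 refuses when home cannot be resolved (the
 * behaviour in the report); home_required=0 walks every ancestor up to "/" instead. */
int check_key_path(const char *file, const char *home, uid_t uid, int home_required) {
    char buf[PATH_MAX], homedir[PATH_MAX];
    int have_home = realpath(home, homedir) != NULL;
    if (realpath(file, buf) == NULL) return ERR_FILE;
    if (!have_home && home_required) return ERR_HOME;   /* key file never examined */
    if (bad(buf, uid)) return ERR_MODE;
    for (;;) {
        char *dir = dirname(buf);            /* may point into buf or at static storage */
        memmove(buf, dir, strlen(dir) + 1);
        if (bad(buf, uid)) return ERR_MODE;
        if ((have_home && strcmp(buf, homedir) == 0) || strcmp(buf, "/") == 0) return PATH_OK;
    }
}

/* Constructed tree /tmp/keypathXXXXXX/.ssh/authorized_keys with modes 0700/0600. */
int demo(int home_resolvable, int home_required) {
    char top[] = "/tmp/keypathXXXXXX", dir[64], file[96];
    if (mkdtemp(top) == NULL) return ERR_FILE;
    snprintf(dir, sizeof dir, "%s/.ssh", top);
    snprintf(file, sizeof file, "%s/authorized_keys", dir);
    FILE *f = mkdir(dir, 0700) == 0 ? fopen(file, "w") : NULL;
    if (f == NULL) return ERR_FILE;
    fclose(f);
    chmod(file, 0600);
    return check_key_path(file, home_resolvable ? top : "/nonexistent-home", getuid(), home_required);
}

int main(void) {
    printf("%d %d %d\n", demo(1, 1), demo(0, 1), demo(0, 0));
    return 0;
}
```

In the last case the walk no longer stops at the home directory, so every ancestor up to "/" has to pass the ownership and mode test; with the constructed tree under a world-writable /tmp it typically reports ERR_MODE rather than ERR_HOME.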





