Bug 1349551
Summary: OpenSSH complaining on file permissions of .ssh/authorized_keys
Product: [Fedora] Fedora
Reporter: Leif Hedstrom <leif>
Component: openssh
Assignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 24
CC: jjelen, kdudka, mattias.ellert, mgrepl, plautrba, tmraz
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssh-7.2p2-8.fc24
Doc Type: If docs needed, set a value
Last Closed: 2016-06-25 19:22:14 UTC
Type: Bug
Description
Leif Hedstrom
2016-06-23 16:21:45 UTC
This looks like a pretty insecure setup. Do I see right, that every user who stores his public key in his home directory can sudo? Nah ... there might be some more restrictions in the sudoers file, but still ... Never mind.

This should certainly work according to the manual page, regardless of the option allow_user_owned_authorized_keys_file. I see the same behavior and it looks like a bug. It is trying to check twice against the same user (root). Probably another use case we don't have a regression test for yet.

Jun 24 08:50:44 f24 sudo[17756]: trying public key file /home/user/.ssh/authorized_keys
Jun 24 08:50:44 f24 sudo[17756]: auth_secure_filename: checking for uid: 0
Jun 24 08:50:44 f24 sudo[17756]: Authentication refused: bad ownership or modes for file /home/user/.ssh/authorized_keys
Jun 24 08:50:44 f24 sudo[17756]: trying public key file /home/user/.ssh/authorized_keys
Jun 24 08:50:44 f24 sudo[17756]: auth_secure_filename: checking for uid: 0
Jun 24 08:50:44 f24 sudo[17756]: Authentication refused: bad ownership or modes for file /home/user/.ssh/authorized_keys

Reverting commit [1] will make it work again. Seems like there is some magic between the lines. I will check how we can do that better and issue an update soon. Thank you for the report.

[1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=ea9421342eb381aa43eafd95bef298cbc8979368

This is a bug in the patch [1] - you cannot call getpwuid twice and expect that the struct passwd returned from the first call will not be overwritten by the second call.

openssh-7.2p2-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-75bde9f07a

Thanks! And yes, I'm not recommending this setup, but in my case, this box has only one user in /home, me :). Oh, and of course sudoers ACLs are still in place (I hope / assume), restricting who can sudo in the first place (I use the wheel group membership, that's how old I am).
openssh-7.2p2-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-75bde9f07a

openssh-7.2p2-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
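The getpwuid pitfall named in the comments above, shown as an added example (this is not code from the OpenSSH package or from the patch in question). The function names and the owner policy "file must belong to the user or to root" are assumptions made for illustration; with the aliased record, a file owned by the user is compared against uid 0 only, which matches the "checking for uid: 0" log lines.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pitfall: getpwuid() may return a pointer to static storage, so the
 * second call can overwrite the record the first pointer refers to.
 * Returns the uid seen through the FIRST pointer after the second call. */
long stale_uid_after_second_lookup(uid_t first, uid_t second)
{
    struct passwd *a = getpwuid(first);
    struct passwd *b = getpwuid(second);
    if (a == NULL || b == NULL)
        return -1;
    return (long)a->pw_uid;   /* often equals `second`, not `first` */
}

/* Fix: getpwuid_r() writes into caller-owned storage, so each record
 * stays valid for as long as its own buffer does. Returns 0 on success. */
int lookup_user(uid_t uid, struct passwd *out, char *buf, size_t len)
{
    struct passwd *res = NULL;
    if (getpwuid_r(uid, out, buf, len, &res) != 0 || res == NULL)
        return -1;
    return 0;
}

/* Assumed policy (illustration only): owner must be the user or root. */
int owner_acceptable(uid_t file_owner, const struct passwd *user)
{
    return file_owner == user->pw_uid || file_owner == 0;
}

int main(void)
{
    struct passwd me, root;
    char mebuf[4096], rootbuf[4096];
    uid_t uid = getuid();

    printf("getpwuid twice: first record now says uid %ld (wanted %ld)\n",
           stale_uid_after_second_lookup(uid, 0), (long)uid);
    if (lookup_user(uid, &me, mebuf, sizeof mebuf) != 0 ||
        lookup_user(0, &root, rootbuf, sizeof rootbuf) != 0)
        return 1;
    printf("getpwuid_r: user=%s(%ld) root=%s(%ld)\n", me.pw_name,
           (long)me.pw_uid, root.pw_name, (long)root.pw_uid);
    printf("user-owned file accepted: %d\n", owner_acceptable(uid, &me));
    return 0;
}
```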