Bug 2099203

Summary: Cannot perform ssh login using pubkey when poly-instantiation is enabled
Product: Red Hat Enterprise Linux 9
Reporter: Renaud Métrich <rmetrich>
Component: pam
Assignee: Iker Pedrosa <ipedrosa>
Status: CLOSED DEFERRED
QA Contact: sssd-qe <sssd-qe>
Severity: medium
Priority: medium
Version: 9.0
CC: aboscatt, atikhono, jpazdziora, lvrabec, pbrezina
Target Milestone: rc
Hardware: All
OS: Linux
Last Closed: 2022-09-13 21:29:50 UTC
Type: Bug
Bug Blocks: 2091979

Description Renaud Métrich 2022-06-20 10:08:39 UTC
Description of problem:

This is a sub-BZ of BZ #2091979

When poly-instantiation is enabled, users cannot log in using a public key because, at the time authentication is performed, sshd reads the "regular home dir for the user" (e.g. /home/user) instead of the poly-instantiated one (e.g. /home/user/user.inst/unconfined_u...).

Version-Release number of selected component (if applicable):

pam-1.5.1-9.el9.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Enable poly-instantiation for users, with a poly-instantiated home directory (/etc/security/namespace.conf)

  Start pam_namespace.service unit to create the required temporary dirs.

2. Copy the pubkey to the user's home dir using "ssh-copy-id"

  $ ssh-copy-id user1@vm-poly9
  ...
  user1@vm-poly9's password: <passwd
  ...

3. Try connecting password-less

Actual results:

Password requested

Expected results:

No password requested

Additional info:

strace shows sshd reads /home/user1/.ssh/authorized_keys (which doesn't exist and is not accessible by the user anyway) instead of the poly-instantiated one (/home/user1/user1.inst/unconfined_u\:object_r\:user_home_dir_t\:s0-s0\:c0.c1023_user1/.ssh/authorized_keys):

# strace -fttTvyy -s 128 -o /tmp/sshd.strace -p $(cat /run/sshd.pid)
strace: Process 705 attached
strace: Process 1286 attached
strace: Process 1287 attached
^C

# grep authorized_keys /tmp/sshd.strace 
1286  12:06:43.615529 openat(AT_FDCWD, "/home/user1/.ssh/authorized_keys", O_RDONLY|O_NONBLOCK) = -1 ENOENT (No such file or directory) <0.000062>
1286  12:06:43.622310 openat(AT_FDCWD, "/home/user1/.ssh/authorized_keys", O_RDONLY|O_NONBLOCK) = -1 ENOENT (No such file or directory) <0.000005>
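A triage helper for strace output like the above, added here as an example and not part of the original report: it lists every authorized_keys open that sshd attempted and counts the failures per path and errno. The function names are hypothetical; the first two sample lines are copied from the report and the last two are constructed.

```python
import re
from collections import Counter

# One line of "strace -f -tt -T -yy" output: pid, time, open/openat call, result.
# Calls split by strace into "<unfinished ...>" / "resumed" pairs are not matched.
LINE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<time>[\d:.]+)\s+open(?:at)?\('
    r'(?:[^,"]*,\s*)?"(?P<path>(?:[^"\\]|\\.)*)"[^)]*\)\s*=\s*'
    r'(?P<ret>-?\d+)(?:<[^>]*>)?(?:\s+(?P<errno>E[A-Z]+))?'
)

SAMPLE = '''\
1286  12:06:43.615529 openat(AT_FDCWD, "/home/user1/.ssh/authorized_keys", O_RDONLY|O_NONBLOCK) = -1 ENOENT (No such file or directory) <0.000062>
1286  12:06:43.622310 openat(AT_FDCWD, "/home/user1/.ssh/authorized_keys", O_RDONLY|O_NONBLOCK) = -1 ENOENT (No such file or directory) <0.000005>
1290  12:07:01.100000 openat(AT_FDCWD, "/home/user2/.ssh/authorized_keys", O_RDONLY|O_NONBLOCK) = 5</home/user2/.ssh/authorized_keys> <0.000040>
1291  12:07:02.000000 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 4</etc/passwd> <0.000010>
'''


def key_lookups(trace):
    """Return (pid, time, path, errno-or-None) for each authorized_keys open."""
    hits = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if m and m["path"].endswith("/authorized_keys"):
            failed = int(m["ret"]) < 0
            hits.append((int(m["pid"]), m["time"], m["path"],
                         m["errno"] if failed else None))
    return hits


def failed_lookups(trace):
    """Count failed authorized_keys opens per (path, errno)."""
    return Counter((path, err) for _, _, path, err in key_lookups(trace) if err)


if __name__ == "__main__":
    for (path, err), count in failed_lookups(SAMPLE).items():
        print(f"{count}x {err}: {path}")
```

A failing path that sits directly under the regular home directory, rather than under the instance directory configured in /etc/security/namespace.conf, matches the behaviour described in this report.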