Bug 732203

Summary: ssh authentication fails: "bad ownership or modes for directory /var/lib/monkeysphere/authorized_keys"
Product: [Fedora] Fedora Reporter: Sascha Silbe <sascha-web-bugzilla.redhat.com>
Component: monkeysphereAssignee: Patrick Uiterwijk <puiterwijk>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 17CC: bernie+fedora, jeff, mnowak, puiterwijk
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-27 09:54:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sascha Silbe 2011-08-20 17:14:26 UTC 
Description of problem:

After setting up monkeysphere to create /var/lib/monkeysphere/authorized_keys/* and configuring sshd to use these files, logging in with one of those keys fails. This is because sshd is rather fascist regarding who may write the authorized_keys files. In Debian (where monkeysphere is known to work) both /var/lib/monkeysphere and /var/lib/monkeysphere/authorized_keys are owned by root:root (mode 0755), whereas in Fedora they are owned by monkeysphere:monkeysphere (mode 0755).


Version-Release number of selected component (if applicable):
0.35-3.fc14.noarch


How reproducible:
Always


Steps to Reproduce:
1. Set up monkeysphere (watch out for #732191).
2. Add "AuthorizedKeysFile2 /var/lib/monkeysphere/authorized_keys/%u" [sic] and "LogLevel DEBUG" to /etc/ssh/sshd_config.
3. Restart sshd.
4. Try to log in via ssh using one of the monkeysphere managed keys for the user.
5. Check /var/log/secure for error messages.
  
Actual results:
Logging in via ssh fails. Error messages in /var/log/secure:

Aug 20 16:51:09 bs-f14-i386 sshd[26329]: Authentication refused: bad ownership or modes for directory /var/lib/monkeysphere/authorized_keys
Aug 20 16:51:09 bs-f14-i386 sshd[26329]: Authentication refused: bad ownership or modes for directory /var/lib/monkeysphere/authorized_keys



Expected results:
Logging in via ssh works. No error message in /var/log/secure.


Additional info:
After fixing ownership of /var/lib/monkeysphere/authorized_keys _and_ /var/lib/monkeysphere logging in via ssh works fine.
Comment 1 Patrick Uiterwijk 2012-07-12 07:53:28 UTC 
I have just taken over this package from orphaned state, and will be looking into this bug, and fixing it, soon.
Comment 2 Patrick Uiterwijk 2012-07-18 11:44:10 UTC 
The fix for this bug should be landing in updates-testing soon.
Comment 3 Fedora Update System 2012-07-18 11:59:26 UTC 
monkeysphere-0.35-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/monkeysphere-0.35-5.fc16
Comment 4 Fedora Update System 2012-07-18 11:59:43 UTC 
monkeysphere-0.35-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/monkeysphere-0.35-5.fc17
Comment 5 Fedora Update System 2012-07-19 08:59:31 UTC 
Package monkeysphere-0.35-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing monkeysphere-0.35-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10773/monkeysphere-0.35-5.fc16
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2012-07-27 09:54:15 UTC 
monkeysphere-0.35-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-07-27 09:54:52 UTC 
monkeysphere-0.35-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.