After upgrading from F23 to F24, I'm having an issue with sudo and OpenSSH / ssh-agent based authentication. Whereas before I'd be able to sudo without a password with my ssh-agent credentials and ~/.ssh/authorized_keys (as set up in PAM), I'm now unable to do so. The logs show:

    Jun 23 10:18:57 loki sudo[4843]: Authentication refused: bad ownership or modes for file /home/leif/.ssh/authorized_keys
    Jun 23 10:18:57 loki sudo[4843]: Authentication refused: bad ownership or modes for file /home/leif/.ssh/authorized_keys
    Jun 23 10:18:57 loki sudo[4843]: Authentication refused: bad ownership or modes for file /home/leif/.ssh/authorized_keys
    Jun 23 10:18:57 loki sudo[4843]: Authentication refused: bad ownership or modes for file /home/leif/.ssh/authorized_keys

However, my dir and files are correct, I'm pretty sure:

    loki (10:19) 273/0 $ pwd
    /home/leif
    loki (10:19) 274/0 $ ls -ld .
    drwxr-xr-x 1 leif users 2910 Jun 21 23:35 ./
    loki (10:19) 275/0 $ ls -ld .ssh
    drwx------ 1 leif users 322 Jun 22 18:54 .ssh/
    loki (10:19) 276/0 $ ls -l .ssh/authorized_keys
    -rw------- 1 leif users 740 Dec 15 2010 .ssh/authorized_keys

My config for sudo in PAM is

    #%PAM-1.0
    auth       sufficient   pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
    auth       include      system-auth
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so revoke
    session    required     pam_limits.so
    session    include      system-auth
This looks like a pretty insecure setup. Do I see right that every user who stores his public key in his home directory can sudo? Nah ... there might be some more restrictions in the sudoers file, but still ... Never mind. This should certainly work according to the manual page, regardless of the option allow_user_owned_authorized_keys_file.

I see the same behavior and it looks like a bug. It is trying to check twice against the same user (root). Probably another use case we don't have a regression test for yet.

    Jun 24 08:50:44 f24 sudo[17756]: trying public key file /home/user/.ssh/authorized_keys
    Jun 24 08:50:44 f24 sudo[17756]: auth_secure_filename: checking for uid: 0
    Jun 24 08:50:44 f24 sudo[17756]: Authentication refused: bad ownership or modes for file /home/user/.ssh/authorized_keys
    Jun 24 08:50:44 f24 sudo[17756]: trying public key file /home/user/.ssh/authorized_keys
    Jun 24 08:50:44 f24 sudo[17756]: auth_secure_filename: checking for uid: 0
    Jun 24 08:50:44 f24 sudo[17756]: Authentication refused: bad ownership or modes for file /home/user/.ssh/authorized_keys

Reverting commit [1] will make it work again. Seems like there is some magic between the lines. I will check how we can do that better and issue an update soon. Thank you for the report.

[1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=ea9421342eb381aa43eafd95bef298cbc8979368
This is a bug in the patch [1] - you cannot call getpwuid twice and expect that the struct passwd returned from the first call will not be overwritten by the second call.
openssh-7.2p2-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-75bde9f07a
Thanks! And yes, I'm not recommending this setup, but in my case, this box has only one user in /home, me :).
Oh, and of course sudoers ACLs are still in place (I hope / assume), restricting who can sudo in the first place (I use the wheel group membership, that's how old I am).
openssh-7.2p2-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-75bde9f07a
openssh-7.2p2-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.