bugzilla-daemon at bugzilla.mindrot.org
2017-Feb-16 15:32 UTC
[Bug 2678] New: PubKey Authentication fails when more than one user/group ACL is set on any Path component to authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2678

            Bug ID: 2678
           Summary: PubKey Authentication fails when more than one user/group ACL is set on any Path component to authorized_keys
           Product: Portable OpenSSH
           Version: 5.3p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dario.vieli at swisscom.com

Created attachment 2944
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2944&action=edit
ssh client debug session - failure to login via pubKeyAuth

Overview:
PubKey Authentication fails when more than one user/group Filesystem ACL is set on any Path component to authorized_keys. Default ACLs are working fine.
This even applies, if the additional user/group ACL is the same as the current owner.
As soon as the additional user/group ACLs are removed, PubKey Auth works again.

Steps to reproduce:
$ setfacl -m 'user:alutools:rwx' /gmnt/var/alutoolbox
$ getfacl /gmnt/var/alutoolbox
getfacl: Removing leading '/' from absolute path names
# file: gmnt/var/alutoolbox
# owner: alutools
# group: alutools
user::rwx
user:alutools:rwx
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:extfran4:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

$ ls -la /gmnt/var/alutoolbox
total 23
drwxrwxr-x+  5 alutools alutools 4096 Feb 16 15:32 .
drwxr-xr-x  12 root     root     4096 Feb  2 16:16 ..
..
drwx------+  2 alutools alutools 4096 Feb 16 14:20 .ssh

$ ls -la /gmnt/var/alutoolbox/.ssh/authorized_keys
-rw-------+ 1 alutools alutools 794 Feb 16 14:29 /gmnt/var/alutoolbox/.ssh/authorized_keys

$ ssh -i path/to/key alutoolbox at localhost

Actual Results:
ssh fallback to password prompt after failed PubKey try (see debug.log attachment)

Expected Results:
ssh login with provided PubKey

Build Date & Hardware:
Thu 12 May 2016 06:52:35 AM CEST @ CentOS 6.8

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-19 05:30 UTC
[Bug 2678] PubKey Authentication fails when more than one user/group ACL is set on any Path component to authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2678

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Please record a debug trace from the server for a failed connection and attach it here. The client logs are not going to be of much use I'm afraid.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
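
A diagnostic for the setup described in this thread, added here as an example and not part of the bug report or of OpenSSH. It assumes, without the thread confirming it, that the failure comes from sshd's StrictModes check, which refuses a key file when the file or a directory up to the home directory is group- or other-writable; `check_component` and `check_key_path` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: walk from a key file up to the account's home directory and
# flag every component whose mode bits are group- or other-writable.
# On Linux, once a path has an extended POSIX ACL, the group bits shown by ls
# reflect the ACL mask, so a named user:...:rwx entry can make a directory
# look group-writable. Ownership is not checked here, only mode bits.

# check_component PATH: prints one verdict line, returns 1 if group/other-writable
check_component() {
    [ -e "$1" ] || { printf 'MISSING %s\n' "$1"; return 2; }
    mode=$(ls -ld -- "$1" | cut -c1-11)
    gw=$(printf '%s' "$mode" | cut -c6)     # group write bit (the mask, if an ACL is set)
    ow=$(printf '%s' "$mode" | cut -c9)     # other write bit
    acl=$(printf '%s' "$mode" | cut -c11)   # '+' marks an extended ACL
    note=""
    [ "$acl" = "+" ] && note=" (extended ACL present, inspect with getfacl)"
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        printf 'FAIL %s %s%s\n' "$mode" "$1" "$note"
        return 1
    fi
    printf 'ok   %s %s%s\n' "$mode" "$1" "$note"
    return 0
}

# check_key_path KEYFILE HOMEDIR: returns 0 only if every component passes
check_key_path() {
    p=$1; home=$2; rc=0
    while :; do
        check_component "$p" || rc=1
        [ "$p" = "$home" ] && break
        next=$(dirname "$p")
        [ "$next" = "$p" ] && break          # reached the root without meeting HOMEDIR
        p=$next
    done
    return $rc
}

# Usage: sh check.sh /gmnt/var/alutoolbox/.ssh/authorized_keys /gmnt/var/alutoolbox
if [ "$#" -eq 2 ]; then
    check_key_path "$1" "$2"
fi
```

A FAIL line on a component marked with an extended ACL points at the mask; comparing it with the server-side debug trace requested in comment #1 would show whether sshd rejected the same component.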