openssh bugs - Feb 2017 - [Bug 2678] New: PubKey Authentication fails when more than one user/group ACL is set on any Path component to authorized_keys

https://bugzilla.mindrot.org/show_bug.cgi?id=2678

            Bug ID: 2678
           Summary: PubKey Authentication fails when more than one
                    user/group ACL is set on any Path component to
                    authorized_keys
           Product: Portable OpenSSH
           Version: 5.3p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dario.vieli at swisscom.com

Created attachment 2944
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2944&action=edit
ssh client debug session - failure to login via pubKeyAuth

Overview:
PubKey Authentication fails when more than one user/group Filesystem
ACL is set on any Path component to authorized_keys. Default ACLs are
working fine.
This even applies, if the additional user/group ACL is the same as the
current owner.
As soon as the additional user/group ACLs are removed, PubKey Auth
works again.

Steps to reproduce:
$ setfacl -m 'user:alutools:rwx' /gmnt/var/alutoolbox

$ getfacl /gmnt/var/alutoolbox
getfacl: Removing leading '/' from absolute path names
# file: gmnt/var/alutoolbox
# owner: alutools
# group: alutools
user::rwx
user:alutools:rwx
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:extfran4:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

$ ls -la /gmnt/var/alutoolbox
total 23
drwxrwxr-x+  5 alutools alutools 4096 Feb 16 15:32 .
drwxr-xr-x  12 root     root     4096 Feb  2 16:16 ..
..
drwx------+  2 alutools alutools 4096 Feb 16 14:20 .ssh

$ ls -la /gmnt/var/alutoolbox/.ssh/authorized_keys
-rw-------+ 1 alutools alutools 794 Feb 16 14:29
/gmnt/var/alutoolbox/.ssh/authorized_keys


$ ssh -i path/to/key alutoolbox at localhost

Actual Results:
ssh fallback to password prompt after failed PubKey try (see debug.log
attachment)

Expected Results:
ssh login with provided PubKey

Build Date & Hardware:
Thu 12 May 2016 06:52:35 AM CEST @ CentOS 6.8

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2678

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Please record a debug trace from the server for a failed connection and
attach it here. The client logs are not going to be of much use I'm
afraid.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.