On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris <lists@xxxxxxxxxx> wrote:
> On Tue, Nov 16, 2010 at 09:12:17PM -0500, Kwan Lowe wrote:
>> When you first attempt to login, sshd is running as root. It needs to
>> look at your NFS mounted home directory (which is often set for no
>> root squash) to get the public key. But because it is no root squash,
>
> Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is
> normally the default) means that phase is run as the destination user
> and not as root.
To clarify, the sshd listener runs as root and then drops privileges
once the user is authenticated.. The issue is specifically the root
squash across NFS filesystems which is normally set to disable root
privs on the mount (that, and noexec). I.e., even root has no privs
to validate the shared key.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
