ssh sudo howto? or which home directory? [Was: Re: password prompt, but pki auth working!?...]

On 03/03/09 02:21, Greg Wooledge wrote:
> On Sat, Feb 28, 2009 at 03:13:06PM +1300, Morgan Read wrote:
>> So
>> Which environment variable does ssh use to determine where it looks for
>> its keys?  I assumed it would be HOME, but under sudo HOME is set to
>> the home directory of the user executing sudo not root's home.
> 
> I happen to have 4.4p1 source lying about, so:
> 
> pathnames.h:#define _PATH_SSH_CLIENT_ID_RSA             ".ssh/id_rsa"
> 
> readconf.c:
>                 if (options->protocol & SSH_PROTO_2) {
>                         len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
>                         options->identity_files[options->num_identity_files] =
>                             xmalloc(len);
>                         snprintf(options->identity_files[options->num_identity_files++],
>                             len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
> 
>                         len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
>                         options->identity_files[options->num_identity_files] =
>                             xmalloc(len);
>                         snprintf(options->identity_files[options->num_identity_files++],
>                             len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
>                 }
> 
> So, at this point there's a string that contains "~/.ssh/id_rsa".
> 
> ssh.c:
>         if ((pw = getpwuid(original_real_uid)) == NULL)
>                 fatal("load_public_identity_files: getpwuid failed");
>         if (gethostname(thishost, sizeof(thishost)) == -1)
>                 fatal("load_public_identity_files: gethostname: %s",
>                     strerror(errno));
>         for (; i < options.num_identity_files; i++) {
>                 cp = tilde_expand_filename(options.identity_files[i],
>                     original_real_uid);
> 
> where original_real_uid is set somewhere earlier in ssh.c.  I won't
> try to track it down any further (especially since I'm looking at
> out-of-date sources), but it sure looks like it's evaluating the
> home directory based on the current uid or euid, rather than the
> contents of $HOME.


It appears none of the environment variables has any impact on where ssh
looks for its keys.  In desperation I ran:
[rsync@ ~]$ sudo LOGNAME=rsync USERNAME=rsync USER=rsync UID=351
EUID=351 GID=351 EGID=351 ssh -vvv root@xxxxxxxxxxxxxxxxxxxxx
...
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
...

Still ssh looks for keys in /root/ and not /home/rsync/

[rsync@ ~]$ sudo LOGNAME=rsync USERNAME=rsync USER=rsync UID=351
EUID=351 GID=351 EGID=351 env
HOSTNAME=morgansmachine.lan
TERM=xterm
HISTSIZE=1000
QTDIR=/usr/lib/qt-3.3
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:do=00;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=00;32:*.tar=00;31:*.tgz=00;31:*.svgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.lzma=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.dz=00;31:*.gz=00;31:*.bz2=00;31:*.tbz2=00;31:*.bz=00;31:*.tz=00;31:*.deb=00;31:*.rpm=00;31:*.jar=00;31:*.rar=00;31:*.ace=00;31:*.zoo=00;31:*.cpio=00;31:*.7z=00;31:*.rz=00;31:*.jpg=00;35:*.jpeg=00;35:*.gif=00;35:*.bmp=00;35:*.pbm=00;35:*.pgm=00;35:*.ppm=00;35:*.tga=00;35:*.xbm=00;35:*.xpm=00;35:*.tif=00;35:*.tiff=00;35:*.png=00;35:*.mng=00;35:*.pcx=00;35:*.mov=00;35:*.mpg=00;35:*.mpeg=00;35:*.m2v=00;35:*.mkv=00;35:*.ogm=00;35:*.mp4=00;35:*.m4v=00;35:*.mp4v=00;35:*.vob=00;35:*.qt=00;35:*.nuv=00;35:*.wmv=00;35:*.asf=00;35:*.rm=00;35:*.rmvb=00;35:*.flc=00;35:*.avi=00;35:*.fli=00;35:*.gl=00;35:*.dl=00;35:*.xcf=00;35:*.xwd=00;35:*.yuv=00;35:*.svg=00;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:
MAIL=/var/spool/mail/rsync
LANG=en_NZ.UTF-8
HOME=/home/rsync
SHELL=/bin/bash
LOGNAME=rsync
USER=rsync
USERNAME=rsync
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
SUDO_COMMAND=/bin/env
SUDO_USER=rsync
SUDO_UID=351
SUDO_GID=351
EGID=351
GID=351
EUID=351
UID=351

And, this runs fine:
[rsync@ ~]$ ssh -vvv root@xxxxxxxxxxxxxxxxxxxxx
OpenSSH_5.1p1, OpenSSL 0.9.8g 19 Oct 2007
...
debug1: Next authentication method: publickey
debug1: Trying private key: /home/rsync/.ssh/identity
debug3: no such identity: /home/rsync/.ssh/identity
debug1: Trying private key: /home/rsync/.ssh/id_rsa
debug3: no such identity: /home/rsync/.ssh/id_rsa
debug1: Offering public key: /home/rsync/.ssh/id_dsa
debug3: send_pubkey_test
...


So, is there any other environment variable to try, and if not, where
does ssh derive its "home" directory from?

Many thanks,
Morgan.
PS.  Here's the whole of the various permutations:
http://www.read.org.nz/SudoEnvSsh.txt

-- 
Getting errors: "There are problems with the signature" (or similar)?
Update your system by installing certificates from CAcert Inc, see here:
http://wiki.cacert.org/wiki/BrowserClients?#head-259758ec5ba51c5205cfb179cf60e0b54d9e378b
Or, if Internet Explorer is your default browser, simply click this link:
http://www.cacert.org/index.php?id=17

Morgan Read
NEW ZEALAND
<mailto:mstuffATreadDOTorgDOTnz>

fedora + freedom; fact || fiction?
http://fedoraproject.org/wiki/Overview
get freed-ora!
http://www.fsfla.org/svnwiki/selibre/linux-libre/freed-ora
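The excerpt Greg quoted shows the mechanism behind the observed behaviour: ssh resolves "~/.ssh/id_rsa" through getpwuid() on the real uid, so under sudo the key path follows root's passwd entry no matter what HOME, USER or UID say in the environment. The following C program is an added illustration of that distinction, written for this archive and not taken from OpenSSH or the thread; the function names are hypothetical, and expand_tilde_with_home() only handles a leading "~/" (OpenSSH's tilde_expand_filename() also handles "~user/"). It resolves the same identity path once from the passwd database and once from $HOME, and reports whether the two disagree.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Expand a leading "~/" in path against an explicit home directory.
 * Paths that do not start with "~/" are returned unchanged (copied).
 * Returns a malloc'd string the caller frees, or NULL on error.
 * Hypothetical helper, not OpenSSH's tilde_expand_filename(); it
 * only handles "~/", not "~user/". */
char *expand_tilde_with_home(const char *path, const char *home)
{
    if (path == NULL || home == NULL)
        return NULL;
    const char *rest = (strncmp(path, "~/", 2) == 0) ? path + 2 : NULL;
    size_t len = rest ? strlen(home) + 1 + strlen(rest) + 1
                      : strlen(path) + 1;
    char *out = malloc(len);
    if (out == NULL)
        return NULL;
    if (rest)
        snprintf(out, len, "%s/%s", home, rest);
    else
        snprintf(out, len, "%s", path);
    return out;
}

/* What ssh does: look the uid up in the passwd database and use its
 * pw_dir. Environment variables play no part in this lookup. */
char *expand_tilde_for_uid(const char *path, uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        return NULL;
    return expand_tilde_with_home(path, pw->pw_dir);
}

/* What the poster expected: honour $HOME. */
char *expand_tilde_from_env(const char *path)
{
    return expand_tilde_with_home(path, getenv("HOME"));
}

/* 1 if the passwd-based and $HOME-based answers differ for the calling
 * uid, 0 if they agree, -1 if either could not be resolved. */
int identity_path_mismatch(const char *path)
{
    char *by_uid = expand_tilde_for_uid(path, getuid());
    char *by_env = expand_tilde_from_env(path);
    int result = -1;
    if (by_uid != NULL && by_env != NULL)
        result = (strcmp(by_uid, by_env) != 0);
    free(by_uid);
    free(by_env);
    return result;
}

int main(void)
{
    const char *id = "~/.ssh/id_rsa";
    char *by_uid = expand_tilde_for_uid(id, getuid());
    char *by_env = expand_tilde_from_env(id);
    printf("uid %lu -> passwd home: %s\n", (unsigned long)getuid(),
           by_uid ? by_uid : "(no passwd entry)");
    printf("$HOME            -> %s\n", by_env ? by_env : "(HOME unset)");
    if (identity_path_mismatch(id) == 1)
        printf("mismatch: ssh would read %s, not %s\n", by_uid, by_env);
    free(by_uid);
    free(by_env);
    return 0;
}
```

Run it once as the rsync user and once as `sudo HOME=/home/rsync ./a.out`: the first line follows the uid (root's /root under sudo), the second follows the environment, and only the first is the path ssh will actually open. Because the lookup is keyed on the uid, the practical fix is to name the key explicitly with `ssh -i /home/rsync/.ssh/id_dsa` (or an IdentityFile line in root's ssh config), or to give root its own key under /root/.ssh, rather than trying to steer ssh through the environment.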
