systemd 257.2
ssh generator supports undocumented ssh.ephemeral-authorized_keys-all
credential which is supposed to contain additional authorized keys:
"ExecStart=-%s -i -o \"AuthorizedKeysFile ${CREDENTIALS_DIRECTORY}/ssh.ephemeral-authorized_keys-all .ssh/authorized_keys\"\n"
"StandardInput=socket\n"
"ImportCredential=ssh.ephemeral-authorized_keys-all",
But it does not work with OpenSSH privilege separation because the
process that tries to verify the keys does not have access to the
imported credentials:
bor@tw:~> LC_TIME=en systemctl --no-pager --full status sshd@2-17440842\:22-2\:3906252923.service
● sshd@2-17440842:22-2:3906252923.service - OpenSSH Per-Connection Server Daemon (vsock:2:3906252923)
     Loaded: loaded (/etc/systemd/system/sshd@.service; static)
     Active: active (running) since Sat 2025-02-01 17:22:39 MSK; 3min 39s ago
 Invocation: c276a01b4d344578bb3c11c5b6d09b43
TriggeredBy: ● sshd-vsock.socket
       Docs: man:systemd-ssh-generator(8)
             man:sshd(8)
    Process: 3198 ExecStartPre=/usr/sbin/sshd-gen-keys-start (code=exited, status=0/SUCCESS)
    Process: 3201 ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS (code=exited, status=0/SUCCESS)
   Main PID: 3203 (sshd-session)
      Tasks: 0 (limit: 2323)
        CPU: 91ms
     CGroup: /system.slice/system-sshd.slice/sshd@2-17440842:22-2:3906252923.service
             ‣ 3203 "sshd-session: bor [priv]"
Feb 01 17:22:39 tw systemd[1]: Starting OpenSSH Per-Connection Server Daemon (vsock:2:3906252923)...
Feb 01 17:22:39 tw systemd[1]: Started OpenSSH Per-Connection Server Daemon (vsock:2:3906252923).
Feb 01 17:22:39 tw sshd-session[3203]: Could not open user 'bor' authorized keys '/run/credentials/sshd@2-17440842:22-2:3906252923.service/ssh.ephemeral-authorized_keys-all': Permission denied
Feb 01 17:22:39 tw sshd-session[3203]: Could not open user 'bor' authorized keys '/run/credentials/sshd@2-17440842:22-2:3906252923.service/ssh.ephemeral-authorized_keys-all': Permission denied
Feb 01 17:22:39 tw sshd-session[3203]: Accepted publickey for bor from UNKNOWN port 65535 ssh2: RSA SHA256:90LqSlBQcQiTR0jcqtBFvYa5UuMxV0rfP9ZcYM2tX54
Feb 01 17:22:39 tw sshd-session[3203]: pam_unix(sshd:session): session opened for user bor(uid=1001) by bor(uid=0)
bor@tw:~>
Yes, the directory exists and contains the correct content. And I can
ssh as root too. But the directory is accessible to root only:
bor@tw:~> LC_TIME=en ls -l /run/credentials/
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
total 0
drwx------ 2 root root 60 Feb 1 16:38 @system
dr-x------ 2 root root 40 Feb 1 16:39 getty@tty1.service
dr-x------ 2 root root 60 Feb 1 17:22 sshd@2-17440842:22-2:3906252923.service
dr-x------ 2 root root 40 Feb 1 16:38 systemd-journald.service
bor@tw:~>
Am I missing something?
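The log above shows the failure mode an operator should care about: sshd could not read the credential-backed AuthorizedKeysFile, yet the login was still accepted, because the key matched the second file in the list (.ssh/authorized_keys). The credential is therefore silently ignored rather than failing closed. The following is an added example, not code from the report, systemd or OpenSSH: a small journal scanner that pairs "Could not open ... authorized keys '/run/credentials/...'" lines with a later "Accepted publickey" line from the same sshd-session pid and user, so that logins that bypassed the configured credential show up. It assumes the journalctl-style line format seen in the report, that both messages carry the same sshd-session pid (as they do above), and that $CREDENTIALS_DIRECTORY lives under /run/credentials/. The sample log is constructed from the three lines in the report plus one made-up session (pid 3300, user "alice") that must not be flagged.

```python
"""Flag SSH logins that succeeded although the credential-backed
AuthorizedKeysFile could not be opened (added example, not from the report)."""
import re
from collections import defaultdict

# Constructed sample input: the three sshd-session lines from the report
# above, plus a made-up session (pid 3300, user "alice") that never touched
# a credentials path and must not be flagged.
SAMPLE_LOG = """\
Feb 01 17:22:39 tw sshd-session[3203]: Could not open user 'bor' authorized keys '/run/credentials/sshd@2-17440842:22-2:3906252923.service/ssh.ephemeral-authorized_keys-all': Permission denied
Feb 01 17:22:39 tw sshd-session[3203]: Could not open user 'bor' authorized keys '/run/credentials/sshd@2-17440842:22-2:3906252923.service/ssh.ephemeral-authorized_keys-all': Permission denied
Feb 01 17:22:39 tw sshd-session[3203]: Accepted publickey for bor from UNKNOWN port 65535 ssh2: RSA SHA256:90LqSlBQcQiTR0jcqtBFvYa5UuMxV0rfP9ZcYM2tX54
Feb 01 17:25:01 tw sshd-session[3300]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:constructedfingerprint
"""

# Assumption: $CREDENTIALS_DIRECTORY is placed under this root, as in the report.
CRED_ROOT = "/run/credentials/"

OPEN_FAIL = re.compile(
    r"sshd-session\[(?P<pid>\d+)\]: Could not open user '(?P<user>[^']+)' "
    r"authorized keys '(?P<path>[^']+)': (?P<err>.+)$")
ACCEPTED = re.compile(
    r"sshd-session\[(?P<pid>\d+)\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2: (?P<keytype>\S+) (?P<fp>\S+)")


def find_silent_fallbacks(log_text, cred_root=CRED_ROOT):
    """Return one finding per sshd-session pid that first failed to open a
    credential-backed authorized_keys file and then accepted a public key
    for the same user: that login was authorized by some other key source
    than the credential the unit was configured with."""
    failed = defaultdict(set)          # pid -> {(user, path, error)}
    findings = []
    for line in log_text.splitlines():
        m = OPEN_FAIL.search(line)
        if m:
            # Only failures on the credential path matter; a missing
            # ~/.ssh/authorized_keys is ordinary and not a finding.
            if m["path"].startswith(cred_root):
                failed[int(m["pid"])].add((m["user"], m["path"], m["err"]))
            continue
        m = ACCEPTED.search(line)
        if m:
            pid = int(m["pid"])
            hits = sorted(f for f in failed.get(pid, ()) if f[0] == m["user"])
            if hits:
                user, path, err = hits[0]
                findings.append({
                    "pid": pid,
                    "user": user,
                    "credential_path": path,
                    "error": err,
                    "source": f"{m['src']}:{m['port']}",
                    "fingerprint": m["fp"],
                })
    return findings


if __name__ == "__main__":
    for f in find_silent_fallbacks(SAMPLE_LOG):
        print(f"pid {f['pid']}: {f['user']} from {f['source']} accepted with "
              f"{f['fingerprint']} although {f['credential_path']} was "
              f"unreadable ({f['error']})")
```

Run against `journalctl -u 'sshd@*' -o short` output instead of the constructed sample to check a real host. A hit means the privilege-separated child (which, unlike the [priv] monitor, does not run as root) was denied the root-only credentials directory and the key was matched elsewhere; if the credential was meant to be the only source of keys, that login deserves a look.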