
ssh sudo howto? or which home directory? [Was: Re: password prompt, but pki auth working!?...]
On 03/03/09 02:21, Greg Wooledge wrote:
> On Sat, Feb 28, 2009 at 03:13:06PM +1300, Morgan Read wrote:
>> So
>> Which environment variable does ssh use to determine where it looks for
>> its keys? I assumed it would be HOME, but under sudo HOME is set to
>> the home directory of the user executing sudo not root's home.
>
> I happen to have 4.4p1 source lying about, so:
>
> pathnames.h:#define _PATH_SSH_CLIENT_ID_RSA ".ssh/id_rsa"
>
> readconf.c:
>     if (options->protocol & SSH_PROTO_2) {
>         len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
>         options->identity_files[options->num_identity_files] =
>             xmalloc(len);
>         snprintf(options->identity_files[options->num_identity_files++],
>             len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
>
>         len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
>         options->identity_files[options->num_identity_files] =
>             xmalloc(len);
>         snprintf(options->identity_files[options->num_identity_files++],
>             len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
>     }
>
> So, at this point there's a string that contains "~/.ssh/id_rsa".
>
> ssh.c:
>     if ((pw = getpwuid(original_real_uid)) == NULL)
>         fatal("load_public_identity_files: getpwuid failed");
>     if (gethostname(thishost, sizeof(thishost)) == -1)
>         fatal("load_public_identity_files: gethostname: %s",
>             strerror(errno));
>     for (; i < options.num_identity_files; i++) {
>         cp = tilde_expand_filename(options.identity_files[i],
>             original_real_uid);
>
> where original_real_uid is set somewhere earlier in ssh.c. I won't
> try to track it down any further (especially since I'm looking at
> out-of-date sources), but it sure looks like it's evaluating the
> home directory based on the current uid or euid, rather than the
> contents of $HOME.


It appears none of the environment variables has any impact on where ssh
looks for its keys. In desperation I ran:
[rsync@ ~]$ sudo LOGNAME=rsync USERNAME=rsync USER=rsync UID=351
EUID=351 GID=351 EGID=351 ssh -vvv root@morgansoldmachine.lan
...
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
...

Still ssh looks for keys in /root/ and not /home/rsync/

[rsync@ ~]$ sudo LOGNAME=rsync USERNAME=rsync USER=rsync UID=351
EUID=351 GID=351 EGID=351 env
HOSTNAME=morgansmachine.lan
TERM=xterm
HISTSIZE=1000
QTDIR=/usr/lib/qt-3.3
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:do=00;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=00;32:*.tar=00;31:*.tgz=00;31:*.svgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.lzma=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.dz=00;31:*.gz=00;31:*.bz2=00;31:*.tbz2=00;31:*.bz=00;31:*.tz=00;31:*.deb=00;31:*.rpm=00;31:*.jar=00;31:*.rar=00;31:*.ace=00;31:*.zoo=00;31:*.cpio=00;31:*.7z=00;31:*.rz=00;31:*.jpg=00;35:*.jpeg=00;35:*.gif=00;35:*.bmp=00;35:*.pbm=00;35:*.pgm=00;35:*.ppm=00;35:*.tga=00;35:*.xbm=00;35:*.xpm=00;35:*.tif=00;35:*.tiff=00;35:*.png=00;35:*.mng=00;35:*.pcx=00;35:*.mov=00;35:*.mpg=00;35:*.mpeg=00;35:*.m2v=00;35:*.mkv=00;35:*.ogm=00;35:*.mp4=00;35:*.m4v=00;35:*.mp4v=00;35:*.vob=00;35:*.qt=00;35:*.nuv=00;35:*.wmv=00;35:*.asf=00;35:*.rm=00;35:*.rmvb=00;35:*.flc=00;35:*.avi=00;35:*.fli=00;35:*.gl=00;35:*.dl=00;35:*.xcf=00;35:*.xwd=00;35:*.yuv=00;35:*.svg=00;35:*.aac=00;36:*.au=00;36:*.flac=00;3
6:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:
MAIL=/var/spool/mail/rsync
LANG=en_NZ.UTF-8
HOME=/home/rsync
SHELL=/bin/bash
LOGNAME=rsync
USER=rsync
USERNAME=rsync
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
SUDO_COMMAND=/bin/env
SUDO_USER=rsync
SUDO_UID=351
SUDO_GID=351
EGID=351
GID=351
EUID=351
UID=351

And, this runs fine:
[rsync@ ~]$ ssh -vvv root@morgansoldmachine.lan
OpenSSH_5.1p1, OpenSSL 0.9.8g 19 Oct 2007
...
debug1: Next authentication method: publickey
debug1: Trying private key: /home/rsync/.ssh/identity
debug3: no such identity: /home/rsync/.ssh/identity
debug1: Trying private key: /home/rsync/.ssh/id_rsa
debug3: no such identity: /home/rsync/.ssh/id_rsa
debug1: Offering public key: /home/rsync/.ssh/id_dsa
debug3: send_pubkey_test
...


So, is there any other environment variable to try, and if not, where
does ssh derive its "home" directory from?

Many thanks,
Morgan.
PS. Here's the whole of the various permutations:
http://www.read.org.nz/SudoEnvSsh.txt

--
Getting errors: "There are problems with the signature" (or similar)?
Update your system by installing certificates from CAcert Inc, see here:
http://wiki.cacert.org/wiki/BrowserClients?#head-259758ec5ba51c5205cfb179cf60e0b54d9e378b
Or, if Internet Explorer is your default browser, simply click this link:
http://www.cacert.org/index.php?id=17

Morgan Read
NEW ZEALAND
<mailto:mstuffATreadDOTorgDOTnz>

fedora + freedom; fact || fiction?
http://fedoraproject.org/wiki/Overview
get freed-ora!
http://www.fsfla.org/svnwiki/selibre/linux-libre/freed-ora
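To make Greg's point concrete (the expansion of "~/" in a default identity path comes from the passwd entry of the real uid, not from $HOME), here is a small C program that is an added example, not code from the thread or from OpenSSH: it carries out the same expansion two ways and prints both, so running it plain and then under sudo shows why the debug output above went to /root/.ssh even with HOME=/home/rsync exported. The function names are my own, not OpenSSH's.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() and getpwuid() */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Expand a leading "~/" (or a bare "~") against the given home directory.
 * Returns a malloc'd string the caller frees; "~user/..." is not handled. */
char *tilde_expand_with_home(const char *path, const char *home)
{
    if (path == NULL || home == NULL) return NULL;
    if (path[0] != '~')
        return strdup(path);                 /* absolute or relative: as is */
    if (path[1] != '/' && path[1] != '\0')
        return NULL;                         /* "~user/..." not handled */
    size_t hlen = strlen(home);
    while (hlen > 1 && home[hlen - 1] == '/') /* avoid "/root//.ssh" */
        hlen--;
    const char *rest = path + 1;             /* "/.ssh/id_rsa" or "" */
    char *out = malloc(hlen + strlen(rest) + 1);
    if (out == NULL) return NULL;
    memcpy(out, home, hlen);
    strcpy(out + hlen, rest);
    return out;
}

/* What ssh does: take the home directory from the uid's passwd entry, so
 * HOME=/home/rsync in the environment changes nothing. */
char *tilde_expand_for_uid(const char *path, uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL || pw->pw_dir == NULL) return NULL;
    return tilde_expand_with_home(path, pw->pw_dir);
}

int main(void)
{
    const char *id = "~/.ssh/id_rsa";
    const char *env_home = getenv("HOME");
    char *by_env = env_home ? tilde_expand_with_home(id, env_home) : NULL;
    char *by_uid = tilde_expand_for_uid(id, getuid());  /* under sudo: uid 0 */
    printf("real uid %u\n", (unsigned)getuid());
    printf("from $HOME:  %s\n", by_env ? by_env : "(HOME unset)");
    printf("from passwd: %s\n", by_uid ? by_uid : "(no passwd entry)");
    free(by_env); free(by_uid);
    return 0;
}
```

Under sudo the real uid is 0, so the second line prints root's directory whatever HOME was set to on the sudo command line.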
Re: ssh sudo howto? or which home directory? [Was: Re: password prompt, but pki auth working!?...]
On Sun, Mar 08, 2009 at 11:20:09PM +1300, Morgan Read wrote:
> On 03/03/09 02:21, Greg Wooledge wrote:
> > where original_real_uid is set somewhere earlier in ssh.c. I won't
> > try to track it down any further (especially since I'm looking at
> > out-of-date sources), but it sure looks like it's evaluating the
> > home directory based on the current uid or euid, rather than the
> > contents of $HOME.
>
> It appears none of the environment variables has any impact on where ssh
> looks for its keys.

I think that's what Greg just told you. :)

But I have to ask, if the rsync user's keys are the ones you're trying
to use, and the remote root user has those keys in its authorized_keys
file, why are you bothering with the sudo? If it's because you need
root permissions for the local end of the process, then it seems like
the right thing to do is use root's keys, or have the sudo process
load the rsync user's keys by specifying the identity on the ssh
command line. (It's also possible to play games with ssh-agent, but I
won't go there.) If you specify the key to use outright, there's no
confusion about which key will be tried...

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
Re: ssh sudo howto? or which home directory? [Was: Re: password prompt, but pki auth working!?...]
On 12/03/09 06:23, Derek Martin wrote:
> On Sun, Mar 08, 2009 at 11:20:09PM +1300, Morgan Read wrote:
>> On 03/03/09 02:21, Greg Wooledge wrote:
>>> where original_real_uid is set somewhere earlier in ssh.c. I won't
>>> try to track it down any further (especially since I'm looking at
>>> out-of-date sources), but it sure looks like it's evaluating the
>>> home directory based on the current uid or euid, rather than the
>>> contents of $HOME.
>> It appears none of the environment variables has any impact on where ssh
>> looks for its keys.
>
> I think that's what Greg just told you. :)
Hmm, oh well... I figured he meant to set $UID or $EUID as an
environment variable. Never mind...

> But I have to ask, if the rsync user's keys are the ones you're trying
> to use, and the remote root user has those keys in its authorized_keys
> file, why are you bothering with the sudo? If it's because you need
> root permissions for the local end of the process, then it seems like
> the right thing to do is use root's keys, or have the sudo process
Well, that would kind of defeat the whole purpose of setting up the
rsync account - which was to avoid having root and all its privileges
accessible from another machine without any further authentication. I
just wanted one particular service accessible with those privileges.

> load the rsync user's keys by specifying the identity on the ssh
I guess that was the bit of sage advice that's shone some light into the
dark hole I've been floundering around in! Thanks!!!

[rsync@morgansmachine ~]$ sudo ssh -i /home/rsync/.ssh/id_dsa -vvv
root@morgansoldmachine
...
debug1: Next authentication method: publickey
debug1: Offering public key: /home/rsync/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 434
debug2: input_userauth_pk_ok: fp
d5:bf:66:35:9a:50:0d:7e:d2:fa:ec:05:c8:bb:d0:20
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).

Happiness:))


[root@morgansoldmachine ~]# ssh -t rsync@morgansmachine sudo ssh -i
/home/rsync/.ssh/id_dsa root@morgansoldmachine
Last login: Sun Mar 22 10:55:41 2009 from morgansmachine.lan
[root@morgansoldmachine ~]# logout

Connection to morgansoldmachine closed.
Connection to morgansmachine closed.
[root@morgansoldmachine ~]#

Works
But yet:
[root@morgansoldmachine ~]# ssh -t rsync@morgansmachine sudo rsync -n
--rsh=’/usr/bin/ssh -i /home/rsync/.ssh/id_dsa’ /etc
root@morgansoldmachine:/media/bigdisk/morgansmachine/etc
rsync: Failed to exec \#342\#200\#231/usr/bin/ssh: No such file or
directory (2)
rsync error: error in IPC code (code 14) at pipe.c(84) [sender=3.0.5]
rsync: writefd_unbuffered failed to write 4 bytes [sender]: Broken pipe (32)
rsync error: error in IPC code (code 14) at io.c(1509) [sender=3.0.5]
Connection to morgansmachine closed.
[root@morgansoldmachine ~]#

Doesn't work...
Oh well, I guess that's for another list...


Thanks,
Morgan.