ssh sudo howto? or which home directory? [Was: Re: password prompt, but pki auth working!?...]



On 03/03/09 02:21, Greg Wooledge wrote:
> On Sat, Feb 28, 2009 at 03:13:06PM +1300, Morgan Read wrote:
>> So
>> Which environment variable does ssh use to determine where it looks for
>> its keys? I assumed it would be HOME, but under sudo HOME is set to
>> the home directory of the user executing sudo, not root's home.
>
> I happen to have 4.4p1 source lying about, so:
>
> pathnames.h:#define _PATH_SSH_CLIENT_ID_RSA ".ssh/id_rsa"
>
> readconf.c:
>         if (options->protocol & SSH_PROTO_2) {
>                 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
>                 options->identity_files[options->num_identity_files] =
>                     xmalloc(len);
>                 snprintf(options->identity_files[options->num_identity_files++],
>                     len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
>
>                 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
>                 options->identity_files[options->num_identity_files] =
>                     xmalloc(len);
>                 snprintf(options->identity_files[options->num_identity_files++],
>                     len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
>         }
>
> So, at this point there's a string that contains "~/.ssh/id_rsa".
>
> ssh.c:
>         if ((pw = getpwuid(original_real_uid)) == NULL)
>                 fatal("load_public_identity_files: getpwuid failed");
>         if (gethostname(thishost, sizeof(thishost)) == -1)
>                 fatal("load_public_identity_files: gethostname: %s",
>                     strerror(errno));
>         for (; i < options.num_identity_files; i++) {
>                 cp = tilde_expand_filename(options.identity_files[i],
>                     original_real_uid);
>
> where original_real_uid is set somewhere earlier in ssh.c. I won't
> try to track it down any further (especially since I'm looking at
> out-of-date sources), but it sure looks like it's evaluating the
> home directory based on the current uid or euid, rather than the
> contents of $HOME.


It appears none of the environment variables has any impact on where ssh
looks for its keys. In desperation I ran:
[rsync@ ~]$ sudo LOGNAME=rsync USERNAME=rsync USER=rsync UID=351 EUID=351 GID=351 EGID=351 ssh -vvv root@xxxxxxxxxxxxxxxxxxxxx
...
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
...

Still ssh looks for keys in /root/ and not /home/rsync/

[rsync@ ~]$ sudo LOGNAME=rsync USERNAME=rsync USER=rsync UID=351 EUID=351 GID=351 EGID=351 env
HOSTNAME=morgansmachine.lan
TERM=xterm
HISTSIZE=1000
QTDIR=/usr/lib/qt-3.3
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:do=00;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=00;32:*.tar=00;31:*.tgz=00;31:*.svgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.lzma=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.dz=00;31:*.gz=00;31:*.bz2=00;31:*.tbz2=00;31:*.bz=00;31:*.tz=00;31:*.deb=00;31:*.rpm=00;31:*.jar=00;31:*.rar=00;31:*.ace=00;31:*.zoo=00;31:*.cpio=00;31:*.7z=00;31:*.rz=00;31:*.jpg=00;35:*.jpeg=00;35:*.gif=00;35:*.bmp=00;35:*.pbm=00;35:*.pgm=00;35:*.ppm=00;35:*.tga=00;35:*.xbm=00;35:*.xpm=00;35:*.tif=00;35:*.tiff=00;35:*.png=00;35:*.mng=00;35:*.pcx=00;35:*.mov=00;35:*.mpg=00;35:*.mpeg=00;35:*.m2v=00;35:*.mkv=00;35:*.ogm=00;35:*.mp4=00;35:*.m4v=00;35:*.mp4v=00;35:*.vob=00;35:*.qt=00;35:*.nuv=00;35:*.wmv=00;35:*.asf=00;35:*.rm=00;35:*.rmvb=00;35:*.flc=00;35:*.avi=00;35:*.fli=00;35:*.gl=00;35:*.dl=00;35:*.xcf=00;35:*.xwd=00;35:*.yuv=00;35:*.svg=00;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:
MAIL=/var/spool/mail/rsync
LANG=en_NZ.UTF-8
HOME=/home/rsync
SHELL=/bin/bash
LOGNAME=rsync
USER=rsync
USERNAME=rsync
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
SUDO_COMMAND=/bin/env
SUDO_USER=rsync
SUDO_UID=351
SUDO_GID=351
EGID=351
GID=351
EUID=351
UID=351

And, this runs fine:
[rsync@ ~]$ ssh -vvv root@xxxxxxxxxxxxxxxxxxxxx
OpenSSH_5.1p1, OpenSSL 0.9.8g 19 Oct 2007
...
debug1: Next authentication method: publickey
debug1: Trying private key: /home/rsync/.ssh/identity
debug3: no such identity: /home/rsync/.ssh/identity
debug1: Trying private key: /home/rsync/.ssh/id_rsa
debug3: no such identity: /home/rsync/.ssh/id_rsa
debug1: Offering public key: /home/rsync/.ssh/id_dsa
debug3: send_pubkey_test
...


So, is there any other environment variable to try, and if not, where
does ssh derive its "home" directory from?

Many thanks,
Morgan.
PS. Here's the whole of the various permutations:
http://www.read.org.nz/SudoEnvSsh.txt

--
Getting errors: "There are problems with the signature" (or similar)?
Update your system by installing certificates from CAcert Inc, see here:
http://wiki.cacert.org/wiki/BrowserClients?#head-259758ec5ba51c5205cfb179cf60e0b54d9e378b
Or, if Internet Explorer is your default browser, simply click this link:
http://www.cacert.org/index.php?id=17

Morgan Read
NEW ZEALAND
<mailto:mstuffATreadDOTorgDOTnz>

fedora + freedom; fact || fiction?
http://fedoraproject.org/wiki/Overview
get freed-ora!
http://www.fsfla.org/svnwiki/selibre/linux-libre/freed-ora
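The answer is already in the 4.4p1 excerpt Greg quoted: the client builds the identity paths as "~/.ssh/id_rsa" and so on, then hands them to tilde_expand_filename() together with original_real_uid, and that function resolves "~" through getpwuid(), never through $HOME. The following is an added example, not code from this thread or from OpenSSH itself, that reimplements that expansion in plain C the way the OpenSSH function does it (passwd lookup by uid for "~", by user name for "~user") and prints which identity files a client running as the current real uid would try, whatever the environment says. The function names tilde_expand_filename, passwd_home and home_env_disagrees are my own; only the first mirrors an OpenSSH function of the same name.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Home directory of uid according to the passwd database, or NULL.
 * This is the lookup ssh does with getpwuid(original_real_uid). */
const char *passwd_home(uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    return pw ? pw->pw_dir : NULL;
}

/* Expand a leading "~" (home of uid) or "~user" (home of that user)
 * using the passwd database, as OpenSSH's tilde_expand_filename() does.
 * $HOME is never consulted. Returns a malloc()ed string, or NULL if the
 * user is unknown or the name is too long. Non-tilde paths are copied
 * through unchanged. */
char *tilde_expand_filename(const char *filename, uid_t uid)
{
    const char *rest;       /* the part after "~" or "~user" */
    const char *home;
    struct passwd *pw;
    char user[128];
    size_t namelen, len;
    char *out;

    if (filename[0] != '~') {
        len = strlen(filename) + 1;
        out = malloc(len);
        if (out != NULL)
            memcpy(out, filename, len);
        return out;
    }

    rest = strchr(filename, '/');
    if (rest == NULL)
        rest = filename + strlen(filename);     /* bare "~" or "~user" */

    namelen = (size_t)(rest - (filename + 1));   /* 0 for plain "~" */
    if (namelen == 0) {
        pw = getpwuid(uid);                      /* "~": home of uid */
    } else {
        if (namelen >= sizeof(user))
            return NULL;
        memcpy(user, filename + 1, namelen);
        user[namelen] = '\0';
        pw = getpwnam(user);                     /* "~user": that user's home */
    }
    if (pw == NULL)
        return NULL;
    home = pw->pw_dir;

    /* Avoid "//" when the passwd entry already ends in a slash. */
    if (home[0] != '\0' && home[strlen(home) - 1] == '/' && rest[0] == '/')
        rest++;

    len = strlen(home) + strlen(rest) + 1;
    out = malloc(len);
    if (out == NULL)
        return NULL;
    snprintf(out, len, "%s%s", home, rest);
    return out;
}

/* 1 if $HOME and the passwd home for uid differ, 0 if they agree,
 * -1 if either is unavailable. Under "sudo HOME=/home/rsync ssh ..."
 * this disagreement is why ssh still searches /root/.ssh. */
int home_env_disagrees(uid_t uid)
{
    const char *env_home = getenv("HOME");
    const char *pw_home = passwd_home(uid);
    if (env_home == NULL || pw_home == NULL)
        return -1;
    return strcmp(env_home, pw_home) != 0;
}

int main(void)
{
    /* ssh uses original_real_uid, i.e. the real uid, which sudo sets to 0. */
    uid_t uid = getuid();
    const char *ids[] = { "~/.ssh/identity", "~/.ssh/id_rsa", "~/.ssh/id_dsa" };
    size_t i;

    printf("real uid %lu, $HOME=%s, passwd home=%s, disagree=%d\n",
           (unsigned long)uid,
           getenv("HOME") ? getenv("HOME") : "(unset)",
           passwd_home(uid) ? passwd_home(uid) : "(no passwd entry)",
           home_env_disagrees(uid));
    for (i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        char *p = tilde_expand_filename(ids[i], uid);
        printf("Trying private key: %s\n", p ? p : "(expansion failed)");
        free(p);
    }
    return 0;
}
```

Compile with `cc -o tilde tilde.c`, run it once as yourself and once as `sudo HOME=/home/rsync ./tilde`: the second run reports root's passwd home and "disagree=1", because the real uid is 0 under sudo and getpwuid() never reads the environment. The practical consequence for the rsync case is that no environment variable can move the lookup; the key has to be named explicitly (`ssh -i /home/rsync/.ssh/id_dsa`, or an IdentityFile line in a config file passed with `-F`), or the ssh command has to run with the intended real uid (`sudo -u rsync ...`).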


