Bug #2098

users created by 'useradd -m' can't use ssh keys

Added by Piotr Jasiukajtis almost 8 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Low
Assignee: -
Category: OS/Net (Kernel and Userland)
Target version: -
Start date: 2012-02-09
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

Tested on oi_151a.
If a user was created by useradd -m, it's impossible to log in using an ssh key.

server# useradd -s /bin/bash -d /export/home/user4 -m user4
server# cp -r /export/home/user2/.ssh /export/home/user4/
server# passwd user4
New Password: 
Re-enter new Password: 
passwd: password successfully changed for user4

client:> ssh user4@remotehost
Password: 
Last login: Thu Feb  9 20:57:17 2012 from 10.10.10.123
OpenIndiana (powered by illumos)    SunOS 5.11    oi_151a    September 2011

client:> logout

server# zfs destroy rpool/export/home/user4
server# zfs create rpool/export/home/user4
server# cp -r /export/home/user2/.ssh /export/home/user4/

client:> ssh user4@remotehost
Last login: Thu Feb  9 20:57:17 2012 from 10.10.10.123
OpenIndiana (powered by illumos)    SunOS 5.11    oi_151a    September 2011
-bash-4.0$ 

History

#1

Updated by Piotr Jasiukajtis almost 8 years ago

The issue here is that 'useradd -m' sets incorrect group access mode for a user home directory.

A quick workaround:

chmod g-w /export/home/user4

#2

Updated by Rich Lowe almost 8 years ago

This works fine here, what's root's umask?

Anything in the way of inheritable ACLs may also matter, I guess.

#3

Updated by Rich Lowe almost 8 years ago

Yeah, we explicitly mkdir with 0775, but in general root's umask would mask off the group write bit.

I'm not immediately sure of why we would default group write though, so we probably should stop doing it anyway.

You may want to investigate why your root user has an unusually permissive umask, though.

#4

Updated by Rich Lowe almost 8 years ago

This is a bug in an OI modification:

http://hg.openindiana.org/sustaining/oi_151a/illumos-gate/rev/ab3ee8f52941

On line 98, S_IRWXG should not be included; chmod, of course, does not honour umask.
(the mkdir call is fine, but could perhaps be cleaned up too)

#5

Updated by Rich Lowe almost 8 years ago

  • Project changed from illumos gate to OpenIndiana Distribution
  • Category deleted (cmd - userland programs)

#6

Updated by Rich Lowe almost 8 years ago

  • Category set to OS/Net (Kernel and Userland)

#7

Updated by Albert Lee almost 8 years ago

If we want to be consistent:

mode_t cmask = umask(0);
(void) umask(cmask);
(Second call is because umask(0) has side effects, yuck).
...
chmod(... & ~cmask);

#8

Updated by Jon Tibble over 7 years ago

  • Status changed from New to Resolved

Fixed in prestable2
