Bug 2678

Summary: PubKey Authentication fails when more than one user/group ACL is set on any Path component to authorized_keys
Product: Portable OpenSSH
Reporter: Dario Vieli <dario.vieli>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: NEW
Severity: minor
CC: djm
Priority: P5
Version: 5.3p1
Hardware: amd64
OS: Linux

Attachments:
ssh client debug session - failure to login via pubKeyAuth (attachment 2944, flags: none)

Description Dario Vieli 2017-02-17 02:32:35 AEDT
Created attachment 2944
ssh client debug session - failure to login via pubKeyAuth

Overview:
PubKey authentication fails when more than one user/group filesystem ACL is set on any path component to authorized_keys. Default ACLs are working fine.
This even applies if the additional user/group ACL is the same as the current owner.
As soon as the additional user/group ACLs are removed, PubKey auth works again.

Steps to reproduce:
$ setfacl -m 'user:alutools:rwx' /gmnt/var/alutoolbox

$ getfacl /gmnt/var/alutoolbox
getfacl: Removing leading '/' from absolute path names
# file: gmnt/var/alutoolbox
# owner: alutools
# group: alutools
user::rwx
user:alutools:rwx
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:extfran4:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

$ ls -la /gmnt/var/alutoolbox
total 23
drwxrwxr-x+  5 alutools alutools 4096 Feb 16 15:32 .
drwxr-xr-x  12 root     root     4096 Feb  2 16:16 ..
..
drwx------+  2 alutools alutools 4096 Feb 16 14:20 .ssh

$ ls -la /gmnt/var/alutoolbox/.ssh/authorized_keys
-rw-------+ 1 alutools alutools 794 Feb 16 14:29 /gmnt/var/alutoolbox/.ssh/authorized_keys


$ ssh -i path/to/key alutoolbox@localhost

Actual Results:
ssh falls back to the password prompt after the failed PubKey attempt (see debug.log attachment)

Expected Results:
ssh logs in with the provided PubKey

Build Date & Hardware:
Thu 12 May 2016 06:52:35 AM CEST @ CentOS 6.8
Comment 1 Damien Miller 2019-07-19 15:30:29 AEST
Please record a debug trace from the server for a failed connection and attach it here. The client logs are not going to be of much use I'm afraid.
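The check the reporter is tripping over is the StrictModes walk sshd performs before it will read authorized_keys: the key file and every parent directory up to and including the home directory must be owned by root or by the user, and must have no group or other write bit (st_mode & 022 == 0). The ACL connection is that, on a file carrying an extended POSIX ACL, the group bits stat() reports are the ACL mask, and `setfacl -m user:NAME:rwx` recalculates the mask to rwx unless `-n` is given; that is why the home directory appears as `drwxrwxr-x+` in the report, and a plain stat()-based check sees a group-writable directory even though no group entry grants write. Keeping the mask at r-x (`setfacl -m mask::r-x DIR`, or adding entries with `setfacl -n`) avoids that. The script below is an added example written for this page, not sshd's own code; it reimplements the walk so the failing component can be found locally on the server without a debug trace, and assumes GNU stat(1) with `-c`. Run as shown in the trailing comment, it reports the same kind of "bad ownership or modes" diagnosis that a server-side `sshd -d` trace would log.

```shell
#!/bin/sh
# Added example for this bug report (not sshd's own code): reproduce the
# StrictModes path check that decides whether authorized_keys is accepted.
# Rules mirrored here: every component from the key file up to and including
# the home directory must be owned by root or by the user, and must have no
# group/other write bit set (st_mode & 022 == 0). Assumes GNU stat(1) -c.
#
# With a POSIX ACL present, stat's group bits are the ACL mask, so a mask of
# rwx (what `setfacl -m user:NAME:rwx` produces by default) shows up here as
# mode 775 and fails the check even if no group entry grants write.

# check_path_modes UID KEYFILE HOMEDIR
#   Prints one diagnostic per offending component; returns 0 if the whole
#   path passes, 1 if any component would be rejected.
check_path_modes() {
    uid="$1"
    keyfile="$2"
    home="$3"
    rc=0

    # The key file itself must be a regular file (symlinks are followed).
    if [ ! -f "$keyfile" ]; then
        echo "$keyfile is not a regular file"
        return 1
    fi

    comp="$keyfile"
    while :; do
        owner=$(stat -c '%u' "$comp") || return 1
        mode=$(stat -c '%a' "$comp") || return 1
        if [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ]; then
            echo "bad ownership for $comp (owner uid $owner, want 0 or $uid)"
            rc=1
        elif [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "bad modes for $comp (mode $mode: group/other write set)"
            rc=1
        fi
        # sshd stops once it has checked the home directory (or reaches /).
        if [ "$comp" = "$home" ] || [ "$comp" = "/" ]; then
            break
        fi
        comp=$(dirname "$comp")
    done
    return "$rc"
}

# Example invocation against the paths from the report (run on the server):
#   check_path_modes "$(id -u alutools)" \
#       /gmnt/var/alutoolbox/.ssh/authorized_keys /gmnt/var/alutoolbox
```

The walk stops at the home directory deliberately: directories above it (such as a sticky, world-writable /tmp in a test tree) are not part of what sshd inspects, so a permissive parent of the home directory does not by itself explain a refusal.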