Bug 3048

Summary: ssh reads from the wrong directory in user namespace
Product: Portable OpenSSH
Reporter: hholst80
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: NEW
Severity: normal
CC: dtucker
Priority: P5
Version: 7.9p1
Hardware: amd64
OS: Linux

Description hholst80 2019-08-01 07:11:45 AEST
ssh(1) says that

     -i identity_file
             Selects a file from which the identity (private key) for public key authentication is read.  The default is ~/.ssh/id_dsa,
             ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa.  Identity files may also be specified on a per-host basis in the
             configuration file.  It is possible to have multiple -i options (and multiple identities specified in configuration files).
             If no certificates have been explicitly specified by the CertificateFile directive, ssh will also try to load certificate
             information from the filename obtained by appending -cert.pub to identity filenames.

but it seems it does something else

holst@hholst-lt:~$ unshare -r
root@hholst-lt:~# echo "~ expands to" ~ "and \$HOME is" $HOME
~ expands to /home/holst and $HOME is /home/holst
root@hholst-lt:~# ssh sdf.org
Could not create directory '/root/.ssh'.
load pubkey "/root/.ssh/id_rsa": Permission denied
load pubkey "/root/.ssh/id_rsa": Permission denied
load pubkey "/root/.ssh/id_dsa": Permission denied
load pubkey "/root/.ssh/id_dsa": Permission denied
load pubkey "/root/.ssh/id_ecdsa": Permission denied
load pubkey "/root/.ssh/id_ecdsa": Permission denied
load pubkey "/root/.ssh/id_ed25519": Permission denied
load pubkey "/root/.ssh/id_ed25519": Permission denied
load pubkey "/root/.ssh/id_xmss": Permission denied
load pubkey "/root/.ssh/id_xmss": Permission denied
The authenticity of host 'sdf.org (205.166.94.16)' can't be established.
ED25519 key fingerprint is SHA256:ZjwbO7AU8rHJExYrmZS2LqGZ7WfdoELfMrF54W92PYA.
Are you sure you want to continue connecting (yes/no)? n
Please type 'yes' or 'no': no
Host key verification failed.
root@hholst-lt:~#
Comment 1 Darren Tucker 2019-08-01 08:48:13 AEST
It uses the directory returned by the system's getpwnam(3) for the real userid of the ssh process.  Thus, if you are running it as root then it always looks in root's home directory.

https://github.com/openssh/openssh-portable/blob/master/ssh.c#L545

It's behaved like this for a long time.  I suspect its original intent was to prevent $HOME games in the case where the ssh binary was setuid, which was supported (although very infrequently actually used that way) up until recently.
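Added example (not part of the bug report or of OpenSSH's code): a small C program that resolves the home directory the way Comment 1 describes, from the passwd entry of the process's real uid via getpwuid(3), and reports whether that differs from $HOME. Run under `unshare -r` as in the description, it shows the /root versus /home/holst split; the function names home_from_passwd and homes_diverge are chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Home directory derived as ssh does it: from the passwd entry of the
 * process's real uid, never from $HOME.  Returns a malloc'd copy, or NULL
 * when the uid has no passwd entry.  (ssh itself refuses to run in that
 * case; this example just reports it.) */
char *home_from_passwd(void) {
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_dir == NULL)
        return NULL;
    return strdup(pw->pw_dir);
}

/* 1 when the environment's idea of home and the passwd entry's idea
 * differ (or either is missing), 0 when they agree.  Kept free of any
 * lookups so the rule can be checked with constructed values. */
int homes_diverge(const char *env_home, const char *pw_home) {
    if (env_home == NULL || pw_home == NULL)
        return 1;
    return strcmp(env_home, pw_home) != 0;
}

int main(void) {
    const char *env_home = getenv("HOME");
    char *pw_home = home_from_passwd();

    printf("real uid      : %u\n", (unsigned)getuid());
    printf("$HOME         : %s\n", env_home ? env_home : "(unset)");
    printf("getpwuid home : %s\n", pw_home ? pw_home : "(no passwd entry)");

    /* This is the situation in the report: uid 0 inside the user
     * namespace, so the passwd lookup yields /root while $HOME is still
     * the unprivileged user's directory. */
    if (homes_diverge(env_home, pw_home))
        printf("ssh would read keys from %s/.ssh, not from $HOME/.ssh\n",
               pw_home ? pw_home : "(no passwd entry)");
    else
        printf("$HOME and the passwd entry agree; key lookup is unaffected\n");

    free(pw_home);
    return 0;
}
```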
Comment 2 hholst80 2019-08-01 21:10:05 AEST
Would a patch that changes this behavior be accepted as a fix? To use the environment variable I mean?