I'm attempting to get RSA authentication to work with OpenAFS. This requires placing the RSA key outside of AFS, and thus outside the user's home directory. I used the line

AuthorizedKeysFile /home/%u/.ssh/authorized_keys

to move the file out of the AFS home directory and into an "ssh only" directory such that it can be accessed by sshd without AFS tokens. This ends up failing however, with this debug output (from sshd -d):

debug1: userauth-request for user (username) service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1359/10 (e=0)
debug1: trying public key file /home/(username)/.ssh/authorized_keys
Authentication refused: realpath /afs/ic-afs.arc.nasa.gov/admin/(username) failed: Permission denied

Apparently OpenSSH is stat'ing the home directory, despite the fact that the files it should need are in another directory. When using AFS, the home directory will not be accessible until the login has gone through PAM and obtained a token. Is this not possible for a reason, e.g. security, or is there the potential to change this?
AuthorizedKeysFile /etc/ssh/keys/%u does not access $HOME for me.
Oh, I see, auth.c uses realpath(pw->pw_dir) to compare it against the configured path. Perhaps drop the check against homedir if realpath(pw->pw_dir) fails?
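Added example, written for this page and not taken from OpenSSH's auth.c or from any participant in the thread: a stand-alone re-implementation of the kind of "secure path" walk the first comment's debug output and the third comment describe. sshd resolves the key file with realpath(), then walks its parent directories upward, refusing the file if any component is not owned by root or the user or is group/world-writable, and stops the walk when it reaches the user's home directory. The failure in the report comes from resolving the home directory itself; here, following the suggestion in the comment above, a failing realpath(homedir) only means the walk cannot stop there and continues to "/". All function names (check_component, check_authorized_keys_path, demo_result) are made up, the scratch directory tree under /tmp is constructed test data, and the behaviour is an assumption about the check, not a description of any particular OpenSSH release.

```c
#define _GNU_SOURCE          /* for realpath() and mkdtemp() under strict -std */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One path component must be owned by root or the user and must not be
 * group- or world-writable. Returns 0 if acceptable, -1 with a reason in err. */
static int check_component(const char *path, uid_t uid, int want_dir,
                           char *err, size_t errlen)
{
    struct stat st;
    if (stat(path, &st) != 0) {
        snprintf(err, errlen, "stat %s failed: %s", path, strerror(errno));
        return -1;
    }
    if (want_dir ? !S_ISDIR(st.st_mode) : !S_ISREG(st.st_mode)) {
        snprintf(err, errlen, "%s has the wrong file type", path);
        return -1;
    }
    if ((st.st_uid != 0 && st.st_uid != uid) || (st.st_mode & 022) != 0) {
        snprintf(err, errlen, "bad ownership or modes for %s", path);
        return -1;
    }
    return 0;
}

/* Returns 0 if keyfile is acceptable, -1 if refused (reason in err).
 * *home_skipped becomes 1 when homedir could not be resolved; the walk then
 * continues up to "/" instead of stopping at the home directory. */
int check_authorized_keys_path(const char *keyfile, const char *homedir, uid_t uid,
                               int *home_skipped, char *err, size_t errlen)
{
    char cwd[PATH_MAX], home[PATH_MAX];
    int comparehome = 0;

    *home_skipped = 0;
    if (realpath(keyfile, cwd) == NULL) {
        snprintf(err, errlen, "realpath %s failed: %s", keyfile, strerror(errno));
        return -1;
    }
    /* The thread's proposal: a failing realpath(pw->pw_dir), e.g. an AFS home
     * with no token yet, is not fatal; it just cannot be where the walk stops. */
    if (realpath(homedir, home) != NULL)
        comparehome = 1;
    else
        *home_skipped = 1;
    if (check_component(cwd, uid, 0, err, errlen) != 0)
        return -1;
    for (;;) {                         /* walk up one directory at a time */
        char *slash = strrchr(cwd, '/');
        if (slash == cwd)
            cwd[1] = '\0';             /* reached "/" */
        else
            *slash = '\0';
        if (check_component(cwd, uid, 1, err, errlen) != 0)
            return -1;
        if ((comparehome && strcmp(cwd, home) == 0) || strcmp(cwd, "/") == 0)
            break;
    }
    return 0;
}

/* Builds a scratch tree under /tmp (constructed test data) and records:
 * [0] home resolvable, clean chain   [1] world-writable dir in the chain
 * [2] home unresolvable              [3] home_skipped flag from scenario [2]
 * [4] whether /tmp itself is group/world-writable (it normally is, 1777).
 * Returns -99 if the scratch tree could not be created. */
static int demo_out[5], demo_ran;
int demo_result(int which)
{
    char dir[] = "/tmp/akdemoXXXXXX", keysdir[PATH_MAX], keyfile[PATH_MAX];
    char err[PATH_MAX + 64];
    struct stat st;
    FILE *f;
    if (demo_ran)
        return demo_out[which];
    demo_ran = 1;
    if (mkdtemp(dir) == NULL)          /* created with mode 0700, owned by us */
        return -99;
    snprintf(keysdir, sizeof keysdir, "%s/keys", dir);
    snprintf(keyfile, sizeof keyfile, "%s/keys/user", dir);
    if (mkdir(keysdir, 0755) != 0 || (f = fopen(keyfile, "w")) == NULL)
        return -99;
    fclose(f);
    chmod(keyfile, 0600);
    demo_out[0] = check_authorized_keys_path(keyfile, dir, getuid(), &demo_out[3], err, sizeof err);
    chmod(keysdir, 0777);              /* poison the chain */
    demo_out[1] = check_authorized_keys_path(keyfile, dir, getuid(), &demo_out[3], err, sizeof err);
    chmod(keysdir, 0755);
    demo_out[2] = check_authorized_keys_path(keyfile, "/nonexistent/afs/home/user", getuid(),
                                             &demo_out[3], err, sizeof err);
    demo_out[4] = stat("/tmp", &st) == 0 && (st.st_mode & 022) != 0;
    unlink(keyfile); rmdir(keysdir); rmdir(dir);
    return demo_out[which];
}
```

Calling check_authorized_keys_path() with a resolvable home directory stops the walk there, which is why a key file below $HOME works on a local filesystem. Scenario [2] shows the cost of the proposal: once the home directory cannot be resolved, the walk runs all the way to "/", so every ancestor of the AuthorizedKeysFile location, including /tmp-style sticky world-writable directories, must pass the ownership and mode test. A keys directory such as /etc/ssh/keys (as in the second comment) sits under root-owned, non-writable parents and therefore passes without needing the home directory at all.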
I actually commented the test out and re-built OpenSSH last night. Although not an ideal fix, it seemed to work. Getting AFS to auth after that is another (unrelated) story, but this does solve the ssh part of the problem. Thanks!
fixed in -current
Mass change of RESOLVED bugs to CLOSED