ssh(1) says that

    -i identity_file
        Selects a file from which the identity (private key) for public key authentication is read. The default is ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files). If no certificates have been explicitly specified by the CertificateFile directive, ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.

but it seems it does something else:

    holst@hholst-lt:~$ unshare -r
    root@hholst-lt:~# echo "~ expands to" ~ "and \$HOME is" $HOME
    ~ expands to /home/holst and $HOME is /home/holst
    root@hholst-lt:~# ssh sdf.org
    Could not create directory '/root/.ssh'.
    load pubkey "/root/.ssh/id_rsa": Permission denied
    load pubkey "/root/.ssh/id_rsa": Permission denied
    load pubkey "/root/.ssh/id_dsa": Permission denied
    load pubkey "/root/.ssh/id_dsa": Permission denied
    load pubkey "/root/.ssh/id_ecdsa": Permission denied
    load pubkey "/root/.ssh/id_ecdsa": Permission denied
    load pubkey "/root/.ssh/id_ed25519": Permission denied
    load pubkey "/root/.ssh/id_ed25519": Permission denied
    load pubkey "/root/.ssh/id_xmss": Permission denied
    load pubkey "/root/.ssh/id_xmss": Permission denied
    The authenticity of host 'sdf.org (205.166.94.16)' can't be established.
    ED25519 key fingerprint is SHA256:ZjwbO7AU8rHJExYrmZS2LqGZ7WfdoELfMrF54W92PYA.
    Are you sure you want to continue connecting (yes/no)? n
    Please type 'yes' or 'no': no
    Host key verification failed.
    root@hholst-lt:~#
It uses the directory returned by the system's getpwnam(3) for the real user ID of the ssh process. Thus, if you are running it as root then it always looks in root's home directory.

https://github.com/openssh/openssh-portable/blob/master/ssh.c#L545

It's behaved like this for a long time. I suspect its original intent was to prevent $HOME games in the case where the ssh binary was setuid, which was supported (although very infrequently actually used that way) up until recently.
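To make the difference between the two views of "home" concrete, here is a small added example (my own code, not from OpenSSH or from either poster). It resolves the home directory the way the reply above describes, from the passwd entry of the process's real uid (the getpwuid(getuid()) lookup at the linked spot in ssh.c, on my reading), compares it with $HOME, and prints the default identity paths ssh would try under the passwd home. The identity names are the ones visible in the session output above (id_rsa, id_dsa, id_ecdsa, id_ed25519, id_xmss); run it once normally and once inside `unshare -r` to reproduce the mismatch.

```c
/*
 * Added example (not OpenSSH code): mirrors how ssh picks the home directory
 * for its default identity files, namely the passwd entry of the process's
 * real uid, and contrasts that with $HOME.
 * Build: cc -Wall -o sshhome sshhome.c ; run it normally and under "unshare -r".
 */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Home directory the way ssh resolves it: the passwd entry for the real uid,
 * not the environment. Returns NULL when there is no usable passwd entry. */
static const char *home_from_passwd(char *buf, size_t n)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_dir == NULL)
        return NULL;
    if (snprintf(buf, n, "%s", pw->pw_dir) >= (int)n)
        return NULL;            /* truncated: treat as unusable */
    return buf;
}

/* Home directory the shell's "~" and most other programs would use. */
static const char *home_from_env(void)
{
    return getenv("HOME");
}

/* Build "<home>/.ssh/<name>", the path ssh tries for a default identity.
 * Returns 0 on success, -1 if an argument is missing or the result does not fit. */
static int build_identity_path(const char *home, const char *name,
                               char *out, size_t n)
{
    if (home == NULL || name == NULL)
        return -1;
    int len = snprintf(out, n, "%s/.ssh/%s", home, name);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* 1 when both views agree, 0 when they differ or one is missing.
 * Inside "unshare -r" the real uid is 0, so the passwd view becomes root's
 * home while $HOME still names the original user's directory. */
static int homes_agree(const char *env_home, const char *pw_home)
{
    return env_home != NULL && pw_home != NULL && strcmp(env_home, pw_home) == 0;
}

int main(void)
{
    /* Identity names in the order the session output above shows ssh trying them. */
    static const char *const names[] = {
        "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "id_xmss"
    };
    char pwbuf[4096], path[4096];
    const char *env_home = home_from_env();
    const char *pw_home = home_from_passwd(pwbuf, sizeof pwbuf);

    printf("real uid          : %lu\n", (unsigned long)getuid());
    printf("$HOME             : %s\n", env_home ? env_home : "(unset)");
    printf("passwd home (ssh) : %s\n", pw_home ? pw_home : "(no passwd entry)");
    if (!homes_agree(env_home, pw_home))
        printf("note: ssh will look for keys under the passwd home, not $HOME\n");

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_identity_path(pw_home, names[i], path, sizeof path) == 0)
            printf("ssh would try: %s\n", path);
    }
    return 0;
}
```

Under `unshare -r` the program reports real uid 0, $HOME as the original user's directory and the passwd home as /root, which is exactly why the session above shows ssh probing /root/.ssh/id_* and failing to create /root/.ssh.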
Would a patch that changes this behavior be accepted as a fix? To use the environment variable, I mean?