sshd gets path to authorized_keys file wrong

Barry Scott barry.scott at onelan.co.uk
Mon Jun 14 11:30:20 UTC 2010


On Thursday 10 June 2010 20:32:50 Mike Williams wrote:
> On Thu, Jun 10, 2010 at 6:45 AM, Barry Scott <barry.scott at onelan.co.uk> wrote:
> > We are seeing an sshd_config that used to work on f12 failing on f13.
> >
> > When doing ssh root@host:
> > Jun 10 11:34:32 f12barry sshd[23030]: Failed publickey for root from 192.168.7.232 port 39169 ssh2
> >
> > Notice the public key file is //.ssh/authorized_keys.
> >
> > -------------------sshd_config--------------
> > Port 22
> 
> I have two suggestions and a couple comments for you.

This is a known bug with the openssh sources in F13.
There is a patched openssh that will hit updates soon.

> 1) comment out the line with AuthorizedKeysFile

The AuthorizedKeysFile line is not parsed correctly. It is always turned into
an abs path. This is the bug the update will fix.

> 
>     In comparing your sshd_config with one from a working f13 system I
> noticed that I had that line commented out, when I uncommented I got a
> failure similar to what you mentioned.
> 
> 2) modify the AuthorizedKeysFile to match the line below (the %h
> causes sshd to look in $HOME/.ssh)
> 
> AuthorizedKeysFile      %h/.ssh/authorized_keys

I used:
  AuthorizedKeysFile      /%h/.ssh/authorized_keys

which works in spite of the bug.

> 
> Both of the above worked for me, after I broke the system by
> uncommenting the AuthorizedKeysFile line.
> 
> Your log lists port 39169, but the sshd_config you posted has Port
> 22 - I'm guessing what you posted as your sshd_config doesn't match
> what was in place when the log messages occurred.

That will be the client's port, not the server port.

> 
> I never allow root login, it just seems like asking for big trouble.
> I always set PermitRootLogin no and use sudo or su - as needed after
> logging in as a normal user, which seems much safer.

In general I agree, but in the case of the product this script
comes from it's not. The user can turn off SSH from the
product's web UI if they are concerned.

> Please post another message saying whether or not the
> AuthorizedKeysFile change(s) worked for you.

Done.

Barry
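
Added example, not part of the original message and not OpenSSH's own code: a Python model of the AuthorizedKeysFile expansion rules documented in sshd_config(5), showing that the `%h/...` and `/%h/...` forms discussed in the thread resolve to the same file. The function names, sample config and user table are constructed for illustration; the model covers documented behaviour (not the F13 parsing bug) and ignores Match blocks.

```python
import re

# Tokens modelled here; %U (numeric uid), accepted by newer releases, is left out.
TOKENS = ("h", "u", "%")

def expand_keys_path(pattern, user, home):
    """Expand %h, %u and %% in one AuthorizedKeysFile pattern, then anchor a
    relative result at the user's home directory, as sshd_config(5) documents."""
    def sub(match):
        key = match.group(1)
        if key not in TOKENS:
            raise ValueError(f"unsupported token %{key} in {pattern!r}")
        return {"h": home, "u": user, "%": "%"}[key]
    path = re.sub(r"%(.?)", sub, pattern)
    if not path.startswith("/"):
        path = f"{home}/{path}"
    # Linux treats runs of slashes as one, so collapse them for comparison.
    return re.sub(r"/{2,}", "/", path)

def authorized_keys_patterns(config_text):
    """Return the patterns from the first active AuthorizedKeysFile line
    (sshd uses the first value obtained for a keyword)."""
    for line in config_text.splitlines():
        if line.strip().startswith("#"):
            continue  # commented-out directive
        words = line.split()
        if words and words[0].lower() == "authorizedkeysfile":
            return words[1:]
    return []

def resolve_for_users(config_text, users):
    """Map each user to the key files sshd would consult. `users` is a
    {name: home} dict standing in for the passwd database."""
    patterns = authorized_keys_patterns(config_text)
    return {u: [expand_keys_path(p, u, h) for p in patterns]
            for u, h in users.items()}

# Constructed sample input, not the poster's real configuration.
SAMPLE_CONFIG = """\
Port 22
#AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysFile      /%h/.ssh/authorized_keys
"""
SAMPLE_USERS = {"root": "/root", "alice": "/home/alice"}

if __name__ == "__main__":
    for user, files in resolve_for_users(SAMPLE_CONFIG, SAMPLE_USERS).items():
        print(user, files)
```

Comparing the resolved paths against where keys are actually provisioned is a quick check after a distribution upgrade changes sshd behaviour.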

