Hi Elias,

Elias Kueny <elias.ku...@posteo.net> writes:

> The files are created with too open permissions, so ssh refuses to run:
>
> $ ssh xxx
> Bad owner or permissions on ~/.ssh/config
>
> $ ls -l .ssh
> lrwxrwxrwx 1 user users 59 Aug 14 18:17 authorized_keys -> /gnu/store/y8g2d9kmlrhfna23r26cfgp5mr1sxl72-authorized_keys
> lrwxrwxrwx 1 user users 52 Aug 14 18:17 config -> /gnu/store/dnnzwrz4hp1z6wnr76a6j57v95vyrbf3-ssh.conf

Here’s what I see in a container:

--8<---------------cut here---------------start------------->8---
$ ls -ld .ssh
drwx------ 2 ludo users 80 Sep 23 06:39 .ssh/
$ ls -l .ssh/config
lrwxrwxrwx 1 ludo users 52 Sep 23 06:39 .ssh/config -> /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
$ ls -l $(readlink .ssh/config)
-r--r--r-- 1 65534 overflow 6219 Jan  1  1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
--8<---------------cut here---------------end--------------->8---

The relevant check in OpenSSH is this:

--8<---------------cut here---------------start------------->8---
	if (fstat(fileno(f), &sb) == -1)
		fatal("fstat %s: %s", filename, strerror(errno));
	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
	    (sb.st_mode & 022) != 0))
		fatal("Bad owner or permissions on %s", filename);
--8<---------------cut here---------------end--------------->8---

That is, if ~/.ssh/config is owned by root, it’s fine; and this is exactly
what happens outside the container:

--8<---------------cut here---------------start------------->8---
$ ls -l $(readlink ~/.ssh/config)
-r--r--r-- 1 root root 6219 Jan  1  1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
--8<---------------cut here---------------end--------------->8---

So ‘ssh’ works fine outside the container, but not inside.

To address the issue at hand, we would need to map UID 0 of the host as
UID 0 of the guest, but I’m not sure this can be done.

To be continued…

Ludo’.