https://www.puppet.com/community logo
Join Slack
Powered by
# voxpupuli
  • v
    what were in those fucking cereals this morning, fentanyl?
  • v
    this is insane
  • v
    anarcat: is there anything like SELinux or AppArmor on those systems that could interfere?
  • v
    apparmor, perhaps
  • v
    not selinux
  • v
    just for fun, can you change the order in AuthorizedKeysFile ?
  • v
    no apparmor
  • v
    yeah
  • v
    and maybe namei -l /etc/ssh/userkeys/$thefile /var/lib/misc/userkeys/$thefile /etc/ssh/userkeys/%thefile.more /etc/ssh/puppetkeys/$thefile
  • v
    nope, that's not it
  • v
    yeah the namei is fine
  • v
    755 all the way up to the 600 root:root file
  • v
    mhm
  • v
    changing the order still fails
  • v
    i'm going to strace sshd
  • v
    [pid 1989593] openat(AT_FDCWD, "/etc/ssh/puppetkeys/pgbackrest-weather-01", O_RDONLY|O_NONBLOCK) = -1 EACCES (Permission denied)
  • v
    ok, the puppetkeys/userkeys is a red herring
  • v
    if i move the file between the two, it still fails
  • v
    how did I not know about namei
  • v
    105422 <anarcat> let me reproduce, hold on
  • v
    okay so i don't know what happened 15 minutes ago
  • v
    ewoud: it's awesome!
  • v
    but now i'm 100% confident i can't ssh if i chmod 600
  • v
    i'm going to sshd -d
  • v
    who'd have thought that on Friday after 17:00 I'd still learn something new :P
  • v
    debug1: temporarily_use_uid: 115/123 (e=0/0)
  • v
    debug1: trying public key file /etc/ssh/userkeys/postgres
  • v
    Could not open user 'postgres' authorized keys '/etc/ssh/userkeys/postgres': Permission denied
  • v
    so this is what i'm talking about here
  • v
    see that temporarily_use_uid ?
1...628629630...648Latest