SSH directory ownership issue when authenticating with SSH agent

[janedenone]

I use pam_ssh_agent_auth to authenticate as root on my host

# /usr/local/etc/pam.d/sudo
auth            sufficient      pam_ssh_agent_auth.so file=~/.ssh/authorized_keys
auth        include        system

and it works on the surface. But /var/log/auth.log logs the following:

Dec  3 04:08:54 bsd sudo[79278]: pam_ssh_agent_auth: Authentication refused: bad ownership or modes for file /home/jan/.ssh/authorized_keys
Dec  3 04:08:54 bsd sudo[79278]: pam_ssh_agent_auth: Found matching ED25519 key: <redacted>
Dec  3 04:08:54 bsd sudo[79278]: pam_ssh_agent_auth: Authenticated (agent): `jan' as `jan' using /home/jan/.ssh/authorized_keys

The permissions on ~/.ssh/authorized_keys are set properly:

jan@bsd:~/.ssh $ ll
total 12
drwx------  2 jan jan - 512 Dec  2 09:22 ./
drwxr-xr-x  3 jan jan - 512 Dec  2 20:51 ../
-rw-------  1 jan jan - 103 Dec  2 09:22 authorized_keys

And despite the logged refusal, the authentication succeeds. What could be the problem here?

 

[cracauer@]

That's odd.

What are the permissions on the ~/.ssh directory itself?

 

[janedenone]

That's odd.

What are the permissions on the ~/.ssh directory itself?

700, as shown above.

 

[VladiBG]

chown jan:wheel /home/jan/.ssh/authorized_keys

chmod 640 /usr/jan/.ssh/authorized_keys

Also try to add "allow_user_owned_authorized_keys_file" in /usr/local/etc/pam.d/sudo
According to the man page it should be by default enabled when you are using ~/ or %h

"auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys allow_user_owned_authorized_keys_file"

 

[janedenone]

Also try to add "allow_user_owned_authorized_keys_file" in /usr/local/etc/pam.d/sudo
According to the man page it should be by default enabled when you are using ~/ or %h

Thank you – in the meantime, I had changed ~/.ssh/authorized_keys to /root/.ssh/authorized_keys, and the error message went away. Adding allow_user_owned_authorized_keys_file explicitly does not solve the problem, though.

Now that it is clear what causes the warning, I have two questions:

1. Why does the flag allow_user_owned_authorized_keys_file not work as described on the man page?
2. Why does the authentication succeed despite the refused authentication?