[systemd-devel] ssh generator credentials do not work for non-root

Andrei Borzenkov arvidjaar at gmail.com
Sat Feb 1 14:33:15 UTC 2025


systemd 257.2

The ssh generator supports an undocumented ssh.ephemeral-authorized_keys-all 
credential, which is supposed to contain additional authorized keys:

>                         "ExecStart=-%s -i -o \"AuthorizedKeysFile ${CREDENTIALS_DIRECTORY}/ssh.ephemeral-authorized_keys-all .ssh/authorized_keys\"\n"
>                         "StandardInput=socket\n"
>                         "ImportCredential=ssh.ephemeral-authorized_keys-all",


But it does not work with OpenSSH privilege separation because the 
process that tries to verify the keys does not have access to the 
imported credentials:

> bor@tw:~> LC_TIME=en systemctl --no-pager --full status sshd@2-17440842\:22-2\:3906252923.service 
> sshd@2-17440842:22-2:3906252923.service - OpenSSH Per-Connection Server Daemon (vsock:2:3906252923)
>      Loaded: loaded (/etc/systemd/system/sshd@.service; static)
>      Active: active (running) since Sat 2025-02-01 17:22:39 MSK; 3min 39s ago
>  Invocation: c276a01b4d344578bb3c11c5b6d09b43
> TriggeredBy: ● sshd-vsock.socket
>        Docs: man:systemd-ssh-generator(8)
>              man:sshd(8)
>     Process: 3198 ExecStartPre=/usr/sbin/sshd-gen-keys-start (code=exited, status=0/SUCCESS)
>     Process: 3201 ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS (code=exited, status=0/SUCCESS)
>    Main PID: 3203 (sshd-session)
>       Tasks: 0 (limit: 2323)
>         CPU: 91ms
>      CGroup: /system.slice/system-sshd.slice/sshd@2-17440842:22-2:3906252923.service
>              ‣ 3203 "sshd-session: bor [priv]"
> 
> Feb 01 17:22:39 tw systemd[1]: Starting OpenSSH Per-Connection Server Daemon (vsock:2:3906252923)...
> Feb 01 17:22:39 tw systemd[1]: Started OpenSSH Per-Connection Server Daemon (vsock:2:3906252923).
> Feb 01 17:22:39 tw sshd-session[3203]: Could not open user 'bor' authorized keys '/run/credentials/sshd@2-17440842:22-2:3906252923.service/ssh.ephemeral-authorized_keys-all': Permission denied
> Feb 01 17:22:39 tw sshd-session[3203]: Could not open user 'bor' authorized keys '/run/credentials/sshd@2-17440842:22-2:3906252923.service/ssh.ephemeral-authorized_keys-all': Permission denied
> Feb 01 17:22:39 tw sshd-session[3203]: Accepted publickey for bor from UNKNOWN port 65535 ssh2: RSA SHA256:90LqSlBQcQiTR0jcqtBFvYa5UuMxV0rfP9ZcYM2tX54
> Feb 01 17:22:39 tw sshd-session[3203]: pam_unix(sshd:session): session opened for user bor(uid=1001) by bor(uid=0)
> bor@tw:~> 
> 

Yes, the directory exists and contains the correct content. And I can 
ssh as root too. But the directory is accessible to root only:

> bor@tw:~> LC_TIME=en ls -l /run/credentials/
> -bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
> total 0
> drwx------ 2 root root 60 Feb  1 16:38 @system
> dr-x------ 2 root root 40 Feb  1 16:39 getty@tty1.service
> dr-x------ 2 root root 60 Feb  1 17:22 sshd@2-17440842:22-2:3906252923.service
> dr-x------ 2 root root 40 Feb  1 16:38 systemd-journald.service
> bor@tw:~> 
> 

Am I missing something?
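As an added illustration of the failure described above (this is not code from the post, from systemd or from OpenSSH): sshd temporarily switches to the target user's uid/gid while opening the AuthorizedKeysFile, so the open is subject to ordinary POSIX discretionary access control on every path component. The script below models that walk over a constructed directory tree that mirrors the listing in the post, where /run/credentials/<unit>/ is dr-x------ root:root. The modes of the parent directories and of the credential file itself, and bor's primary gid, are assumptions; the unit name and uid 1001 are taken from the post. It shows that the 0500 directory is the component that denies, and that loosening only the file's mode would change nothing.

```python
#!/usr/bin/env python3
"""Simulate the DAC check sshd-session hits when it opens an AuthorizedKeysFile
under $CREDENTIALS_DIRECTORY as the target user.

Added example, not code from the post, systemd or OpenSSH. Models plain POSIX
permission bits only: no capabilities, no ACLs, no LSM.
"""
from __future__ import annotations

import os
import stat
from dataclasses import dataclass

ROOT_UID = 0


@dataclass(frozen=True)
class Node:
    """Minimal stat(2) view of one path component."""
    mode: int   # full st_mode, including the S_IFDIR / S_IFREG type bits
    uid: int
    gid: int


def _permits(node: Node, uid: int, gids: set, owner_bit: int, group_bit: int, other_bit: int) -> bool:
    """Classic DAC: root bypasses; otherwise exactly one class (owner, group, other) applies."""
    if uid == ROOT_UID:
        return True
    if node.uid == uid:
        return bool(node.mode & owner_bit)
    if node.gid in gids:
        return bool(node.mode & group_bit)
    return bool(node.mode & other_bit)


def can_open_for_read(tree: dict, path: str, uid: int, gids: set):
    """Walk `path` component by component as the kernel does for open(O_RDONLY).

    Each directory traversed needs search (x) permission for the caller; the final
    component needs read (r). Returns (True, None) or (False, first_denying_path).
    """
    parts = [p for p in path.split("/") if p]
    cur = "/"
    for part in parts:
        dirnode = tree[cur]
        if not stat.S_ISDIR(dirnode.mode) or not _permits(
                dirnode, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, cur
        cur = os.path.join(cur, part)
        if cur not in tree:
            return False, cur          # ENOENT; not the case in the post
    leaf = tree[cur]
    if not _permits(leaf, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, cur
    return True, None


UNIT = "sshd@2-17440842:22-2:3906252923.service"        # from the post
SERVICE_DIR = f"/run/credentials/{UNIT}"
KEYS_PATH = f"{SERVICE_DIR}/ssh.ephemeral-authorized_keys-all"

D, F = stat.S_IFDIR, stat.S_IFREG
# Constructed tree. Only SERVICE_DIR's mode/owner comes from the post's `ls -l`.
TREE = {
    "/":                Node(D | 0o755, 0, 0),   # assumption
    "/run":             Node(D | 0o755, 0, 0),   # assumption
    "/run/credentials": Node(D | 0o755, 0, 0),   # assumption (bor could list it in the post)
    SERVICE_DIR:        Node(D | 0o500, 0, 0),   # dr-x------ root root, as listed in the post
    KEYS_PATH:          Node(F | 0o400, 0, 0),   # assumption: credential file itself root-only
}

BOR_UID, BOR_GIDS = 1001, {100}   # uid 1001 from the pam_unix line; gid 100 is an assumption


def with_mode(tree: dict, path: str, perm_bits: int) -> dict:
    """Copy of `tree` where `path` keeps its type and owner but gets new permission bits."""
    n = tree[path]
    new = dict(tree)
    new[path] = Node(stat.S_IFMT(n.mode) | perm_bits, n.uid, n.gid)
    return new


def scenarios() -> dict:
    """Reproduce the post's outcome and show which component actually gates access."""
    r = {}
    r["root"] = can_open_for_read(TREE, KEYS_PATH, ROOT_UID, {0})
    r["bor"] = can_open_for_read(TREE, KEYS_PATH, BOR_UID, BOR_GIDS)
    # Relaxing only the file does not help: the 0500 directory still denies search.
    r["bor_file_0444"] = can_open_for_read(with_mode(TREE, KEYS_PATH, 0o444), KEYS_PATH, BOR_UID, BOR_GIDS)
    # Relaxing only the directory moves the denial to the file itself.
    r["bor_dir_0555"] = can_open_for_read(with_mode(TREE, SERVICE_DIR, 0o555), KEYS_PATH, BOR_UID, BOR_GIDS)
    # Both relaxed: readable (whether that is an acceptable fix is a separate question).
    both = with_mode(with_mode(TREE, SERVICE_DIR, 0o555), KEYS_PATH, 0o444)
    r["bor_both"] = can_open_for_read(both, KEYS_PATH, BOR_UID, BOR_GIDS)
    return r


if __name__ == "__main__":
    for name, (ok, where) in scenarios().items():
        print(f"{name:15s} {'OK' if ok else 'EACCES at ' + where}")
```

Running it prints one line per scenario; the "bor" case reports EACCES at the service's credentials directory, matching the "Permission denied" in the journal even though root (the [priv] process before it drops privileges) reads the same path fine. The model deliberately ignores ACLs, SELinux/AppArmor and CAP_DAC_READ_SEARCH, any of which could change the answer on a real host.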




