This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Key-based authentication fails when keys are in Samba directory


I have Cygwin and OpenSSH set up on a number of Win2K machines.
Home directories for users are mounted via a FreeBSD-based Samba
server named Whistler.  SSH to the Win2K machines works without any
problems *except* for key-based authentication where the
~/.ssh/authorized_keys file is in a Samba-mounted home directory.

I found email from Brian Hayward
(http://sources.redhat.com/ml/cygwin/2003-10/msg00479.html) from a
couple of weeks ago, which seems pretty similar.  However, when I
try the solution (running "setfacl -m u:system:r-- ~ ~/.ssh
~/.ssh/authorized_keys", where ~ is a Samba-mounted home directory),
I get an error message that says "Function not implemented."  I
don't get this error message when I try it on a local home directory,
like /home/administrator.  (I've also tried appending keys in
authorized_keys2 to authorized_keys, without any more success.)

I *have* been able to get key-based authentication to work if I set
up a home directory for the user on the Win2K machine.  In other
words, I change the home directory listed in /etc/passwd from
"//sambaserver/username" to "/home/username", create the directory,
and copy over the user's .ssh directory.  However, at this point
they no longer have access to their home directory, so it's less
than ideal.  And for the record, password-based authentication works
without any problem at all.

On the Samba server, some home directories are mounted via NFS from
other FreeBSD machines via amd, and some are on the machine itself;
this doesn't seem to make any difference -- key-based authentication
keeps failing.  

I thought it might be a problem with symlinks
(http://www.cygwin.com/faq/faq_4.html#SEC69).  To test, I tried
setting my home directory in Cygwin's /etc/passwd to a temporary
directory on Whistler (one that was not mounted via AMD, and had
no symbolic links at all) and copying the
.ssh directory in there; it still didn't work.

Here's the debug log from the ssh daemon when I try to log in:

debug1: userauth-request for user hbrown service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x100f4888
debug1: temporarily_use_uid: 13044/545 (e=18/18)
debug1: trying public key file //whistler/hbrown/.ssh/authorized_keys
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: restore_uid: (unprivileged)
debug1: temporarily_use_uid: 13044/545 (e=18/18)
debug1: trying public key file //whistler/hbrown/.ssh/authorized_keys2
debug1: restore_uid: (unprivileged)
debug3: mm_answer_keyallowed: key 0x100f4888 is disallowed
debug3: mm_request_send entering: type 21
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for hbrown from 192.168.0.80 port 2621 ssh2
 
Directory permissions for ~hbrown, listed in Cygwin:

 $ ls -ld .ssh
 drwxr-xr-x    2 hbrown   Users           0 Oct 23 13:31 .ssh

 $ ls -ld .ssh/authorized_keys*
  -rw-r--r--    1 hbrown   Users        3894 Oct 23 16:08 .ssh/authorized_keys
  -rw-r--r--    1 hbrown   Users        1221 Oct 23 15:55 .ssh/authorized_keys2

And the options in sshd_config that are not commented out:

Port 22
StrictModes no
UsePrivilegeSeparation yes
Subsystem      sftp    /usr/sbin/sftp-server

Finally, I've attached the output of cygcheck -s -v -r.  

Thanks in advance for any help you can give me, and please let me
know if I've left anything out.

-- 
Hugh Brown
hbrown@dyaptive.com

Attachment: cygcheck.out
Description: Text document
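Two things in the message above can be checked mechanically: the sshd debug log shows which authorized_keys files were tried and that the offered key was disallowed, and the sshd_config has StrictModes turned off, which is the check that would otherwise refuse a home directory or key file with unsafe ownership or permissions. The script below is an added example, not code from the original post or from the Cygwin or OpenSSH projects. It parses the debug lines quoted in the message (embedded here as sample input) into a short summary, and it reimplements the StrictModes-style permission check in Python (as an approximation of what sshd does, not its actual source) against a constructed home directory, so a defender can see exactly what StrictModes no stops sshd from rejecting. The user name, path and addresses in the sample come from the message; the temporary directory layout and the placeholder key line are constructed for the demonstration.

```python
"""Summarise an sshd publickey attempt from debug output and re-run a
StrictModes-style permission check.  Added example; assumptions noted inline."""
import os
import re
import stat
import tempfile

# Sample input: the sshd debug lines quoted in the message above (constructed copy).
SAMPLE_LOG = """\
debug1: userauth-request for user hbrown service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 13044/545 (e=18/18)
debug1: trying public key file //whistler/hbrown/.ssh/authorized_keys
debug1: restore_uid: (unprivileged)
debug1: temporarily_use_uid: 13044/545 (e=18/18)
debug1: trying public key file //whistler/hbrown/.ssh/authorized_keys2
debug1: restore_uid: (unprivileged)
debug3: mm_answer_keyallowed: key 0x100f4888 is disallowed
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for hbrown from 192.168.0.80 port 2621 ssh2
"""

USERAUTH_RE = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
TRYFILE_RE = re.compile(r"trying public key file (\S+)")
DISALLOWED_RE = re.compile(r"key 0x[0-9a-fA-F]+ is disallowed")
FAILED_RE = re.compile(r"Failed publickey for (\S+) from (\S+) port (\d+)")


def summarize_pubkey_attempt(log_text):
    """Reduce sshd debug output for one publickey attempt to the facts that
    matter for triage: who, which files sshd looked in, and the outcome."""
    summary = {"user": None, "method": None, "files_tried": [],
               "key_disallowed": False, "failed_from": None}
    for line in log_text.splitlines():
        if m := USERAUTH_RE.search(line):
            summary["user"], summary["method"] = m.group(1), m.group(2)
        elif m := TRYFILE_RE.search(line):
            summary["files_tried"].append(m.group(1))
        elif DISALLOWED_RE.search(line):
            summary["key_disallowed"] = True
        elif m := FAILED_RE.search(line):
            summary["failed_from"] = (m.group(2), int(m.group(3)))
    return summary


def strict_modes_check(home, authorized_keys):
    """Approximation of sshd's StrictModes rule (assumption: not the real sshd
    code): the home directory, the .ssh directory and the authorized_keys file
    must be owned by the login user and must not be group- or world-writable.
    Returns a list of human-readable problems; an empty list means 'would pass'."""
    problems = []
    getuid = getattr(os, "getuid", None)  # absent on native Windows Python
    for path in (home, os.path.dirname(authorized_keys), authorized_keys):
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: group/other writable (mode {mode:04o})")
        if getuid is not None and st.st_uid != getuid():
            problems.append(f"{path}: owned by uid {st.st_uid}, not the login user")
    return problems


def demo_strict_modes():
    """Build a constructed home directory, check it with sane permissions,
    then loosen ~/.ssh and check again.  Returns (sane_problems, loose_problems)."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "hbrown")
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir)
    with open(keys, "w") as fh:
        fh.write("# constructed placeholder; a real file holds public key lines\n")
    os.chmod(home, 0o755)
    os.chmod(ssh_dir, 0o700)
    os.chmod(keys, 0o644)
    sane = strict_modes_check(home, keys)
    os.chmod(ssh_dir, 0o777)  # the kind of mode a misbehaving share can present
    loose = strict_modes_check(home, keys)
    return sane, loose


if __name__ == "__main__":
    for key, value in summarize_pubkey_attempt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    sane, loose = demo_strict_modes()
    print("sane layout problems:", sane or "none")
    print("loose layout problems:", loose)
```

The summary makes the failure mode explicit: sshd opened both authorized_keys and authorized_keys2 under the user's uid and still reported the key as disallowed, so the question is what sshd could read from those files, not whether it found them. The permission check is what StrictModes no switches off; leaving it on and fixing the share's ownership or mode reporting keeps sshd from silently accepting a key file that another account could edit.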

