@dave_thompson_085's comment on the question really nails it, so expanding on this as to not leave this question without a formal answer:
In misc.c
, function safe_path()
states, as of 2023-06:
/*
* Check a given path for security. This is defined as all components
* of the path to the file must be owned by either the owner of
* of the file or root and no directories must be group or world writable.
*
* XXX Should any specific check be done for sym links ?
*
* Takes a file name, its stat information (preferably from fstat() to
* avoid races), the uid of the expected owner, their home directory and an
* error buffer plus max size as arguments.
*
* Returns 0 on success and -1 on failure
*/
int
safe_path(const char *name, struct stat *stp, const char *pw_dir,
uid_t uid, char *err, size_t errlen)
{
...
if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
(stp->st_mode & 022) != 0) {
snprintf(err, errlen, "bad ownership or modes for file %s",
buf);
return -1;
}
...
(similarly to each path component)
}
This function is called by safe_path_fd()
wrapper, and if considering both, their usage regarding authorized_keys
appears to be in auth_openfile()
from auth2-pubkeyfile.c
:
static FILE *
auth_openfile(const char *file, struct passwd *pw, int strict_modes,
int log_missing, char *file_type)
{
...
if (strict_modes &&
safe_path_fd(fileno(f), file, pw, line, sizeof(line)) != 0) {
fclose(f);
logit("Authentication refused: %s", line);
auth_debug_add("Ignored %s: %s", file_type, line);
return NULL;
}
...
}
Where strict_modes
comes from StrictModes
option in sshd_config
In conclusion, answering your question:
Now, how can this even work a non-root user for /etc/ssh/authorized_keys if [...] does not allow to use [...] unless the parent folders are with permission 0700 and owned by the user [...] and the file is owned by the user and has permission 0600?
Or am I missing something?
You're misreading the requirements stated in sshd documentation
:
~/.ssh/authorized_keys
Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can
be used for logging in as this user. The format of this
file is described above. The content of the file is not
highly sensitive, but the recommended permissions are
read/write for the user, and not accessible by others.
If this file, the ~/.ssh directory, or the user's home
directory are writable by other users, then the file could
be modified or replaced by unauthorized users. In this
case, sshd will not allow it to be used unless the
StrictModes option has been set to “no”.
Note it never requires a strict 0600 for the authorized_keys
file, it merely recommends it. And for directories, it only requires each component not to be world-(or group-)writable, so they can be 0755 just fine. And that's why the code only checks for a 022
mask.
And, also looking at the code, root
is always allowed as the owner, both by sshd
and by the filesystem, so authorized_keys
can even be 0000
---------- root:root
(remember sshd process runs as root). This is unfortunately never explicitly said in the manual, but OTOH it also doesn't ever say that the file owner and the user logging in must match (the code does).
safe_path
inmisc.c
andplatform_sys_dir_uid
inplatform-misc.c
; the actual requirement is that the file and dirs (up to either the user's homedir or the root) are unwritable by other than owner and are owned by the desired uid OR ROOT (OR if configured at build time one other uid, which could e.g. be assigned for an sftp server)