problem with ssh, suid, ssh-keysign, and identity file

[shadedecho]

I have a simple c++ program that i've written which forks a process, calls ssh so it can execute a remote command, and relies on root's private key (by passing the command line switch -i/root/.ssh/id_dsa) to be able to make the ssh connection without a password prompt.

i have set the c++ program to be SUID root. When I execute my program while logged in as root, everything works fine.

when I change to another non-root user, and try to run the command, ssh throws out an warning that the identity file i am referring to could not be found. So then I try not specifying the identity file in my program, hoping that ssh will just find the right root cert to use. I don't get that warning about the identity file being missing, but it still tries to prompt me for that password.

so, putting back in the reference for the identity file into my execvp() command, now I try to set ssh as SUID root. try again, still same thing.

so i try enabling "ssh-keysign" (with "EnableSSHKeysign yes" in my ssh_config file). I then also set ssh-keysign binary to be SUID root. I try my program again, and again, I get the same inability for my non-root login account to execute a program that wants to use ssh and root's identity file.

I have verified that my program is in fact running SUID root, by having it write out a file to /tmp and checking it's perms, it's owned by root:root.

So, what can I do to get my program to get the ssh login to use root's identity file when the logged in user is non-root?

(and yes, yes, yes, I do understand the security implications of what I am trying to do)

 

[shadedecho]

i further changed my c++ program to actually open and dump the contents of the /root/.ssh/id_dsa file, to prove that it had access to that file (via SUID) even when run by a non-root user. It was able to dump them just fine.

However, ssh/ssh-keysign still refused to let me use that file.

So, then I was wondering if ssh/ssh-keysign add an additional layer of security by looking at the environment variables for the current user account and home-dir to determine it's home dir matches the specified identity file, to prevent .ssh/ dirs not in that logged in user's home. I tried changing the $USER, $LOGNAME, and $HOME environment variables at my login prompt, and then executing my program, and still got the same issue.

Lastly, I tried copying the /root/.ssh/id_dsa file (same exact ownership/perms) to like /tmp, and changing my program to try and use that file location instead. This time, under the non-root login account, when I executed my program, it asked me to enter the passphrase for the file /tmp/id_dsa. There is no passphrase for that file, and there never was one. I also don't need to use it when working with that file while logged in as root, so this new behavior further confuses me.

What I'm left to assume right now is that ssh/ssh-keysign are somehow intentionally disabling this kind of activity, and that I may have no choice but to either work around this differently or manually modify the ssh client. It just seems that they will not access the file no matter what I do.

Can anyone shed some light on why?