On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris <lists at spuddy.org> wrote:
> On Tue, Nov 16, 2010 at 09:12:17PM -0500, Kwan Lowe wrote:
>> When you first attempt to login, sshd is running as root. It needs to
>> look at your NFS mounted home directory (which is often set for no
>> root squash) to get the public key. But because it is no root squash,
>
> Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is
> normally the default) means that phase is run as the destination user
> and not as root.

To clarify, the sshd listener runs as root and then drops privileges
once the user is authenticated. The issue is specifically the root
squash across NFS filesystems which is normally set to disable root
privs on the mount (that, and noexec). I.e., even root has no privs to
validate the shared key.
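
An added example, not part of the original message: with root squashing, root on the NFS client is mapped to an anonymous user on the server, so a root process can reach `authorized_keys` only through the "other" permission bits. The sketch below walks the path and lists what would block that read. The function names, the sample home tree and the key line are constructed for illustration, and the code assumes the anonymous user is neither owner nor group member of anything on the path.

```python
import os
import stat
import tempfile

def squashed_root_blockers(key_file, stop_at):
    """List what stops a root-squashed root from reading key_file.

    Assumption: the anonymous user is neither owner nor group member of
    anything on the path, so only the 'other' permission bits count.
    Run as the owning user, who can stat every component.
    """
    key_file, stop_at = os.path.abspath(key_file), os.path.abspath(stop_at)
    blockers = []
    if not os.stat(key_file).st_mode & stat.S_IROTH:
        blockers.append((key_file, "file not readable by other"))
    directory = os.path.dirname(key_file)
    while True:
        if not os.stat(directory).st_mode & stat.S_IXOTH:
            blockers.append((directory, "directory not searchable by other"))
        parent = os.path.dirname(directory)
        if directory == stop_at or parent == directory:
            break
        directory = parent
    return blockers

def build_home(home_mode, ssh_mode, key_mode):
    """Create a constructed home tree in a temp dir with the given modes."""
    home = os.path.join(tempfile.mkdtemp(), "alice")
    ssh_dir = os.path.join(home, ".ssh")
    key_file = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir)
    with open(key_file, "w") as fh:
        fh.write("ssh-ed25519 CONSTRUCTED-SAMPLE-KEY alice@example\n")
    os.chmod(key_file, key_mode)
    os.chmod(ssh_dir, ssh_mode)
    os.chmod(home, home_mode)
    return home, key_file

if __name__ == "__main__":
    for modes in ((0o700, 0o700, 0o600), (0o711, 0o755, 0o644)):
        home, key_file = build_home(*modes)
        found = squashed_root_blockers(key_file, stop_at=home)
        print([oct(m) for m in modes], found or "readable via 'other' bits")
```

On a real system, pass the user's actual `authorized_keys` path and use the NFS mount point as `stop_at`.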