
I have some users which have different $HOME directories than /home/.

The user homes are under /pkg/home, and /pkg is owned by a different user, but all users have group access to /pkg. It seems that SSHD will restrict access to authorized_keys (e.g. /pkg/home/usera/.ssh/authorized_keys) because the user is not the owner of the full path.

Is there any option for sshd_config to change this restriction?

marquies

  • I don't think that this is the reason. If $HOME is /home/usera, the user also will not be the owner of the full path (meaning usera will not be the owner of /home). Can you show the output of ls -ld /pkg /pkg/home /pkg/home/usera /pkg/home/usera/.ssh /pkg/home/usera/authorized_keys for a problem user? – miracle173 Sep 13 '12 at 20:39
  • Thanks, you are right. File permissions were correct, both 700. The problem was caused by SELinux. I found out that I had to run the command 'restorecon -R -v ~/.ssh' (https://bugzilla.redhat.com/show_bug.cgi?id=476362). – marquies Sep 14 '12 at 07:22
  • @marquies, feel free to add your solution as an Answer! – Jeff Schaller Sep 09 '18 at 15:03

4 Answers


It doesn't matter who owns /pkg/. If it were owned by usera, then you would have problems with userb, etc. So it must be something else that prevents SSHD from using the authorized_keys file. You have to check that this file is writable only by its owner and that it is owned by the proper user. The same applies to all parent directories.

  • Thanks, you are right. File permissions were correct, both 700. The problem was caused by SELinux. I found out that I had to run the command 'restorecon -R -v ~/.ssh' (https://bugzilla.redhat.com/show_bug.cgi?id=476362). – marquies Sep 14 '12 at 07:22
  • I'm glad you were able to find that out. It's a good idea to mention in the question that you are using SELinux if you have any problems with permissions, access, etc. – Krzysztof Adamski Sep 14 '12 at 07:27

It's all or nothing: if you turn the StrictModes option off, sshd will never check any file modes. There's no way to say that certain odd cases are ok, such as a group-writable directory (which is ok if the user is alone in the group).

OpenSSH checks the permissions and ownership of ~/.ssh/authorized_keys and its containing directories recursing upwards. However, it stops the comparison when it reaches the home directory. For example, in the classical arrangement where the authorization file is /home/joe/.ssh/authorized_keys and /home/joe is the user's home directory, only /home/joe/.ssh/authorized_keys, /home/joe/.ssh and /home/joe are checked.

So while your scenario is highly dubious (/pkg should be owned by root, with additional group permissions if required), it should not impact ssh.

If any symbolic links are involved, note that ssh expands all symlinks before starting its checks.

The system logs might have relevant information. Check if your failed login attempts cause any log message.

Check that your version of ssh performs the same checks as mine (I looked at the source of OpenSSH 5.5p1) by running a debug mode daemon on a custom port (sshd -d -p 2222). Use strace -f -efile sshd -d -p 2222 if necessary to check which files' permission the server checks. If these permission checks aren't the issue, adding more -d flags might throw some light.

If you have AppArmor, there's also the possibility that it is restricting the ssh server to reading files in users' .ssh directories. If you have AppArmor and home directories in a nonstandard location, you'll need to update AppArmor policies (not just for SSH). See Evince fails to start because it cannot read .Xauthority.
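As an added example (not code from this or any other answer on the page), the POSIX shell script below re-implements the three StrictModes checks the answer describes: authorized_keys, the .ssh directory and the home directory must each be owned by the login user or root and must not be group- or world-writable, with symlinks resolved first and nothing above $HOME examined. The function names (check_path, check_authorized_keys, demo) and the temporary-directory layout that stands in for /pkg/home/usera are this example's own, constructed for the demonstration; the rule it reproduces is the one stated in the answer, not a copy of sshd's source.

```shell
#!/bin/sh
# Added example, not part of any answer above: re-run the StrictModes checks
# that sshd applies to authorized_keys, its .ssh directory and the home
# directory, so the offending path shows up without reading sshd -d output.
# Rule reproduced: each of the three paths must be owned by the login user or
# root and must not be group- or world-writable; anything above $HOME (such as
# /pkg or /pkg/home) is not examined.

# Resolve symlinks first, as the answer notes sshd does; fall back to the literal path.
resolve() {
    realpath "$1" 2>/dev/null || readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# Print "uid mode" for a path: GNU stat first, then BSD/macOS stat.
stat_uid_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %OLp' "$1" 2>/dev/null
}

# check_path PATH UID: owner must be UID or 0; group/other write bits must be clear.
check_path() {
    p=$(resolve "$1"); uid=$2
    out=$(stat_uid_mode "$p") || { echo "BAD  $p: cannot stat"; return 1; }
    owner=${out% *}; mode=${out#* }
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "BAD  $p: owned by uid $owner, expected $uid or 0"; return 1
    fi
    # 0$mode reads the octal mode string; 022 masks the group and other write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "BAD  $p: mode $mode is group- or world-writable"; return 1
    fi
    echo "ok   $p (uid $owner, mode $mode)"
}

# check_authorized_keys HOME UID: the three paths sshd actually looks at.
# Parent directories above HOME are deliberately not visited.
check_authorized_keys() {
    home=$1; uid=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || rc=1
    done
    return $rc
}

# Demo on a constructed layout in a temp dir (hypothetical usera). As an
# ordinary user everything is owned by the caller, so only mode violations
# can be shown here; the group-writable parent mimics /pkg/home and is never checked.
demo() {
    base=$(mktemp -d); me=$(id -u)
    mkdir -p "$base/home/usera/.ssh"
    : > "$base/home/usera/.ssh/authorized_keys"
    chmod 775 "$base/home"                              # stands in for /pkg/home
    chmod 750 "$base/home/usera"
    chmod 700 "$base/home/usera/.ssh"
    chmod 600 "$base/home/usera/.ssh/authorized_keys"
    if check_authorized_keys "$base/home/usera" "$me"; then good=0; else good=1; fi
    chmod 770 "$base/home/usera/.ssh"                   # the classic mistake
    if check_authorized_keys "$base/home/usera" "$me"; then bad=0; else bad=1; fi
    rm -rf "$base"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo && echo "sshd would accept the first layout and reject the second"
```

Run it as the account that cannot log in, or as root with that account's uid, e.g. `check_authorized_keys /pkg/home/usera "$(id -u usera)"`. A clean run with a login that still fails is the signal to look past file modes, at SELinux labels or AppArmor policy as the other answers describe, rather than at StrictModes.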


I had the same problem, using '/data' as base dir for the user directories. For me, it was not enough to run 'restorecon -R -v ~/.ssh'. First, I had to run

# semanage fcontext -a -e /home /data

as root, and then (also as root, since the /data directory contained a root-owned directory)

# restorecon -R -v /data
Henrik

In addition to the other answers, make sure to check the sshd logs and that the correct permissions are set on the folders and file:

$ chown usera /pkg/home/usera
$ chmod go-w  /pkg/home/usera
$ chmod 700   /pkg/home/usera/.ssh
$ chmod 600   /pkg/home/usera/.ssh/authorized_keys
Robin