bugzilla-daemon at mindrot.org
2004-Oct-02 17:11 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
Summary: "AllowGroups" option and secondary user's groups limit
Product: Portable OpenSSH
Version: 3.9p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: coil93 at mail.ee
Linux Suse 9.1, nss_ldap version 215, pam_ldap version 169, openldap version 2.2.17
OpenSSH can't handle more than 5 groups via pam_ldap authentication.
For example: user john has primary group gr1 and belongs to secondary groups
gr2,gr3,gr4,gr5 in LDAP database.
sshd_config:
AllowGroups 5
UsePAM yes
/etc/pam.d/sshd
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_limits.so
/etc/nsswitch.conf
passwd_compat: ldap
group_compat: ldap
root at localhost> id john
root at localhost> uid=1023(john) gid=10(gr1) groups=10(gr1),5021(gr2),0(gr3),1013(gr4),3455(gr5)
root at localhost> ssh -l john localhost
Password: *****
Have a lot of fan...
john at localhost>
Now add user john into additional group gr6
root at localhost> id john
root at localhost> uid=1023(john) gid=10(gr1) groups=10(gr1),5021(gr2),0(gr3),1013(gr4),3455(gr5),3456(gr6)
root at localhost> ssh -l john localhost
Password: *****
Password: *****
Password: *****
Permission denied (publickey, keyboard-interactive)
root at localhost>
sshd debug:
Oct 2 20:06:35 linux sshd[8856]: debug1: userauth-request for user john service ssh-connection method keyboard-interactive
Oct 2 20:06:35 linux sshd[8856]: debug1: attempt 3 failures 3
Oct 2 20:06:35 linux sshd[8856]: debug2: input_userauth_request: try method keyboard-interactive
Oct 2 20:06:35 linux sshd[8856]: debug1: keyboard-interactive devs
Oct 2 20:06:35 linux sshd[8856]: debug1: auth2_challenge: user=john devs
Oct 2 20:06:35 linux sshd[8856]: debug1: kbdint_alloc: devices 'pam'
Oct 2 20:06:35 linux sshd[8856]: debug2: auth2_challenge_start: devices pam
Oct 2 20:06:35 linux sshd[8856]: debug2: kbdint_next_device: devices <empty>
Oct 2 20:06:35 linux sshd[8856]: debug1: auth2_challenge_start: trying authentication method 'pam'
Oct 2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_init_ctx entering
Oct 2 20:06:35 linux PAM-warn[8860]: function=[pam_sm_authenticate] service=[sshd] terminal=[ssh] user=[john] ruser=[<unknown>] rhost=[127.0.0.1]
Oct 2 20:06:35 linux sshd[8860]: debug3: PAM: sshpam_thread_conv entering, 1 messages
Oct 2 20:06:35 linux sshd[8860]: debug3: ssh_msg_send: type 1
Oct 2 20:06:35 linux sshd[8860]: debug3: ssh_msg_recv entering
Oct 2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_query entering
Oct 2 20:06:35 linux sshd[8856]: debug3: ssh_msg_recv entering
Oct 2 20:06:35 linux sshd[8856]: Postponed keyboard-interactive for invalid user john from 127.0.0.1 port 32986 ssh2
Oct 2 20:06:35 linux sshd[8856]: debug2: auth2_challenge_start: devices <empty>
Oct 2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_free_ctx entering
Oct 2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_thread_cleanup entering
Oct 2 20:06:35 linux sshd[8856]: Failed keyboard-interactive/pam for invalid user john from 127.0.0.1 port 32986 ssh2
Oct 2 20:06:35 linux sshd[8856]: Connection closed by 127.0.0.1
Oct 2 20:06:35 linux sshd[8856]: debug1: do_cleanup
Oct 2 20:06:35 linux sshd[8856]: debug1: PAM: cleanup
Oct 2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_thread_cleanup
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Oct-06 10:01 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|"AllowGroups" option and |"AllowGroups" option and
       |secondary user's groups |secondary user's groups
       |limit |limit
------- Additional Comments From dtucker at zip.com.au 2004-10-06 20:01 -------
Please attach (note: use "create attachment", do not paste it into the text field)
a full debug trace from the server (/path/to/sshd -ddde).
Also, does the problem occur with 'UsePAM no'?
bugzilla-daemon at mindrot.org
2004-Oct-08 19:57 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
------- Additional Comments From coil93 at mail.ee 2004-10-09 05:57 -------
Created an attachment (id=727) --> (http://bugzilla.mindrot.org/attachment.cgi?id=727&action=view)
sshd -ddde output
With "UsePAM no" auth ok
bugzilla-daemon at mindrot.org
2004-Oct-09 02:42 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
------- Additional Comments From dtucker at zip.com.au 2004-10-09 12:42 -------
Created an attachment (id=728) --> (http://bugzilla.mindrot.org/attachment.cgi?id=728&action=view)
Add some instrumentation to ga_match()
The user is being denied in the early stages (getpwnamallow) which is before PAM is even initialized. I can't figure out why sshd would behave differently with and without PAM in this case. I could imagine something in nss_ldap causing it but in that case UsePAM should make no difference.
Attached is a patch that adds some debugging output to the group match function. Please apply it and run sshd in debug mode twice, once where it works and once where it doesn't, then compare the "ga_match" sections of the debug output and attach them to the bug (substitute the real group names for fake ones if you need to, as long as you do it consistently :-).
bugzilla-daemon at mindrot.org
2004-Oct-09 11:42 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
------- Additional Comments From coil93 at mail.ee 2004-10-09 21:42 -------
Created an attachment (id=729) --> (http://bugzilla.mindrot.org/attachment.cgi?id=729&action=view)
ga_match() debug output
bugzilla-daemon at mindrot.org
2004-Oct-09 11:50 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
------- Additional Comments From coil93 at mail.ee 2004-10-09 21:50 -------
(From update of attachment 729)
Now auth failed with "UsePAM no" if user has access into g6 group
bugzilla-daemon at mindrot.org
2004-Oct-09 12:21 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
------- Additional Comments From dtucker at zip.com.au 2004-10-09 22:21 -------
Created an attachment (id=730) --> (http://bugzilla.mindrot.org/attachment.cgi?id=730&action=view)
Add debugging to ga_init.
OK, so from that output it looks like either the OS is returning incomplete data from getgrouplist or sshd's ga_init is not populating the groups_byname list correctly. Attached is another patch to add some debugging to ga_init, please apply and run sshd in debug mode again and attach the ga_init bits.
It looks like it's not a PAM problem, anyway.
bugzilla-daemon at mindrot.org
2004-Oct-09 12:21 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Component|PAM support |sshd
bugzilla-daemon at mindrot.org
2004-Oct-10 09:59 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
------- Additional Comments From coil93 at mail.ee 2004-10-10 19:59 -------
Created an attachment (id=731) --> (http://bugzilla.mindrot.org/attachment.cgi?id=731&action=view)
ga_init() debug output
bugzilla-daemon at mindrot.org
2004-Oct-10 10:47 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
------- Additional Comments From dtucker at zip.com.au 2004-10-10 20:47 -------
Created an attachment (id=732) --> (http://bugzilla.mindrot.org/attachment.cgi?id=732&action=view)
test program for getgrouplist
It appears that getgrouplist() is returning an incomplete list (with duplicates) on your system. Attached is a small test program that outputs the contents of the list. Does the group list output by it match the gids output by the ga_init debugging? eg:
$ gcc grouptest.c
$ ./a.out root
root 0 1 2 3 4 6 10
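Attachment 732 itself is not reproduced in this thread; the program below is an added example, not dtucker's attachment or OpenSSH code, that calls getpwnam() and getgrouplist() the way sshd's ga_init() does (an assumption about ga_init, since its source is not on this page), prints the list like the "./a.out root" sample above, and flags the repeated gids that betray a truncated NSS result such as the reporter's "11 1107 1170 0 0 0". The any_gid_allowed() check is a simplified stand-in for the AllowGroups match (sshd matches by group name; gids are used here), showing why a truncated list denies a user who really is in an allowed group.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries that repeat an earlier gid. A sane getgrouplist() result
 * has no repeats; a padded/truncated list (e.g. "... 0 0 0") has several. */
int count_duplicate_gids(const gid_t *gids, int n) {
    int dups = 0;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < i; j++)
            if (gids[i] == gids[j]) { dups++; break; }
    return dups;
}

/* Simplified AllowGroups decision (assumption: stands in for ga_match,
 * which compares names): allow when any of the user's gids is listed. */
int any_gid_allowed(const gid_t *gids, int n, const gid_t *allowed, int m) {
    for (int i = 0; i < n; i++)
        for (int j = 0; j < m; j++)
            if (gids[i] == allowed[j]) return 1;
    return 0;
}

/* Fetch a user's group list: primary gid from getpwnam(), then
 * getgrouplist(). Returns the count, or -1 on unknown user/overflow. */
int user_gid_list(const char *user, gid_t *out, int cap) {
    struct passwd *pw = getpwnam(user);
    int n = cap;
    if (pw == NULL) return -1;
    if (getgrouplist(user, pw->pw_gid, out, &n) == -1) return -1;
    return n;
}

int main(int argc, char **argv) {
    gid_t gids[256];
    const char *user = argc > 1 ? argv[1] : "root";
    int n = user_gid_list(user, gids, 256);
    if (n < 0) { fprintf(stderr, "%s: lookup failed\n", user); return 1; }
    printf("%s", user);
    for (int i = 0; i < n; i++) printf(" %u", (unsigned)gids[i]);
    printf("\n");
    if (count_duplicate_gids(gids, n) > 0)
        printf("warning: duplicate gids, NSS group lookup is suspect\n");
    return 0;
}
```

Compare its output with the gids printed by the ga_init debugging; a warning here points at the NSS group source (nsswitch.conf/nss_ldap), not at sshd.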
bugzilla-daemon at mindrot.org
2004-Oct-10 11:16 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
------- Additional Comments From coil93 at mail.ee 2004-10-10 21:16 -------
Yes...that's right
>./a.out jm
>jm 11 1107 1170 0 0 0
ga_init() lookup 11 1107 1170 0 0 0
bugzilla-daemon at mindrot.org
2004-Oct-10 11:26 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |INVALID
------- Additional Comments From dtucker at zip.com.au 2004-10-10 21:26 -------
Yep, your getgrouplist is broken and you'll need to speak to your OS vendor
about it.
bugzilla-daemon at mindrot.org
2004-Oct-10 15:15 UTC
[Bug 938] "AllowGroups" option and secondary user's groups limit
http://bugzilla.mindrot.org/show_bug.cgi?id=938
------- Additional Comments From coil93 at mail.ee 2004-10-11 01:15 -------
The problem was in a wrong nsswitch.conf, generated by Yast :E