I'm using 7.2p2-4ubuntu2.1

I have the same exact problem as described in the first comment in
https://bugzilla.mindrot.org/show_bug.cgi?id=1573

Initially, my ldap server hostname and IP are only in /etc/hosts, not in the configured resolver. I can't use the real IP as a workaround in ldap.conf because of the TLS configuration, which cares about the hostname.

At the time I add the host name and IP in the resolver, the issue goes away.

So, I'm a bit worried to be forced to declare a record in my DNS to enable SFTP listing? There should be another way, isn't there?

I also tried to copy /etc/hosts to etc/hosts in the folder specified by the ChrootDirectory directive, with no more success.

Notice: it happens only for ldap users, not local users.

Any help welcome,
Regards,
In the process of writing this email, I forgot to say hello to you all. Rather impolite for someone who is looking for help. My apologies.

Cheers

On 12/05/2017 at 12:06, mh at ow2.org wrote:
> I'm using 7.2p2-4ubuntu2.1
>
> I have the same exact problem as described in the first comment in
> https://bugzilla.mindrot.org/show_bug.cgi?id=1573
>
> Initially, my ldap server hostname and IP are only in /etc/hosts, not in
> the configured resolver. I can't use the real IP as a workaround in
> ldap.conf because of the TLS configuration, which cares about the hostname.
>
> At the time I add the host name and IP in the resolver, the issue goes away.
>
> So, I'm a bit worried to be forced to declare a record in my DNS to
> enable SFTP listing? There should be another way, isn't there?
>
> I also tried to copy /etc/hosts to etc/hosts in the folder specified by
> the ChrootDirectory directive, with no more success.
>
> Notice: it happens only for ldap users, not local users.
>
> Any help welcome,
>
> Regards,
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On 2017-05-12T12:07, mh at ow2.org <mh at ow2.org> wrote:
> I'm using 7.2p2-4ubuntu2.1
>
> I have the same exact problem as described in the first comment in
> https://bugzilla.mindrot.org/show_bug.cgi?id=1573
>
> Initially, my ldap server hostname and IP are only in /etc/hosts, not in
> the configured resolver. I can't use the real IP as a workaround in
> ldap.conf because of the TLS configuration, which cares about the hostname.
>
> At the time I add the host name and IP in the resolver, the issue goes away.
>
> So, I'm a bit worried to be forced to declare a record in my DNS to
> enable SFTP listing? There should be another way, isn't there?
>
> I also tried to copy /etc/hosts to etc/hosts in the folder specified by
> the ChrootDirectory directive, with no more success.
>
> Notice: it happens only for ldap users, not local users.

There should be a /etc/nsswitch.conf in your chroot where you can configure where users and hostnames should be looked up. E.g. to prevent LDAP lookups altogether you could configure the respective two lines to read:

    passwd: files
    group: files

i.e. drop the 'ldap' option there. To check why /etc/hosts isn't being used you can look if hosts: has 'files dns' or just 'dns' altogether behind it.

But in general I would recommend putting all your hostnames into DNS properly; in my experience this avoids all kinds of headaches with all kinds of software. And leave /etc/hosts as empty as possible, because that always grows inconsistent over time.

Ciao,

Alexander Wuerstlein.
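The nsswitch.conf check Alexander describes, as an added example that is not part of the thread or of OpenSSH: a small POSIX sh script that reads the nsswitch.conf under a chroot, reports whether `passwd:`/`group:` still list `ldap` and whether `hosts:` consults `files` at all, and exercises itself against two constructed fixtures (a "weak" copy of a typical host config and the files-only "fixed" variant). The function names, the fixture contents and the temporary chroot paths are all assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the nsswitch.conf that
# internal-sftp will see inside a ChrootDirectory. Function names, the
# "weak"/"fixed" fixtures and the temporary chroot paths are constructed
# for this demo only.

# nss_sources DB FILE: print the source list configured for database DB
# (e.g. "files dns" for "hosts:"), ignoring comments and surrounding space.
nss_sources() {
    awk -v db="$1" '
        { line = $0; sub(/#.*/, "", line) }
        match(line, "^[[:space:]]*" db "[[:space:]]*:") {
            sub("^[[:space:]]*" db "[[:space:]]*:[[:space:]]*", "", line)
            sub(/[[:space:]]+$/, "", line)
            print line
            exit
        }
    ' "$2"
}

# nss_check CHROOT: report whether passwd/group still reach for ldap and
# whether hosts consults /etc/hosts ("files") at all. Returns 1 on findings,
# 2 if the chroot has no readable /etc/nsswitch.conf, 0 when clean.
nss_check() {
    nss_conf="$1/etc/nsswitch.conf"
    [ -r "$nss_conf" ] || { echo "missing: $nss_conf"; return 2; }
    nss_rc=0
    for nss_db in passwd group; do
        nss_src=$(nss_sources "$nss_db" "$nss_conf")
        case " $nss_src " in
            *" ldap "*) echo "$nss_db: still lists ldap ($nss_src)"; nss_rc=1 ;;
            *)          echo "$nss_db: $nss_src" ;;
        esac
    done
    nss_hosts=$(nss_sources hosts "$nss_conf")
    case "$nss_hosts" in
        files*)  echo "hosts: files consulted first ($nss_hosts)" ;;
        *files*) echo "hosts: files consulted, but not first ($nss_hosts)" ;;
        *)       echo "hosts: /etc/hosts never consulted ($nss_hosts)"; nss_rc=1 ;;
    esac
    return $nss_rc
}

# make_demo_chroot DIR KIND: write a constructed nsswitch.conf under DIR/etc.
# KIND "weak" mimics a host config copied into the chroot unchanged;
# KIND "fixed" is the files-only variant suggested in the thread.
make_demo_chroot() {
    mkdir -p "$1/etc"
    if [ "$2" = weak ]; then
        printf '# constructed fixture\npasswd:\tcompat ldap\ngroup:\tcompat ldap\nhosts:\tdns\n' \
            > "$1/etc/nsswitch.conf"
    else
        printf 'passwd: files\ngroup:  files\nhosts:  files dns\n' > "$1/etc/nsswitch.conf"
    fi
}

# Stand-alone demo over the two constructed chroots.
demo_root=$(mktemp -d)
make_demo_chroot "$demo_root/weak" weak
make_demo_chroot "$demo_root/fixed" fixed
echo "== weak chroot =="
nss_check "$demo_root/weak" || echo "(findings, exit status $?)"
echo "== fixed chroot =="
nss_check "$demo_root/fixed" && echo "(clean)"
rm -rf "$demo_root"
```

Point it at the real chroot with `nss_check /path/to/chroot` to see the same report for a live setup. A `hosts:` line that reads just `dns` is exactly the case where a hosts file copied into the chroot is never read, and a `passwd:`/`group:` line still listing `ldap` is the case where the listing depends on a working LDAP client inside the chroot.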
On 12/05/2017 at 12:47, Alexander Wuerstlein wrote:
> On 2017-05-12T12:07, mh at ow2.org <mh at ow2.org> wrote:
>> I'm using 7.2p2-4ubuntu2.1
>>
>> I have the same exact problem as described in the first comment in
>> https://bugzilla.mindrot.org/show_bug.cgi?id=1573
>>
>> Initially, my ldap server hostname and IP are only in /etc/hosts, not in
>> the configured resolver. I can't use the real IP as a workaround in
>> ldap.conf because of the TLS configuration, which cares about the hostname.
>>
>> At the time I add the host name and IP in the resolver, the issue goes away.
>>
>> So, I'm a bit worried to be forced to declare a record in my DNS to
>> enable SFTP listing? There should be another way, isn't there?
>>
>> I also tried to copy /etc/hosts to etc/hosts in the folder specified by
>> the ChrootDirectory directive, with no more success.
>>
>> Notice: it happens only for ldap users, not local users.
>
> There should be a /etc/nsswitch.conf in your chroot where you can
> configure where users and hostnames should be looked up. E.g. to prevent
> LDAP lookups altogether you could configure the respective two lines to
> read:
>     passwd: files
>     group: files
> i.e. drop the 'ldap' option there. To check why /etc/hosts isn't being
> used you can look if hosts: has 'files dns' or just 'dns' altogether
> behind it.
>
> But in general I would recommend putting all your hostnames into DNS
> properly; in my experience this avoids all kinds of headaches with all
> kinds of software. And leave /etc/hosts as empty as possible, because
> that always grows inconsistent over time.
>

Thanks Alexander, I'll try the nsswitch.conf suggestion.

Until then I've noticed the following: while the ldap hostname is in the DNS, if I also put the corresponding line into etc/hosts in the chroot, the hang happens again. So the hosts file in the chroot is read somehow. But if it reads the hosts file properly, what is the problem then? I'm a bit confused.

Have a good weekend :)