Qingtao Cao
2024-Oct-12 11:04 UTC
A question about LDAP Public Key authentication with openssh 9.8p1
Hi openssh community, I am very new to the source code of openssh and trying to make the LDAP Public Key authentication work. I found that I need to change a line in the monitor.c to make it work, I would like to ask the community whether this is desirable at all. 1. I have created a pair of RSA private key and public key 2. I have setup the public key to the remote LDAP server, as the sshPublicKey attribute for a particular user 3. This user does not exist on a device running linux with openssh 9.8p1 4. On this device, the sshd_config contains the AuthorizedKeysCommand option to call a script which further invokes the ldapsearch command to fetch users' sshPublicKey attribute from the LDAP server 5. From my home PC, I try to login the device with a particular user, with the ssh -i option with the private key Ok, now this is what happens: 1. Given that the user is only defined on the LDAP server, but not on the device, the getpwnamallow (in auth.c) > getpwnam() will return NULL 2. Back to the mm_answer_pwnamallow (in monitor.c), it will call fakepw() to fake a struct passwd descriptor for such non-local user, as in the bellow snippet of code: if (pwent == NULL) { if ((r = sshbuf_put_u8(m, 0)) != 0) fatal_fr(r, "assemble fakepw"); authctxt->pw = fakepw(); goto out; } allowed = 1; authctxt->pw = pwent; authctxt->valid = 1; Note that it will goto out to bailout immediately, that is to say, without setting authctxt->valid = 1. 3. After enabling sshd debug logs, I got below two error messages: sshd-session[1889]: debug2: userauth_pubkey: invalid user testuser querying public key rsa-sha2-512 <RSA pub key> sshd-session[1889]: debug2: userauth_pubkey: disabled because of invalid user [preauth] In particharl, the latter was generated by the below code: if (!authctxt->valid || authctxt->user == NULL) { debug2_f("disabled because of invalid user"); goto done; } 4. Putting the #2 and #3 points above together, that "goto out;" line will make the non-local user unable to login the device, despite of the fact that its RSA public key has been setup properly on the remote LDAP server, and the device's PAM settings has been set to use pam_ldap.so for authentication 5. If I comment off that "goto out;" line, the LDAP public key authentication for remote users could begin to work. and from sshd-session's debug logs, I can see the script specified by the AuthorizedKeysCommands option could finally be invoked. Ok, my questions are: 1. Why do I have to comment off that "goto out;" line to make the LDAP public key auth work for remote users? 2. How should the LDAP public key auth work in the first place (without any code changes for the openssh)? 3. If I have to comment off that "goto out;" line, which sets authctxt->valid = 1, would this create a vulnerability for the sshd server? Many many thanks for reading my email! Best regards, Harry
Brian Candler
2024-Oct-12 11:13 UTC
A question about LDAP Public Key authentication with openssh 9.8p1
On 12/10/2024 12:04, Qingtao Cao wrote:> 4. Putting the #2 and #3 points above together, that "goto out;" line will > make the non-local user unable to login the device, despite of the fact > that its RSA public key has been setup properly on the remote LDAP serverSuppose that user were allowed to login: what UID, GID and home directory would you expect them to be assigned? Don't you still need something like nss_ldap or sssd to perform the username mapping? And if you had that, getpwnam() would not return NULL.
Maybe Matching Threads
- A question about LDAP Public Key authentication with openssh 9.8p1
- Puzzled about PAM support in OpenSSH-3.7.1p2
- A question about LDAP Public Key authentication with openssh 9.8p1
- A question about LDAP Public Key authentication with openssh 9.8p1
- user creation before authentication