openssh unix dev - Oct 2024 - A question about LDAP Public Key authentication with openssh 9.8p1

Hi openssh community,

I am very new to the source code of openssh and trying to make the LDAP
Public Key authentication work. I found that I need to change a line in the
monitor.c to make it work, I would like to ask the community whether this
is desirable at all.

1. I have created a pair of RSA private key and public key
2. I have setup the public key to the remote LDAP server, as the
sshPublicKey attribute for a particular user
3. This user does not exist on a device running linux with openssh 9.8p1
4. On this device, the sshd_config contains the AuthorizedKeysCommand
option to call a script which further invokes the ldapsearch command to
fetch users' sshPublicKey attribute from the LDAP server
5. From my home PC, I try to login the device with a particular user, with
the ssh -i option with the private key

Ok, now this is what happens:
1. Given that the user is only defined on the LDAP server, but not on the
device, the getpwnamallow (in auth.c) > getpwnam() will return NULL

2. Back to the mm_answer_pwnamallow (in monitor.c), it will call fakepw()
to fake a struct passwd descriptor for such non-local user, as in the
bellow snippet of code:

        if (pwent == NULL) {
                if ((r = sshbuf_put_u8(m, 0)) != 0)
                        fatal_fr(r, "assemble fakepw");
                authctxt->pw = fakepw();
                goto out;
        }

        allowed = 1;
        authctxt->pw = pwent;
        authctxt->valid = 1;

Note that it will goto out to bailout immediately, that is to say, without
setting authctxt->valid = 1.

3. After enabling sshd debug logs, I got below two error messages:

sshd-session[1889]: debug2: userauth_pubkey: invalid user testuser querying
public key rsa-sha2-512 <RSA pub key>
sshd-session[1889]: debug2: userauth_pubkey: disabled because of invalid
user [preauth]

In particharl, the latter was generated by the below code:

                if (!authctxt->valid || authctxt->user == NULL) {
                        debug2_f("disabled because of invalid user");
                        goto done;
                }

4. Putting the #2 and #3 points above together, that "goto out;" line
will
make the non-local user unable to login the device, despite of the fact
that its RSA public key has been setup properly on the remote LDAP server,
and the device's PAM settings has been set to use pam_ldap.so for
authentication

5. If I comment off that "goto out;" line, the LDAP public key
authentication for remote users could begin to work. and from
sshd-session's debug logs, I can see the  script specified by the
AuthorizedKeysCommands option could finally be invoked.

Ok, my questions are:
1. Why do I have to comment off that "goto out;" line to make the LDAP
public key auth work for remote users?
2. How should the LDAP public key auth work in the first place (without any
code changes for the openssh)?
3. If I have to comment off that "goto out;" line, which
sets authctxt->valid = 1, would this create a vulnerability for the sshd
server?

Many many thanks for reading my email!

Best regards,
Harry

On 12/10/2024 12:04, Qingtao Cao wrote:
> 4. Putting the #2 and #3 points above together, that "goto out;"
line will
> make the non-local user unable to login the device, despite of the fact
> that its RSA public key has been setup properly on the remote LDAP server
Suppose that user were allowed to login: what UID, GID and home 
directory would you expect them to be assigned?

Don't you still need something like nss_ldap or sssd to perform the 
username mapping? And if you had that, getpwnam() would not return NULL.