bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-27 11:17 UTC
[Bug 2861] New: LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861
Bug ID: 2861
Summary: LDAP user with public key authentication showing
AUTHSTATE=compat
Product: Portable OpenSSH
Version: 7.5p1
Hardware: PPC
OS: AIX
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: mayasha9 at in.ibm.com
Created attachment 3144
--> https://bugzilla.mindrot.org/attachment.cgi?id=3144&action=edit
ldapuser_log
Hello,
Hope you are doing fine. I am using Openssh7.5_p1 on AIX Environment. I
have installed IBM LDAP filesets and tried to test SSH functionality
with LDAP user. I have created ldapuser and tried to login through that
user using public key authentication. After logging in, I have seen
that its environment variable AUTHSTATE is showing compat instead of
LDAP. In case of password based authentication, it's showing LDAP which
is the right behavior. Can you please look into such issue. I am
sending logs too. Please let me know if you need some extra
information.
Thanks & Regards
Mayank Sharma
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-28 01:55 UTC
[Bug 2861] LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
The client side logs don't help here, instead what you are after might
be in the server-side logs (eg "/path/to/sshd -ddde -p 2022" to run it
on port 2022).
Looking at the code, it looks like sshd never sets AUTHSTATE, although
it will copy it into the shell child. I think it'll be set by the
authenticate() call which does password auth, but that does not get
called for publickey auth.
Given that it is not actually authenticating via LDAP what do you
expect it to do?
bugzilla-daemon at bugzilla.mindrot.org
2018-May-02 09:34 UTC
[Bug 2861] LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861
--- Comment #2 from Mayank Sharma <mayasha9 at in.ibm.com> ---
Hi Darren,
Please find more details below -
1. I have made an AIX-LDAP server and client setup
2. Now I created an LDAP user using the below command
# mkuser -R LDAP ldapuser
# passwd -R LDAP ldapuser
3. Now I tried password based authentication for this user and we get the
following environment variables set for this user.
$ ssh localhost
ldapuser at localhost's password:
Last unsuccessful login: Wed May 2 03:16:40 CDT 2018 on ssh from 127.0.0.1
Last login: Wed May 2 03:16:45 CDT 2018 on /dev/pts/3 from 127.0.0.1
.
.
.
$
$ env
...
AUTHSTATE=LDAP
...
$
4. Now I did the password less authentication setup using the below
commands -
# su ldapuser
# ssh-keygen
# cp /home/ldapuser/.ssh/id_rsa.pub /home/ldapuser/.ssh/authorized_keys
5. And tried to login.
$ ssh localhost
Last unsuccessful login: Wed May 2 03:16:40 CDT 2018 on ssh from 127.0.0.1
Last login: Wed May 2 03:16:45 CDT 2018 on /dev/pts/3 from 127.0.0.1
.
.
.
$
$ env
...
AUTHSTATE=compat
...
$
As we can see in step 3, we have AUTHSTATE set to LDAP whereas in step
5, AUTHSTATE is set to compat.
The expectation is that the AUTHSTATE should display LDAP irrespective
of authentication methods (password-less or password-based).
Please let me know if you need additional information.
I will further attach sshd logs.
bugzilla-daemon at bugzilla.mindrot.org
2018-May-02 09:37 UTC
[Bug 2861] LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861
--- Comment #3 from Mayank Sharma <mayasha9 at in.ibm.com> ---
Created attachment 3146
--> https://bugzilla.mindrot.org/attachment.cgi?id=3146&action=edit
sshd password-based authentication logs
bugzilla-daemon at bugzilla.mindrot.org
2018-May-02 09:39 UTC
[Bug 2861] LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861
--- Comment #4 from Mayank Sharma <mayasha9 at in.ibm.com> ---
Created attachment 3147
--> https://bugzilla.mindrot.org/attachment.cgi?id=3147&action=edit
sshd password-less authentication logs
bugzilla-daemon at bugzilla.mindrot.org
2018-May-03 05:09 UTC
[Bug 2861] LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861
--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
Comment on attachment 3147
--> https://bugzilla.mindrot.org/attachment.cgi?id=3147
sshd password-less authentication logs
>debug3: AIX/setauthdb set registry 'LDAP'
>debug1: AIX/loginsuccess: [...]
>debug3: aix_restoreauthdb: restoring old registry ''
[...]
> AUTHSTATE=compat
It's calling setauthdb before all of the auth related functions and
AUTHSTATE doesn't get set, it certainly looks like it's the
authenticate() call that's setting it.
> The expectation is that the AUTHSTATE should display LDAP irrespective of authentication methods(password-less or password-based).
Why would you expect that? You're not authenticating via LDAP in that
case.
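Added example, not part of the thread or of the OpenSSH source: a Python pass over server-side sshd debug output that pairs each accepted login with the registry named in the AIX/setauthdb line and marks whether the login used password auth, the path comment #1 suggests is where AUTHSTATE gets set. The sample log is constructed, the line ordering and the use of "Connection from" as a session marker are assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample of "sshd -ddde" output for three connections. Only the
# setauthdb/loginsuccess/restoreauthdb wording comes from the thread.
SAMPLE_LOG = """\
Connection from 127.0.0.1 port 50122 on 127.0.0.1 port 2022
debug3: AIX/setauthdb set registry 'LDAP'
debug3: aix_restoreauthdb: restoring old registry ''
Accepted publickey for ldapuser from 127.0.0.1 port 50122 ssh2: RSA SHA256:CONSTRUCTED
debug1: AIX/loginsuccess: (constructed)
Connection from 127.0.0.1 port 50123 on 127.0.0.1 port 2022
debug3: AIX/setauthdb set registry 'LDAP'
debug3: aix_restoreauthdb: restoring old registry ''
Accepted password for ldapuser from 127.0.0.1 port 50123 ssh2
Connection from 127.0.0.1 port 50124 on 127.0.0.1 port 2022
Accepted publickey for root from 127.0.0.1 port 50124 ssh2: RSA SHA256:CONSTRUCTED
"""

NEW_CONN = re.compile(r"Connection from \S+ port \d+ on ")
SETAUTHDB = re.compile(r"AIX/setauthdb set registry '([^']*)'")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from \S+ port \d+")

def summarize_logins(log_text):
    """Return one record per accepted login: user, method, registry."""
    registry, logins = None, []
    for line in log_text.splitlines():
        if NEW_CONN.search(line):
            registry = None              # new connection: forget stale state
        elif (m := SETAUTHDB.search(line)):
            registry = m.group(1) or None
        elif (m := ACCEPTED.search(line)):
            method, user = m.groups()
            logins.append({
                "user": user, "method": method, "registry": registry,
                # Assumption taken from comment #1: only password auth goes
                # through authenticate(), which is what sets AUTHSTATE.
                "via_authenticate": method == "password",
            })
    return logins

def logins_without_authstate(logins):
    """Registry-backed users whose login skipped authenticate(), so the
    session's AUTHSTATE should not be expected to name that registry."""
    return [l for l in logins if l["registry"] and not l["via_authenticate"]]

if __name__ == "__main__":
    for rec in logins_without_authstate(summarize_logins(SAMPLE_LOG)):
        print(f"{rec['user']}: {rec['method']} login, registry "
              f"{rec['registry']}, AUTHSTATE not set via authenticate()")
```

Scripts or audit rules that read AUTHSTATE to decide where a user was authenticated can use the same pairing to see which sessions that variable does not describe.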
bugzilla-daemon at mindrot.org
2023-Oct-11 05:23 UTC
[Bug 2861] LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WORKSFORME
Status|NEW |RESOLVED
CC| |djm at mindrot.org
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Closing; no followup from reporter for 5+ years