bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-27 11:17 UTC
[Bug 2861] New: LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861

            Bug ID: 2861
           Summary: LDAP user with public key authentication showing AUTHSTATE=compat
           Product: Portable OpenSSH
           Version: 7.5p1
          Hardware: PPC
                OS: AIX
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mayasha9 at in.ibm.com

Created attachment 3144
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3144&action=edit
ldapuser_log

Hello,

Hope you are doing fine.

I am using Openssh7.5_p1 on AIX Environment. I have installed IBM LDAP filesets and tried to test SSH functionality with LDAP user. I have created ldapuser and tried to login through that user using public key authentication. After logging in, I have seen that its environment variable AUTHSTATE is showing compat instead of LDAP. In case of password-based authentication, it's showing LDAP, which is the right behavior.

Can you please look into such an issue. I am sending logs too. Please let me know if you need some extra information.

Thanks & Regards
Mayank Sharma
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-28 01:55 UTC
[Bug 2861] LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
The client side logs don't help here, instead what you are after might be in the server-side logs (eg "/path/to/sshd -ddde -p 2022" to run it on port 2022).

Looking at the code, it looks like sshd never sets AUTHSTATE, although it will copy it into the shell child. I think it'll be set by the authenticate() call which does password auth, but that does not get called for publickey auth.

Given that it is not actually authenticating via LDAP what do you expect it to do?
bugzilla-daemon at bugzilla.mindrot.org
2018-May-02 09:34 UTC
[Bug 2861] LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861

--- Comment #2 from Mayank Sharma <mayasha9 at in.ibm.com> ---
Hi Darren,

Please find more details below -

1. I have made an AIX-LDAP server and client setup.

2. Now I created an LDAP user using the below commands:

    # mkuser -R LDAP ldapuser
    # passwd -R LDAP ldapuser

3. Now I tried password-based authentication for this user and we get the following environment variables set for this user.

    $ ssh localhost
    ldapuser at localhost's password:
    Last unsuccessful login: Wed May 2 03:16:40 CDT 2018 on ssh from 127.0.0.1
    Last login: Wed May 2 03:16:45 CDT 2018 on /dev/pts/3 from 127.0.0.1
    .
    .
    .
    $
    $ env
    ...
    AUTHSTATE=LDAP
    ...
    $

4. Now I did the password-less authentication setup using the below commands -

    # su ldapuser
    # ssh-keygen
    # cp /home/ldapuser/.ssh/id_rsa.pub /home/ldapuser/.ssh/authorized_keys

5. And tried to login.

    $ ssh localhost
    Last unsuccessful login: Wed May 2 03:16:40 CDT 2018 on ssh from 127.0.0.1
    Last login: Wed May 2 03:16:45 CDT 2018 on /dev/pts/3 from 127.0.0.1
    .
    .
    .
    $
    $ env
    ...
    AUTHSTATE=compat
    ...
    $

As we can see in step 3, we have AUTHSTATE set to LDAP whereas in step 5, AUTHSTATE is set to compat.

The expectation is that the AUTHSTATE should display LDAP irrespective of authentication methods (password-less or password-based).

Please let me know if you need additional information. I will further attach sshd logs.
bugzilla-daemon at bugzilla.mindrot.org
2018-May-02 09:37 UTC
[Bug 2861] LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861

--- Comment #3 from Mayank Sharma <mayasha9 at in.ibm.com> ---
Created attachment 3146
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3146&action=edit
sshd password-based authentication logs
bugzilla-daemon at bugzilla.mindrot.org
2018-May-02 09:39 UTC
[Bug 2861] LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861

--- Comment #4 from Mayank Sharma <mayasha9 at in.ibm.com> ---
Created attachment 3147
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3147&action=edit
sshd password-less authentication logs
bugzilla-daemon at bugzilla.mindrot.org
2018-May-03 05:09 UTC
[Bug 2861] LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861

--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
Comment on attachment 3147
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3147
sshd password-less authentication logs

>debug3: AIX/setauthdb set registry 'LDAP'
>debug1: AIX/loginsuccess:
[...]
>debug3: aix_restoreauthdb: restoring old registry ''
[...]
> AUTHSTATE=compat

It's calling setauthdb before all of the auth related functions and AUTHSTATE doesn't get set; it certainly looks like it's the authenticate() call that's setting it.

> The expectation is that the AUTHSTATE should display LDAP irrespective of authentication methods (password-less or password-based).

Why would you expect that? You're not authenticating via LDAP in that case.
bugzilla-daemon at mindrot.org
2023-Oct-11 05:23 UTC
[Bug 2861] LDAP user with public key authentication showing AUTHSTATE=compat
https://bugzilla.mindrot.org/show_bug.cgi?id=2861

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Closing; no followup from reporter for 5+ years