bugzilla-daemon at mindrot.org
2023-Jan-27 13:17 UTC
[Bug 3528] New: ls hangs when using ldap groups
https://bugzilla.mindrot.org/show_bug.cgi?id=3528
Bug ID: 3528
Summary: ls hangs when using ldap groups
Product: Portable OpenSSH
Version: 8.2p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sftp-server
Assignee: unassigned-bugs at mindrot.org
Reporter: kasper_steengaard at hotmail.com
On Ubuntu 20.04.4 LTS
Configured the sftp server with chrootDirectory like so:
/etc/ssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp -l DEBUG
GSSAPIAuthentication yes
Match Group MyGroup
ChrootDirectory /mychroot
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
My /etc/nsswitch contains
group: files systemd sss ldap
Users accessing the sftp are authenticated against an AD, but the access
groups come from another LDAP server.
When I log in to the sftp server and execute an ls command, it takes way
too long.
I did a strace on the sftp process, in which I can see it trying to
access the following files.
openat(AT_FDCWD, "/run/systemd/userdb/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
stat("/etc/ldap.conf", 0x7ffea7282230) = -1 ENOENT (No such file or directory)
stat("/etc/resolv.conf", 0x7ffea7282770) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/var/lib/sss/mc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
I figured out that if an empty ldap.conf is placed in /mychroot/etc/,
the ls command responds fast, and the access control (based on the LDAP
groups) is still working (I made sure to do a sss_cache -E to clear the
cache between tests).
The LDAP server is defined in /etc/ldap.conf with an FQDN that is
resolved by the DNS server.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Jan-30 06:37 UTC
[Bug 3528] ls hangs in internal-sftp when using ldap groups
https://bugzilla.mindrot.org/show_bug.cgi?id=3528
Kaper <kasper_steengaard at hotmail.com> changed:
What     | Removed                         | Added
---------|---------------------------------|------------------------------------------------
Summary  | ls hangs when using ldap groups | ls hangs in internal-sftp when using ldap groups
bugzilla-daemon at mindrot.org
2023-Feb-10 03:53 UTC
[Bug 3528] ls hangs in internal-sftp when using ldap groups
https://bugzilla.mindrot.org/show_bug.cgi?id=3528
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WONTFIX
Status|NEW |RESOLVED
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Generally, sshd has no visibility into or control over what libc/NSS
does behind the scenes to implement getpwuid() etc.
So if you've configured your libc/NSS to use pipes/sockets/network
resources that are unavailable in the chroot there is nothing that sshd
or sftp-server can really do to solve this.
Typically, fixing this means configuring libc/NSS to work properly both
inside and outside the chroot, but by the 2nd last paragraph it looks
like you figured this out already.
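The strace excerpt in the report and Damien's comment make the same point from two sides: once sshd has chrooted the session, every NSS lookup that getpwuid()/getgrgid() triggers (files, sss, ldap, resolver) sees /mychroot/etc, /mychroot/run and /mychroot/var/lib/sss instead of the real ones, and a module that cannot find its config or socket may fall back to a slow timeout rather than failing fast. The POSIX shell script below is an added diagnostic, not code from the bug report or from OpenSSH: it extracts every path that returned ENOENT from an strace capture (a constructed sample modelled on the report's lines is embedded) and reports which of those paths are still absent under a given ChrootDirectory, so an administrator can see exactly what the chrooted sftp-server is missing before deciding what to provision (the empty ldap.conf in the report, a copy of resolv.conf, or dropping a network-dependent module from the chrooted lookup). The function names and the sample strace text are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenSSH). Find the files that NSS
# lookups inside a ChrootDirectory failed to open, and check them against a
# candidate chroot tree.

# Constructed sample, modelled on the strace lines in the report.
SAMPLE_STRACE='openat(AT_FDCWD, "/run/systemd/userdb/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
stat("/etc/ldap.conf", 0x7ffea7282230) = -1 ENOENT (No such file or directory)
stat("/etc/resolv.conf", 0x7ffea7282770) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/var/lib/sss/mc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)'

# enoent_paths: read strace text on stdin and print, one per line and
# de-duplicated, the first quoted path of every syscall that returned ENOENT.
# Covers openat/stat paths as well as the sun_path of a failed connect().
enoent_paths() {
    grep 'ENOENT' | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p' | sort -u
}

# missing_in_chroot CHROOT: for each ENOENT path read from stdin, print the
# ones that still do not exist when resolved relative to CHROOT, i.e. the view
# the chrooted internal-sftp process actually has.
missing_in_chroot() {
    chroot_dir=$1
    enoent_paths | while IFS= read -r p; do
        [ -e "${chroot_dir}${p}" ] || printf '%s\n' "$p"
    done
}

# Stand-alone use: feed a real capture, e.g.
#   strace -f -o /tmp/sftp.trace -p <sftp-server pid>
#   missing_in_chroot /mychroot < /tmp/sftp.trace
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_STRACE" | missing_in_chroot "${2:-/mychroot}"
fi
```

A path that is listed but should never be reachable from inside the chroot (the sssd pipe, the systemd userdb directory) is a sign that the chrooted lookup path should be trimmed rather than that the socket should be bind-mounted in; a path such as /etc/resolv.conf or /etc/ldap.conf that the module needs to fail fast is what to copy or stub.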
bugzilla-daemon at mindrot.org
2023-Mar-17 02:40 UTC
[Bug 3528] ls hangs in internal-sftp when using ldap groups
https://bugzilla.mindrot.org/show_bug.cgi?id=3528
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
OpenSSH 9.3 has been released. Close resolved bugs.