bugzilla-daemon at mindrot.org
2023-Jan-27 13:17 UTC
[Bug 3528] New: ls hangs when using ldap groups
https://bugzilla.mindrot.org/show_bug.cgi?id=3528

Bug ID: 3528
Summary: ls hangs when using ldap groups
Product: Portable OpenSSH
Version: 8.2p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sftp-server
Assignee: unassigned-bugs at mindrot.org
Reporter: kasper_steengaard at hotmail.com

On Ubuntu 20.04.4 LTS

Configured the sftp server with chrootDirectory like so:

/etc/ssh/sshd_config

ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp -l DEBUG
GSSAPIAuthentication yes
Match Group MyGroup
    ChrootDirectory /mychroot
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

My /etc/nsswitch contains

group: files systemd sss ldap

Users accessing the sftp are authenticated against an AD, but the access groups come from another LDAP server.

When I log in to the sftp server and execute an ls command it takes way too long.

I did a strace on the sftp process, in which I can see it tries to access the following files.

openat(AT_FDCWD, "/run/systemd/userdb/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
stat("/etc/ldap.conf", 0x7ffea7282230) = -1 ENOENT (No such file or directory)
stat("/etc/resolv.conf", 0x7ffea7282770) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/var/lib/sss/mc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

I figured out that if an empty ldap.conf is placed in /mychroot/etc/ the ls command responds fast, and the access control (based on the LDAP groups) is still working (I made sure to do a sss_cache -E to clear the cache between tests).

The ldap server is defined in /etc/ldap.conf with a fqdn that is resolved by the DNS server.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Jan-30 06:37 UTC
[Bug 3528] ls hangs in internal-sftp when using ldap groups
https://bugzilla.mindrot.org/show_bug.cgi?id=3528

Kaper <kasper_steengaard at hotmail.com> changed:

           What    |Removed                   |Added
----------------------------------------------------------------------------
           Summary |ls hangs when using ldap  |ls hangs in internal-sftp
                   |groups                    |when using ldap groups
bugzilla-daemon at mindrot.org
2023-Feb-10 03:53 UTC
[Bug 3528] ls hangs in internal-sftp when using ldap groups
https://bugzilla.mindrot.org/show_bug.cgi?id=3528

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                   |Added
----------------------------------------------------------------------------
        Resolution |---                       |WONTFIX
            Status |NEW                       |RESOLVED
                CC |                          |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---

Generally, sshd has no visibility into or control over what libc/NSS does behind the scenes to implement getpwuid() etc. So if you've configured your libc/NSS to use pipes/sockets/network resources that are unavailable in the chroot there is nothing that sshd or sftp-server can really do to solve this.

Typically, fixing this means configuring libc/NSS to work properly both inside and outside the chroot, but by the 2nd last paragraph it looks like you figured this out already.
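The failure mode in this thread is generic: a process inside ChrootDirectory still runs every NSS module named in nsswitch.conf, so each file and socket those modules open has to exist relative to the chroot, or the lookup stalls until its timeouts expire. The script below is an added example, not code from OpenSSH or from anyone in this thread. It audits a chroot for the paths that showed up in the reporter's strace output and shows the effect of the reporter's workaround (an empty ldap.conf inside the chroot). The module-to-path table in it is taken only from those strace lines and is an assumption, not a complete list of what the glibc files, systemd, sss and ldap NSS modules open; the mock chroot it builds under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from OpenSSH or the bug reporter): audit an sftp
# ChrootDirectory for the NSS-related paths seen in the strace output above.

# Module -> paths table. Assumption: derived only from the strace lines in
# the report; the real NSS modules may open more than this.
nss_paths_for() {
    case "$1" in
        files)   echo "/etc/passwd /etc/group" ;;
        systemd) echo "/run/systemd/userdb" ;;
        sss)     echo "/var/lib/sss/mc/group /var/lib/sss/pipes/nss" ;;
        ldap)    echo "/etc/ldap.conf /etc/resolv.conf /etc/hosts" ;;
        *)       echo "" ;;
    esac
}

# Print the modules listed on the "group:" line of an nsswitch.conf file.
nss_group_modules() {
    awk '$1 == "group:" { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1"
}

# chroot_nss_missing CHROOT NSSWITCH
# Prints one line per path that a configured group: module would try to
# open but which does not exist under CHROOT. Returns 0 when nothing is missing.
chroot_nss_missing() {
    cnm_root=$1
    cnm_missing=0
    for cnm_mod in $(nss_group_modules "$2"); do
        for cnm_path in $(nss_paths_for "$cnm_mod"); do
            if [ ! -e "$cnm_root$cnm_path" ]; then
                echo "$cnm_mod: $cnm_root$cnm_path"
                cnm_missing=1
            fi
        done
    done
    return $cnm_missing
}

# Constructed mock of /mychroot: only the files an sftp-only chroot usually
# gets (passwd and group) plus a copy of the reporter's nsswitch group: line.
make_mock_chroot() {
    mc_root=$(mktemp -d)
    mkdir -p "$mc_root/etc"
    : > "$mc_root/etc/passwd"
    : > "$mc_root/etc/group"
    # stand-in for the host's /etc/nsswitch.conf
    printf 'passwd: files systemd sss ldap\ngroup: files systemd sss ldap\n' \
        > "$mc_root/nsswitch.conf"
    echo "$mc_root"
}

# Number of missing paths for a chroot; used by the demo and the checks.
count_missing() {
    chroot_nss_missing "$1" "$2" | wc -l | tr -d ' '
}

demo_root=$(make_mock_chroot)
echo "Missing under $demo_root before the workaround:"
chroot_nss_missing "$demo_root" "$demo_root/nsswitch.conf" || true
# The reporter's workaround: an empty ldap.conf inside the chroot.
: > "$demo_root/etc/ldap.conf"
echo "After adding etc/ldap.conf: $(count_missing "$demo_root" "$demo_root/nsswitch.conf") paths still missing"
rm -rf "$demo_root"
```

Point it at the real chroot and the host's nsswitch.conf (chroot_nss_missing /mychroot /etc/nsswitch.conf) to get the list for a live system. The check only tests existence: a socket path that exists with nothing listening on it, or a resolv.conf that names a DNS server the chrooted process cannot reach, will still stall the lookup, which is why a module either needs its resources made available inside the chroot or needs to be dropped from the nsswitch line for that lookup.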
bugzilla-daemon at mindrot.org
2023-Mar-17 02:40 UTC
[Bug 3528] ls hangs in internal-sftp when using ldap groups
https://bugzilla.mindrot.org/show_bug.cgi?id=3528

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                   |Added
----------------------------------------------------------------------------
            Status |RESOLVED                  |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---

OpenSSH 9.3 has been released. Close resolved bugs