Bug 938

Summary: "AllowGroups" option and secondary user's groups limit
Product: Portable OpenSSH Reporter: Juri Malinovski <coil93>
Component: sshdAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED INVALID    
Severity: major    
Priority: P2    
Version: 3.9p1   
Hardware: ix86   
OS: Linux   
Attachments:
Description Flags
sshd -ddde output
none
Add some instrumentation to ga_match()
none
ga_match() debug output
none
Add debugging to ga_init.
none
ga_init() debug output
none
test program for getgrouplist none

Description Juri Malinovski 2004-10-03 03:11:39 AEST 
Linux Suse 9.1, nss_ldap version 215, pam_ldap version 169, openldap version 2.
2.17

OpenSSH can't handle more than 5 groups via pam_ldap authentication.

For example: user john has primary group gr1 and belongs to secondary groups 
gr2,gr3,gr4,gr5 in LDAP database.

sshd_config:
AllowGroups 5
UsePAM yes

/etc/pam.d/sshd
auth     required       pam_unix2.so    # set_secrpc
auth     required       pam_nologin.so
auth     required       pam_env.so
account  required       pam_unix2.so
account  required       pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session  required       pam_unix2.so    none # trace or debug
session  required       pam_limits.so

/etc/nsswitch.conf
passwd_compat:  ldap
group_compat:   ldap

root@localhost> id john
root@localhost> uid=1023(john) gid=10(gr1) groups=10(gr1),5021(gr2),0(gr3),
1013(gr4),3455(gr5)

root@localhost> ssh -l john localhost
Password: *****
Have a lot of fan...
john@localhost>

Now add user john into additional group gr6
root@localhost> id john
root@localhost> uid=1023(john) gid=10(gr1) groups=10(gr1),5021(gr2),0(gr3),
1013(gr4),3455(gr5),3456(gr6)

root@localhost> ssh -l john localhost
Password: *****
Password: *****
Password: *****
Permission denied (publickey, keyboard-interactive)
root@localhost>

sshd debug:
Oct  2 20:06:35 linux sshd[8856]: debug1: userauth-request for user john 
service ssh-connection method keyboard-interactive
Oct  2 20:06:35 linux sshd[8856]: debug1: attempt 3 failures 3
Oct  2 20:06:35 linux sshd[8856]: debug2: input_userauth_request: try 
method keyboard-interactive
Oct  2 20:06:35 linux sshd[8856]: debug1: keyboard-interactive devs
Oct  2 20:06:35 linux sshd[8856]: debug1: auth2_challenge: user=john devs=
Oct  2 20:06:35 linux sshd[8856]: debug1: kbdint_alloc: devices 'pam'
Oct  2 20:06:35 linux sshd[8856]: debug2: auth2_challenge_start: devices 
pam
Oct  2 20:06:35 linux sshd[8856]: debug2: kbdint_next_device: devices 
<empty>
Oct  2 20:06:35 linux sshd[8856]: debug1: auth2_challenge_start: trying 
authentication method 'pam'
Oct  2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_init_ctx entering
Oct  2 20:06:35 linux PAM-warn[8860]: function=[pam_sm_authenticate] 
service=[sshd] terminal=[ssh] user=[john] ruser=[<unknown>] 
rhost=[127.0.0.1]
Oct  2 20:06:35 linux sshd[8860]: debug3: PAM: sshpam_thread_conv 
entering, 1 messages
Oct  2 20:06:35 linux sshd[8860]: debug3: ssh_msg_send: type 1
Oct  2 20:06:35 linux sshd[8860]: debug3: ssh_msg_recv entering
Oct  2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_query entering
Oct  2 20:06:35 linux sshd[8856]: debug3: ssh_msg_recv entering
Oct  2 20:06:35 linux sshd[8856]: Postponed keyboard-interactive for 
invalid user john from 127.0.0.1 port 32986 ssh2
Oct  2 20:06:35 linux sshd[8856]: debug2: auth2_challenge_start: devices 
<empty>Oct  2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_free_ctx 
entering
Oct  2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_thread_cleanup 
entering
Oct  2 20:06:35 linux sshd[8856]: Failed keyboard-interactive/pam for 
invalid user john from 127.0.0.1 port 32986 ssh2
Oct  2 20:06:35 linux sshd[8856]: Connection closed by 127.0.0.1
Oct  2 20:06:35 linux sshd[8856]: debug1: do_cleanup
Oct  2 20:06:35 linux sshd[8856]: debug1: PAM: cleanup
Oct  2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_thread_cleanup
Comment 1 Darren Tucker 2004-10-06 20:01:31 AEST 
Please attach (note: use create attachment do not paste it into the text field),
 a full debug trace from the server (/path/to/sshd -ddde).

Also, does the problem occur with 'UsePAM no" ?
Comment 2 Juri Malinovski 2004-10-09 05:57:42 AEST 
Created attachment 727 [details]
sshd -ddde output

With "UsePAM no" auth ok
Comment 3 Darren Tucker 2004-10-09 12:42:28 AEST 
Created attachment 728 [details]
Add some instrumentation to ga_match()

The user is being denied in the early stages (getpwnamallow) which is before
PAM is even initialized.  I can't figure out why sshd would behave differently
with and without PAM in this case.  I could imagine something in nss_ldap
causing it but in that case UsePAM should make no difference.

Attached is a patch that adds some debugging output to the group match
function.  Please apply it and run sshd in debug mode twice, once where it
works and once where it doesn't, then compare the "ga_match" sections of the
debug output and attach them to the bug (substitute the real group names for
fake ones if you need to, as long as you do it consistently :-).
Comment 4 Juri Malinovski 2004-10-09 21:42:39 AEST 
Created attachment 729 [details]
ga_match() debug output
Comment 5 Juri Malinovski 2004-10-09 21:50:46 AEST 
Comment on attachment 729 [details]
ga_match() debug output

Now auth failed with "UsePAM no" if user has access into g6 group
Comment 6 Darren Tucker 2004-10-09 22:21:09 AEST 
Created attachment 730 [details]
Add debugging to ga_init.

OK, so from that output it looks like either the OS is returning incomplete
data from getgrouplist or sshd's ga_init is not populating the groups_byname
list correctly.

Attached is another patch to add some debugging to ga_init, please apply and
run sshd in debug mode again and attach the ga_init bits.

It looks like it's not a PAM problem, anyway.
Comment 7 Juri Malinovski 2004-10-10 19:59:24 AEST 
Created attachment 731 [details]
ga_init() debug output
Comment 8 Darren Tucker 2004-10-10 20:47:13 AEST 
Created attachment 732 [details]
test program for getgrouplist

It appears that getgrouplist() is returning an incomplete list (with
duplicates) on your system.  Attached is a small test program that outputs the
contents of the list.  Does the group list output by it match the gids output
by the ga_init debugging?  eg:

$ gcc grouptest.c
$ ./a.out root
root 0 1 2 3 4 6 10
Comment 9 Juri Malinovski 2004-10-10 21:16:45 AEST 
Yes...that's right

>./a.out jm 
>jm 11 1107 1170 0 0 0 

ga_init() lookup
11
1107
1170
0
0
0
Comment 10 Darren Tucker 2004-10-10 21:26:06 AEST 
Yep, your getgrouplist is broken and you'll need to speak to your OS vendor
about it.
Comment 11 Juri Malinovski 2004-10-11 01:15:01 AEST 
The problem was in wrong nsswitch.conf, generated by Yast :E
Comment 12 Darren Tucker 2006-10-07 11:37:23 AEST 
Change all RESOLVED bug to CLOSED with the exception of the ones fixed post-4.4.