Bug 2384 - AllowUsers doesn't allow users sssd domain users with @ in
Status: NEW
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 6.6p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2015-04-17 21:47 AEST by Björn Jacke
Modified: 2015-04-17 21:47 AEST
Description Björn Jacke 2015-04-17 21:47:34 AEST
sssd users from an Active Directory have the syntax accountname@domain.realm

They can also be aliased to domain\accountname and optionally just to "accountname". In any case, when you run getent on any of those names you get back the real username "accountname@domain.realm", like here:

# getent passwd bjacke
bjacke@comp.private:*:83542:100:bjacke:/home/comp.private/bjacke:/bin/bash

# getent passwd comp\\bjacke
bjacke@comp.private:*:83542:100:bjacke:/home/comp.private/bjacke:/bin/bash

I see two problems here:

1) Even if users log on with the "fully qualified name" accountname@domain.realm, it is not possible to limit logons via AllowUsers, because the @ is a delimiter for the hostname here and I don't see how the @ could be quoted or so.

2) if the user logs on with an alias name then sshd should normalize the name by asking nsswitch like in the above case, to see that bjacke is actually bjacke@comp.private

When I log on as bjacke (who is bjacke@comp.private really) in the sshd log I see:

Postponed keyboard-interactive for invalid user bjacke from 127.0.0.1

even though I set "AllowUsers bjacke". So maybe bjacke is normalized to the real "bjacke@comp.private" name and just the log output is confusing. But even then still the problem remains that there is no way to define a user with @ in AllowUsers...
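To make the first problem concrete, here is a small Python model of how sshd evaluates AllowUsers entries. It is an added illustration, not code from OpenSSH or from the reporter; it follows the behaviour of OpenSSH's `match_user()` in match.c as I recall it (an entry is split at its first `@` into a user pattern and a host pattern, each matched with `*`/`?` wildcards, and the user name compared is the one from the passwd entry). The host side is simplified to a single string (real sshd matches hostname or IP, with CIDR support), and the user name and client address are constructed from the getent output and log line in the report.

```python
"""Model of sshd's AllowUsers matching (added illustration, not OpenSSH code).

Assumption: an entry containing '@' is split at the FIRST '@' into a user
pattern and a host pattern; both are glob patterns ('*' and '?').  There is
no quoting or escaping of '@' in the entry syntax, which is the point of the
report.  The host side is simplified to one string.
"""
from fnmatch import fnmatchcase

# Constructed from the report: the canonical name sssd returns via getent,
# and the client address seen in the sshd log line.
CANONICAL_USER = "bjacke@comp.private"
CLIENT_HOST = "127.0.0.1"


def split_entry(entry):
    """Split an AllowUsers entry at its first '@'.

    Returns (user_pattern, host_pattern); host_pattern is None when the entry
    contains no '@'.  A second '@' simply ends up inside the host pattern.
    """
    if "@" not in entry:
        return entry, None
    user_pat, host_pat = entry.split("@", 1)
    return user_pat, host_pat


def match_entry(user, host, entry):
    """True if the canonical user name and client host satisfy one entry."""
    user_pat, host_pat = split_entry(entry)
    if not fnmatchcase(user, user_pat):
        return False
    return host_pat is None or fnmatchcase(host, host_pat)


def user_allowed(user, host, allow_users):
    """Emulate the AllowUsers decision: any matching entry permits the login."""
    return any(match_entry(user, host, e) for e in allow_users)


def explain(user, host, allow_users):
    """Return (entry, user_pattern, host_pattern, matched) rows for review."""
    return [(e, *split_entry(e), match_entry(user, host, e)) for e in allow_users]


if __name__ == "__main__":
    candidates = [
        "bjacke",                          # what the reporter configured
        "bjacke@comp.private",             # the literal canonical name
        "bjacke@comp.private@127.0.0.1",   # second '@' lands in the host part
        "bjacke?comp.private",             # '?' stands in for the '@' in the name
    ]
    for entry, upat, hpat, ok in explain(CANONICAL_USER, CLIENT_HOST, candidates):
        print(f"{entry!r:36} user={upat!r:24} host={hpat!r:26} -> {ok}")
```

Under this model `AllowUsers bjacke` fails because sshd compares the canonical passwd name `bjacke@comp.private`, not the `bjacke` the client typed; the "invalid user bjacke" log line shows the client-supplied name, which is consistent with what the report observes. `AllowUsers bjacke@comp.private` also fails, since the entry is read as user `bjacke` from host `comp.private`. The model does show that a pattern without any `@`, such as `bjacke?comp.private`, matches the canonical name because `?` matches one arbitrary character; whether that is acceptable depends on how tightly the pattern must fit. Configuration-level alternatives that avoid the issue altogether are restricting by group with `AllowGroups`, or telling sssd not to canonicalize to fully qualified names (`use_fully_qualified_names = False` in sssd.conf), so that the passwd name sshd sees has no `@`.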