Bug 2497 - Add debugging information to ga_match() to show each attempted match
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.1p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2015-11-19 01:56 AEDT by Jakub Jelen
Modified: 2015-11-19 01:56 AEDT
Attachments
verbose group match logging (469 bytes, patch)
2015-11-19 01:56 AEDT, Jakub Jelen

Description Jakub Jelen 2015-11-19 01:56:24 AEDT
Created attachment 2752
verbose group match logging

When using identity management it can be tricky to debug non-local user logins, especially when many groups are used, as described in our Bugzilla [1] (related pull request on GitHub [2]).

The actual problem lies in sssd, but having this feature can help to debug and understand what is going on under the hood of sshd during login time and during group matching.

Steps to Reproduce:
1. Set 'AllowGroups test_group "domain user group"' in the /etc/ssh/sshd_config file.
2. Set 'LogLevel Debug3' in the /etc/ssh/sshd_config file.
3. Restart sshd.
4. Attempt to log in with a user in the 'users' group.

Actual results:
5. Remain puzzled

Expected results:
5. Find out that the "domain user group" is never being pulled from the group list and so never matches.  Or something.


Original patch is by Paul Wayper

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1283011
[2] https://github.com/openssh/openssh-portable/pull/33
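
A self-contained sketch of the per-comparison trace this report asks for, added here as an illustration; it is not the attached patch and not OpenSSH code. The function name `group_match_traced`, the log wording and the group lists are constructed, and POSIX `fnmatch()` stands in for sshd's own pattern matcher.

```c
#include <fnmatch.h>
#include <stdio.h>

static int attempts; /* comparisons made by the last call (illustration only) */

/* Returns 1 if any resolved group matches any configured pattern, logging
 * every comparison so a group that was never resolved is visibly absent. */
static int group_match_traced(const char *const *user_groups, int ngroups,
    const char *const *patterns, int npatterns)
{
	int i, j;

	attempts = 0;
	if (ngroups == 0)
		fprintf(stderr, "debug3: user has no resolved groups\n");
	for (i = 0; i < ngroups; i++) {
		for (j = 0; j < npatterns; j++) {
			/* Assumption: fnmatch() replaces sshd's pattern matcher. */
			int hit = fnmatch(patterns[j], user_groups[i], 0) == 0;

			attempts++;
			fprintf(stderr, "debug3: group \"%s\" vs pattern \"%s\": %s\n",
			    user_groups[i], patterns[j], hit ? "match" : "no match");
			if (hit)
				return 1;
		}
	}
	return 0;
}

/* Constructed sample data mirroring the steps to reproduce. */
static const char *const allow[] = { "test_group", "domain user group" };

/* Name service returned only local groups: the trace never mentions
 * "domain user group" on the left-hand side, and the login is refused. */
static int demo_missing(void)
{
	static const char *const resolved[] = { "users", "wheel" };
	return group_match_traced(resolved, 2, allow, 2);
}

/* Name service returned the domain group as well: the last comparison hits. */
static int demo_present(void)
{
	static const char *const resolved[] = { "users", "domain user group" };
	return group_match_traced(resolved, 2, allow, 2);
}

int main(void)
{
	printf("missing=%d present=%d\n", demo_missing(), demo_present());
	return 0;
}
```

In the first case the trace lists four failed comparisons, none of which involve the domain group as a resolved group, which points at the group lookup rather than at the `AllowGroups` pattern.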