Bug 3528 - ls hangs in internal-sftp when using ldap groups
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sftp-server
Version: 8.2p1
Hardware: All Linux
Importance: P5 normal
Assignee: Assigned to nobody
Reported: 2023-01-28 00:17 AEDT by Kaper
Modified: 2023-03-17 13:40 AEDT
Description Kaper 2023-01-28 00:17:54 AEDT
On Ubuntu 20.04.4 LTS
Configured the sftp server with chrootDirectory like so:

/etc/ssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp -l DEBUG
GSSAPIAuthentication yes

Match Group MyGroup
  ChrootDirectory /mychroot
  ForceCommand internal-sftp
  X11Forwarding no
  AllowTcpForwarding no


My /etc/nsswitch contains 
group:   files systemd sss ldap

Users accessing the sftp are authenticated against an AD, but the access groups come from another LDAP server.


When I log in to the sftp server and execute an ls command it takes way too long.

I did a strace on the sftp process, in which I can see it tries to access the following files.

openat(AT_FDCWD, "/run/systemd/userdb/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
stat("/etc/ldap.conf", 0x7ffea7282230)  = -1 ENOENT (No such file or directory)
stat("/etc/resolv.conf", 0x7ffea7282770) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/var/lib/sss/mc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)


I figured out that if an empty ldap.conf is placed in /mychroot/etc/ the ls command responds fast, and the access control (based on the LDAP groups) is still working (I made sure to do a sss_cache -E to clear the cache between tests).
 
The ldap server is defined in /etc/ldap.conf with a fqdn that is resolved by the DNS server.
Comment 1 Damien Miller 2023-02-10 14:53:16 AEDT
Generally, sshd has no visibility into or control over what libc/NSS does behind the scenes to implement getpwuid() etc. 

So if you've configured your libc/NSS to use pipes/sockets/network resources that are unavailable in the chroot there is nothing that sshd or sftp-server can really do to solve this.

Typically, fixing this means configuring libc/NSS to work properly both inside and outside the chroot, but by the 2nd last paragraph it looks like you figured this out already.
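As an added helper, not part of the bug report or of OpenSSH, the following script turns the diagnosis above into a repeatable check: it parses strace output for the paths that failed with ENOENT (the lookups libc/NSS makes for group resolution, as in the reporter's trace) and lists which of them are still absent under a given ChrootDirectory. The strace sample is constructed from the lines in the report; the chroot path is whatever you pass in.

```shell
#!/bin/sh
# Audit a ChrootDirectory for the files libc/NSS tried and failed to open.
# STRACE_SAMPLE is constructed from the strace lines in the bug report;
# in practice feed the real trace of the internal-sftp process instead.
STRACE_SAMPLE='openat(AT_FDCWD, "/run/systemd/userdb/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
stat("/etc/ldap.conf", 0x7ffea7282230)  = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3'

# Read strace text on stdin; print each distinct quoted path whose
# syscall returned ENOENT, one per line, sorted.
enoent_paths() {
    grep 'ENOENT' | sed -n 's/.*"\([^"]*\)".*/\1/p' | sort -u
}

# Read strace text on stdin; print the ENOENT paths that still do not
# exist under the chroot root given as $1 (e.g. /mychroot). Paths that
# the admin has already provided (such as an empty /etc/ldap.conf) are
# omitted, so an empty result means NSS finds everything it asked for.
chroot_missing() {
    root=$1
    enoent_paths | while IFS= read -r p; do
        [ -e "$root$p" ] || printf '%s\n' "$p"
    done
}

# Typical use on a live host:
#   strace -f -p <sftp pid> -o /tmp/sftp.trace   (run ls in the client)
#   chroot_missing /mychroot < /tmp/sftp.trace
```

Whether a listed path should be copied, bind-mounted or deliberately left out of the chroot is a per-site decision; the point of the check is to make the NSS dependencies visible before users hit the timeout.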
Comment 2 Damien Miller 2023-03-17 13:40:06 AEDT
OpenSSH 9.3 has been released. Close resolved bugs.