Bug 1283011

Summary: RFE: add debugging in openssh group matching code
Product: Red Hat Enterprise Linux 7
Reporter: Paul Wayper <pwayper>
Component: openssh
Assignee: Jakub Jelen <jjelen>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: medium
Version: 7.1
CC: cww, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sbose, tmraz
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Story Points: ---
Last Closed: 2016-10-24 19:41:55 UTC
Type: Bug
Regression: ---

Description Paul Wayper 2015-11-18 03:01:52 UTC
Description of problem:

If for some reason the group matching fails (e.g. the AllowGroups option is set but the user is not in a group listed), sshd logs information that the user is not in the group listed.  However, we don't see any information about what groups sshd sees the user as being in, nor what patterns they are being matched against.

This request for enhancement seeks to add this debugging information to the ga_match() function in groupaccess.c.

Version-Release number of selected component (if applicable):

6.6.1p1

How reproducible:

Always

Steps to Reproduce:
1. Set 'AllowGroups test_group "domain user group"' in the /etc/ssh/sshd_config file.
2. Set 'LogLevel Debug3' in the /etc/ssh/sshd_config file.
3. Restart sshd.
4. Attempt to log in with a user in the 'users' group.

Actual results:

5. Remain puzzled

Expected results:

5. Find out that the "domain user group" is never being pulled from the group list and so never matches.  Or something.

Additional info:
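As an added illustration, not code from this bug, from OpenSSH or from Red Hat, the stand-alone C program below models the nested loop in groupaccess.c's ga_match(), which tests each of the user's group names against each AllowGroups pattern, and adds the per-comparison debug3 trace this RFE asks for. Everything in it is an assumption of the example: glob_match() is a simplified '*'/'?' matcher standing in for OpenSSH's match_pattern(), the user's group list is constructed inline instead of being fetched with getgrouplist(), and the function names and log wording are the example's own.

```c
/*
 * Added example (not OpenSSH or Red Hat code): a model of sshd's AllowGroups
 * check with the per-comparison debug trace requested in this RFE.
 * Assumptions: glob_match() stands in for OpenSSH's match_pattern(); the
 * group list in main() is constructed rather than taken from getgrouplist().
 */
#include <stdio.h>

/* Minimal wildcard matcher: '*' matches any run of characters, '?' any one.
 * Stand-in for OpenSSH's match_pattern(); no character classes or negation. */
static int glob_match(const char *s, const char *p)
{
    while (*p != '\0') {
        if (*p == '*') {
            while (*p == '*')
                p++;
            if (*p == '\0')
                return 1;                 /* trailing '*' matches the rest */
            for (; *s != '\0'; s++)       /* try every possible split point */
                if (glob_match(s, p))
                    return 1;
            return 0;
        }
        if (*s == '\0' || (*p != '?' && *p != *s))
            return 0;
        s++;
        p++;
    }
    return *s == '\0';                    /* pattern exhausted: string must be too */
}

/*
 * Model of ga_match(): returns 1 if any of the user's group names matches any
 * AllowGroups pattern, else 0.  With verbose set, every comparison is logged,
 * which is the information the report says is missing at LogLevel DEBUG3:
 * which groups sshd saw the user in, and which patterns each was tested against.
 */
static int ga_match_debug(const char *const *user_groups, int ngroups,
                          const char *const *patterns, int npatterns, int verbose)
{
    for (int i = 0; i < ngroups; i++) {
        for (int j = 0; j < npatterns; j++) {
            int hit = glob_match(user_groups[i], patterns[j]);
            if (verbose)
                fprintf(stderr, "debug3: group \"%s\" vs AllowGroups \"%s\": %s\n",
                        user_groups[i], patterns[j], hit ? "match" : "no match");
            if (hit)
                return 1;
        }
    }
    if (verbose)
        fprintf(stderr, "debug3: none of the user's %d groups matched %d AllowGroups patterns\n",
                ngroups, npatterns);
    return 0;
}

int main(void)
{
    /* Constructed group list for a hypothetical directory-joined user. */
    const char *const user_groups[] = { "users", "domain users", "wheel" };
    int ngroups = 3;

    /* The patterns from the reproduction steps above. */
    const char *const allow_a[] = { "test_group", "domain user group" };
    /* A wildcard variant that does match one of the constructed groups. */
    const char *const allow_b[] = { "test_group", "domain*" };

    int a = ga_match_debug(user_groups, ngroups, allow_a, 2, 1);
    printf("AllowGroups test_group \"domain user group\": %s\n", a ? "allowed" : "denied");
    int b = ga_match_debug(user_groups, ngroups, allow_b, 2, 1);
    printf("AllowGroups test_group \"domain*\": %s\n", b ? "allowed" : "denied");
    return 0;
}
```

In the constructed scenario the first run is denied and the trace shows why: the group sshd sees is "domain users", which is not the configured "domain user group", so the admin is no longer left guessing whether the group was never fetched or simply never matched. The second run shows a wildcard pattern matching the same group list. Whether this is the actual cause in the reporter's environment is not something the example can tell; it only shows what the requested trace would make visible.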

Comment 2 Sumit Bose 2015-11-18 08:52:32 UTC
Changing the component to openssh. If I understood the description correctly this is a request to improve the debug messages of sshd from the OpenSSH package, so nothing we can help with from the SSSD side. Feel free to move it back to SSSD if I failed to understand the request.

Comment 4 Paul Wayper 2015-11-19 04:05:26 UTC
Hi Jakub, Sumit,

Yes, this is the container bug for the upstream suggestions for debugging in OpenSSH.

There is a related bug for sssd:

https://bugzilla.redhat.com/show_bug.cgi?id=1201977

Which was closed and linked to another bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1202245

but I don't understand why.  The problems in the given cases don't seem to be related to replication or HBAC processing.  I'm corresponding with Jakub Hrozek about this.

Hope this helps,

Paul

Comment 5 Paul Wayper 2015-11-19 05:19:56 UTC
No, stupid me, 1201977 is not the bug I was looking for.  Maybe I didn't log a bug for it after all.  I'll fix that now.

https://bugzilla.redhat.com/show_bug.cgi?id=1273633

Hope this helps,

Paul

Comment 6 Paul Wayper 2015-11-19 05:21:16 UTC
Nope, wrong again, this one:

https://bugzilla.redhat.com/show_bug.cgi?id=1283477

Hope this helps,

Paul

Comment 7 Jakub Hrozek 2015-11-19 08:53:58 UTC
(In reply to Paul Wayper from comment #6)
> Nope, wrong again, this one:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1283477
> 
> Hope this helps,
> 
> Paul

This is a legitimate SSSD bug that needs more data (logs, cache dump) to proceed. Nothing specific to SSH.