
Bug 627057

Summary: SSH_Filter usage undocumented, not intuitive
Product: [Fedora] Fedora
Reporter: Brian LaMere <brianlamere>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: low
Version: 13
CC: jchadima, mgrepl, tmraz
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-08-25 13:31:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Description Brian LaMere 2010-08-24 20:01:49 EDT
Description of problem:

openssh-ldap group filter is undocumented

Version-Release number of selected component (if applicable):

openssh-ldap-5.6p1-1.fc15.i686

How reproducible:


Steps to Reproduce:
1. setting SSH_Filter to the group dn, the group cn, and just the naked group name itself does not seem to work
2.
3.
  
Actual results:

Running:
/usr/libexec/openssh/ssh-ldap-helper -f /etc/openldap/ldap.conf -s %u

produces no results.

Expected results:

members of the SSH_Filter group should function

Additional info:

I know this isn't a bug, but it isn't documented at all that I can see and I can't determine the "correct" thing to put there.

Note that the LDAP server is 389 Directory Server, and the NSS info is being served by sssd.  The user mapping works fine, and ssh-ldap-helper gets keys if I remove the filter completely.  If necessary, I can simply add the following line to pam.d/system-auth to have the desired result; I would just like to do it the way you seem to be intending.

auth        requisite     pam_succeed_if.so user ingroup (groupname) quiet_success
Comment 1 Jan F. Chadima 2010-08-25 07:31:41 EDT
The filter syntax is plain LDAP filter syntax; this string is pasted as-is at the end of the search string.
Comment 2 Brian LaMere 2010-08-25 13:31:27 EDT
Running "ssh-ldap-helper -vvv" I see where I was confused; like you said, it's just being added to the filter.

debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=testuser)(&(cn=testgroup)(objectClass=posixgroup)))

Obviously ldap doesn't do joins, so there's nothing that can be added to the filter to search for secondary groups; the posixAccount objectclass doesn't even have a "secondarygroups" attribute.

This can be closed; SSH_Filter is used for something different than what I thought.  I can just use AllowGroups in sshd_config instead, or the pam_succeed_if addition to system-auth.
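As an added illustration (not part of this bug report and not code from openssh-ldap), the following Python models what the debug3 line in comment 2 shows: SSH_Filter is spliced verbatim into one posixAccount search, so a group clause inside it can only ever match the user entry itself and returns nothing. The constructed directory entries, the helper's filter shape (copied from the debug3 line), and the separate posixGroup/memberUid membership query used as the second step are assumptions made for the example.

```python
import re

# Constructed sample directory (not real data): two posixAccount users and one
# posixGroup, in the shape of the reporter's 389-DS tree. Attribute names are
# lower-cased so that matching is case-insensitive, as in LDAP.
def _entry(dn, **attrs):
    entry = {"dn": [dn]}
    for name, values in attrs.items():
        entry[name.lower()] = list(values)
    return entry

DIRECTORY = [
    _entry("uid=testuser,ou=People,dc=example,dc=com",
           objectClass=["posixAccount", "ldapPublicKey"], uid=["testuser"],
           gidNumber=["1000"],
           sshPublicKey=["ssh-ed25519 AAAAC3EXAMPLEKEY testuser@example.com"]),
    _entry("uid=other,ou=People,dc=example,dc=com",
           objectClass=["posixAccount", "ldapPublicKey"], uid=["other"],
           gidNumber=["1000"],
           sshPublicKey=["ssh-ed25519 AAAAC3EXAMPLEKEY2 other@example.com"]),
    _entry("cn=testgroup,ou=Groups,dc=example,dc=com",
           objectClass=["posixGroup"], cn=["testgroup"], gidNumber=["2000"],
           memberUid=["testuser"]),
]

def escape_filter_value(value):
    # RFC 4515 escaping for a value spliced into a filter (here the %u username),
    # so that a crafted name cannot change the structure of the search filter.
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _unescape(value):
    # Turn RFC 4515 hex escapes (\2a, \28, \29, \5c, \00) back into characters.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse a (subset of an) RFC 4515 filter: &, |, !, equality and presence."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1, (op, children)
    if s[i] == "!":
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1, ("!", [child])
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("only equality and presence items are supported")
    if value == "*":
        return end + 1, ("present", attr.lower())
    return end + 1, ("=", (attr.lower(), _unescape(value).lower()))

def matches(node, entry):
    op, arg = node
    if op == "&":
        return all(matches(child, entry) for child in arg)
    if op == "|":
        return any(matches(child, entry) for child in arg)
    if op == "!":
        return not matches(arg[0], entry)
    if op == "present":
        return bool(entry.get(arg))
    attr, value = arg
    return any(v.lower() == value for v in entry.get(attr, []))

def search(filter_str, directory=DIRECTORY):
    node = parse_filter(filter_str)
    return [entry for entry in directory if matches(node, entry)]

# Filter shape copied from the debug3 line in comment 2: SSH_Filter is appended
# verbatim inside the outer AND of the per-user posixAccount search.
def compose_helper_filter(user, ssh_filter=""):
    return ("(&(objectclass=posixAccount)(objectclass=ldapPublicKey)"
            f"(uid={escape_filter_value(user)}){ssh_filter})")

def fetch_keys(user, ssh_filter=""):
    keys = []
    for entry in search(compose_helper_filter(user, ssh_filter)):
        keys.extend(entry.get("sshpublickey", []))
    return keys

# LDAP has no joins: secondary-group membership needs a second query against
# the posixGroup entry (assumed schema: memberUid holds the member's uid).
def user_in_group(user, group):
    return bool(search("(&(objectClass=posixGroup)(cn=%s)(memberUid=%s))"
                       % (escape_filter_value(group), escape_filter_value(user))))

def fetch_keys_if_member(user, group):
    return fetch_keys(user) if user_in_group(user, group) else []

if __name__ == "__main__":
    group_filter = "(&(cn=testgroup)(objectClass=posixgroup))"
    print(compose_helper_filter("testuser", group_filter))
    print("with group clause in SSH_Filter:", fetch_keys("testuser", group_filter))
    print("membership checked separately:", fetch_keys_if_member("testuser", "testgroup"))
```

Running the block prints the exact filter from the debug3 output, an empty key list for it, and the key for testuser once membership is checked with its own query. The escaping helper is a defensive detail the report does not discuss: a username containing `*` or `)` must not be able to turn the `uid=` item into a presence match or close the filter early.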
Comment 3 Jan F. Chadima 2010-08-26 03:36:37 EDT
If you have an idea how to make the documentation better, send it, please.