Bug 1283011 - RFE: add debugging in openssh group matching code
Summary: RFE: add debugging in openssh group matching code
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.1
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Assignee: Jakub Jelen
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-11-18 03:01 UTC by Paul Wayper
Modified: 2019-09-12 09:19 UTC (History)
CC List: 10 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-24 19:41:55 UTC
Target Upstream Version:
Embargoed:



Description Paul Wayper 2015-11-18 03:01:52 UTC
Description of problem:

If for some reason the group matching fails (e.g. the AllowGroups option is set but the user is not in a group listed), sshd logs information that the user is not in the group listed.  However, we don't see any information about which groups sshd sees the user as belonging to, nor which patterns they are being matched against.

This request for enhancement seeks to add this debugging information to the ga_match() function in groupaccess.c.

Version-Release number of selected component (if applicable):

6.6.1p1

How reproducible:

Always

Steps to Reproduce:
1. Set 'AllowGroups test_group "domain user group"' in the /etc/ssh/sshd_config file.
2. Set 'LogLevel Debug3' in the /etc/ssh/sshd_config file.
3. Restart sshd.
4. Attempt to log in with a user in the 'users' group.

Actual results:

5. Remain puzzled

Expected results:

5. Find out that the "domain user group" is never being pulled from the group list and so never matches.  Or something.

Additional info:
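As an added example (not OpenSSH's code nor the reporter's), a ga_match()-style check that logs what this RFE asks for: which group names sshd saw for the user and which AllowGroups pattern each was compared with. It assumes shell-style wildcards via fnmatch(3) in place of OpenSSH's match_pattern(), plus a small parser for quoted group names such as "domain user group" in sshd_config.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Split an AllowGroups value into patterns; double quotes keep spaces, so
 * 'test_group "domain user group"' yields two. Patterns point into buf. */
static int parse_allowgroups(const char *line, char *buf, size_t buflen,
    char *patterns[], int max)
{
	int n = 0;
	char *p;
	if (strlen(line) >= buflen)
		return -1;
	strcpy(buf, line);
	for (p = buf; n < max;) {
		p += strspn(p, " \t");             /* skip blanks between patterns */
		if (*p == '\0')
			break;
		if (*p == '"') {
			patterns[n++] = ++p;           /* quoted: run to the closing quote */
			p += strcspn(p, "\"");
		} else {
			patterns[n++] = p;             /* bare: run to the next blank */
			p += strcspn(p, " \t");
		}
		if (*p != '\0')
			*p++ = '\0';                   /* terminate this pattern */
	}
	return n;
}

/* Like ga_match(): 1 if any of the user's groups matches any pattern, else 0.
 * fnmatch(3) stands in for match_pattern() (assumption: * and ? only). Every
 * comparison is logged, which is what a rejected AllowGroups login lacks today. */
static int debug_ga_match(char *const groups[], int ngroups,
    char *const patterns[], int npatterns)
{
	int i, j;
	for (i = 0; i < npatterns; i++)
		for (j = 0; j < ngroups; j++) {
			int hit = fnmatch(patterns[i], groups[j], 0) == 0;
			fprintf(stderr, "AllowGroups: group '%s' vs pattern '%s': %s\n",
			    groups[j], patterns[i], hit ? "match" : "no match");
			if (hit)
				return 1;
		}
	fprintf(stderr, "AllowGroups: none of %d groups matched\n", ngroups);
	return 0;
}
```

Feed it the group list from getgrouplist(3) for the connecting user and the AllowGroups line from sshd_config, and the log shows whether the quoted group ever appears in the list at all.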

Comment 2 Sumit Bose 2015-11-18 08:52:32 UTC
Changing the component to openssh. If I understood the description correctly this is a request to improve the debug messages of sshd from the OpenSSH package, so nothing we can help with from the SSSD side. Feel free to move it back to SSSD if I failed to understand the request.

Comment 4 Paul Wayper 2015-11-19 04:05:26 UTC
Hi Jakub, Sumit,

Yes, this is the container bug for the upstream suggestions for debugging in OpenSSH.

There is a related bug for sssd:

https://bugzilla.redhat.com/show_bug.cgi?id=1201977

Which was closed and linked to another bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1202245

but I don't understand why.  The problems in the given cases don't seem to be related to replication or HBAC processing.  I'm corresponding with Jakub Hrozek about this.

Hope this helps,

Paul

Comment 5 Paul Wayper 2015-11-19 05:19:56 UTC
No, stupid me, 1201977 is not the bug I was looking for.  Maybe I didn't log a bug for it after all.  I'll fix that now.

https://bugzilla.redhat.com/show_bug.cgi?id=1273633

Hope this helps,

Paul

Comment 6 Paul Wayper 2015-11-19 05:21:16 UTC
Nope, wrong again, this one:

https://bugzilla.redhat.com/show_bug.cgi?id=1283477

Hope this helps,

Paul

Comment 7 Jakub Hrozek 2015-11-19 08:53:58 UTC
(In reply to Paul Wayper from comment #6)
> Nope, wrong again, this one:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1283477
> 
> Hope this helps,
> 
> Paul

This is a legitimate SSSD bug that needs more data (logs, cache dump) to proceed. Nothing specific to SSH.

