Bug 1283011 - RFE: add debugging in openssh group matching code
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Assigned To: Jakub Jelen
QA Contact: BaseOS QE Security Team
Keywords: FutureFeature
Reported: 2015-11-17 22:01 EST by Paul Wayper
Modified: 2016-10-24 15:41 EDT
Doc Type: Enhancement
Last Closed: 2016-10-24 15:41:55 EDT
Type: Bug
Attachments: None

Description Paul Wayper 2015-11-17 22:01:52 EST
Description of problem:

If for some reason the group matching fails (e.g. the AllowGroups option is set but the user is not in a group listed), sshd logs information that the user is not in the group listed.  However, we don't see any information about what groups sshd sees the user as in, nor what patterns are being matched to.

This request for enhancement seeks to add this debugging information to the ga_match() function in groupaccess.c.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set 'AllowGroups test_group "domain user group"' in the /etc/ssh/sshd_config file
2. Set 'LogLevel Debug3' in the /etc/ssh/sshd_config file.
3. Restart sshd.
4. Attempt to log in with a user in the 'users' group.

Actual results:

5. Remain puzzled

Expected results:

5. Find out that the "domain user group" is never being pulled from the group list and so never matches.  Or something.

Additional info:
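To illustrate what the requested debugging would look like, here is a small stand-alone mock of the AllowGroups check (added example, not code from OpenSSH or from this report). It assumes a simplified glob matcher in place of OpenSSH's match_pattern(), a hypothetical ga_match_verbose() function, and an invented debug-line format; the group list and AllowGroups line are constructed from the reproduction steps above.

```c
#include <stdio.h>

/* Minimal '*' / '?' glob matcher; a simplified stand-in for OpenSSH's match_pattern(). */
static int match_pattern(const char *s, const char *p)
{
    for (;;) {
        if (*p == '\0')
            return *s == '\0';
        if (*p == '*') {
            while (*p == '*') p++;
            if (*p == '\0') return 1;
            for (; *s != '\0'; s++)
                if (match_pattern(s, p)) return 1;
            return 0;
        }
        if (*s == '\0' || (*p != '?' && *p != *s))
            return 0;
        s++, p++;
    }
}

/* Returns 1 if any of the user's groups matches any AllowGroups pattern, else 0.
 * Besides the verdict sshd already logs, it prints the full group list and every
 * pattern/group comparison, which is the information this RFE asks for. */
int ga_match_verbose(const char *user, const char *const *groups, int ngroups,
                     const char *const *patterns, int npatterns)
{
    fprintf(stderr, "debug3: user %s is in %d group(s):", user, ngroups);
    for (int i = 0; i < ngroups; i++)
        fprintf(stderr, " \"%s\"", groups[i]);
    fputc('\n', stderr);
    for (int j = 0; j < npatterns; j++)
        for (int i = 0; i < ngroups; i++) {
            int hit = match_pattern(groups[i], patterns[j]);
            fprintf(stderr, "debug3: pattern \"%s\" vs group \"%s\": %s\n",
                    patterns[j], groups[i], hit ? "match" : "no match");
            if (hit) return 1;
        }
    fprintf(stderr, "debug1: user %s matched no AllowGroups pattern\n", user);
    return 0;
}

int main(void)
{
    /* Constructed sample: the AllowGroups line from the reproduction steps and a user only in 'users'. */
    const char *groups[] = { "users" };
    const char *patterns[] = { "test_group", "domain user group" };
    return ga_match_verbose("alice", groups, 1, patterns, 2) ? 0 : 1;
}
```

With this output a reader can see at once that "domain user group" is being compared but is simply absent from the group list sshd resolved for the user.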
Comment 2 Sumit Bose 2015-11-18 03:52:32 EST
Changing the component to openssh. If I understood the description correctly this is a request to improve the debug messages of sshd from the OpenSSH package, so nothing we can help with from the SSSD side. Feel free to move it back to SSSD if I failed to understand the request.
Comment 4 Paul Wayper 2015-11-18 23:05:26 EST
Hi Jakub, Sumit,

Yes, this is the container bug for the upstream suggestions for debugging in OpenSSH.

There is a related bug for sssd:


Which was closed and linked to another bug:


but I don't understand why.  The problems in the given cases don't seem to be related to replication or HBAC processing.  I'm corresponding with Jakub Hrozek about this.

Hope this helps,

Comment 5 Paul Wayper 2015-11-19 00:19:56 EST
No, stupid me, 1201977 is not the bug I was looking for.  Maybe I didn't log a bug for it after all.  I'll fix that now.


Hope this helps,

Comment 6 Paul Wayper 2015-11-19 00:21:16 EST
Nope, wrong again, this one:


Hope this helps,

Comment 7 Jakub Hrozek 2015-11-19 03:53:58 EST
(In reply to Paul Wayper from comment #6)
> Nope, wrong again, this one:
> https://bugzilla.redhat.com/show_bug.cgi?id=1283477
> Hope this helps,
> Paul

This is a legitimate SSSD bug that needs more data (logs, cache dump) to proceed. Nothing specific to SSH.
