Bug 1283011 - RFE: add debugging in openssh group matching code
Summary: RFE: add debugging in openssh group matching code
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.1
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Jakub Jelen
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-11-18 03:01 UTC by Paul Wayper
Modified: 2019-09-12 09:19 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-24 19:41:55 UTC
Target Upstream Version:



Description Paul Wayper 2015-11-18 03:01:52 UTC
Description of problem:

If for some reason the group matching fails (e.g. the AllowGroups option is set but the user is not in a group listed), sshd logs information that the user is not in the group listed.  However, we don't see any information about what groups sshd sees the user as in, nor what patterns are being matched to.

This request for enhancement seeks to add this debugging information to the ga_match() function in groupaccess.c.

Version-Release number of selected component (if applicable):

6.6.1p1

How reproducible:

Always

Steps to Reproduce:
1. Set 'AllowGroups test_group "domain user group"' in the /etc/ssh/sshd_config file
2. Set 'LogLevel Debug3' in the /etc/ssh/sshd_config file.
3. Restart sshd.
4. Attempt to log in with a user in the 'users' group.

Actual results:

5. Remain puzzled

Expected results:

5. Find out that the "domain user group" is never being pulled from the group list and so never matches.  Or something.

Additional info:
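
The comparison the report is asking sshd to explain, reproduced outside sshd as an added example (this is not code from the bug or from OpenSSH). It assumes the glob semantics of OpenSSH's match_pattern() ('*' matches any run, '?' one character, case-sensitive), takes the user's group list from getgrouplist(3) through os.getgrouplist() as sshd's ga_init() does, and uses shlex as an approximation of sshd's quoted-argument parsing of the config line. The constructed group list ["users", "wheel"] stands in for the user of step 4.

```python
"""Outside-sshd reproduction of the AllowGroups check, with the detail this
RFE asks for: every group the user is in and every pattern tried.

Added example, not part of the bug report or of OpenSSH.  Assumptions:
the glob semantics ('*' any run, '?' one character, case-sensitive) follow
OpenSSH's match_pattern(); the user's groups come from getgrouplist(3) via
os.getgrouplist(), the same call sshd's ga_init() makes; shlex approximates
sshd's quoted-argument parsing of the config line.
"""
import grp
import os
import pwd
import shlex


def match_pattern(s, pattern):
    """'*' matches any run (including empty), '?' exactly one character."""
    i = j = 0
    while j < len(pattern):
        if pattern[j] == "*":
            while j < len(pattern) and pattern[j] == "*":
                j += 1
            if j == len(pattern):
                return True
            # try every possible suffix of s against the rest of the pattern
            return any(match_pattern(s[k:], pattern[j:]) for k in range(i, len(s) + 1))
        if i >= len(s):
            return False
        if pattern[j] != "?" and pattern[j] != s[i]:
            return False
        i += 1
        j += 1
    return i == len(s)


def parse_allow_groups(line):
    """Split an 'AllowGroups ...' config line into its patterns; quoted names stay whole."""
    key, *patterns = shlex.split(line)
    if key.lower() != "allowgroups":
        raise ValueError("not an AllowGroups line: %r" % line)
    return patterns


def user_groups(username):
    """Group names sshd would see for username, resolved through NSS."""
    pw = pwd.getpwnam(username)
    names = []
    for gid in os.getgrouplist(username, pw.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            # gid with no name in NSS: sshd could not match it by name either
            names.append("#%d" % gid)
    return names


def ga_match(groups, patterns):
    """Same loop order as OpenSSH ga_match(): user's groups outer, patterns inner.
    Returns the first (group, pattern) pair that matches, or None."""
    for g in groups:
        for p in patterns:
            if match_pattern(g, p):
                return (g, p)
    return None


def explain(groups, patterns):
    """The debug lines this RFE asks sshd to log: every comparison and its outcome."""
    lines = ["user's groups as seen by sshd: %s" % ", ".join(repr(g) for g in groups),
             "AllowGroups patterns: %s" % ", ".join(repr(p) for p in patterns)]
    for g in groups:
        for p in patterns:
            lines.append("group %r vs pattern %r: %s"
                         % (g, p, "MATCH" if match_pattern(g, p) else "no"))
    hit = ga_match(groups, patterns)
    lines.append("result: %s" % ("allowed via %r ~ %r" % hit if hit
                                 else "denied, no group matched"))
    return lines


if __name__ == "__main__":
    import sys
    patterns = parse_allow_groups('AllowGroups test_group "domain user group"')  # the bug's config
    if len(sys.argv) > 1:
        groups = user_groups(sys.argv[1])   # live lookup through NSS (e.g. sssd)
    else:
        groups = ["users", "wheel"]         # constructed, like the user of step 4
    print("\n".join(explain(groups, patterns)))
```

Run with a username as the argument to see the group list exactly as NSS returns it to a getgrouplist(3) caller; if a group that `AllowGroups` names is missing from that list, the problem is in group resolution rather than in sshd's matching, which is the distinction the report is trying to make.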

Comment 2 Sumit Bose 2015-11-18 08:52:32 UTC
Changing the component to openssh. If I understood the description correctly this is a request to improve the debug messages of sshd from the OpenSSH package, so nothing we can help with from the SSSD side. Feel free to move it back to SSSD if I failed to understand the request.

Comment 4 Paul Wayper 2015-11-19 04:05:26 UTC
Hi Jakub, Sumit,

Yes, this is the container bug for the upstream suggestions for debugging in OpenSSH.

There is a related bug for sssd:

https://bugzilla.redhat.com/show_bug.cgi?id=1201977

Which was closed and linked to another bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1202245

but I don't understand why.  The problems in the given cases don't seem to be related to replication or HBAC processing.  I'm corresponding with Jakub Hrozek about this.

Hope this helps,

Paul

Comment 5 Paul Wayper 2015-11-19 05:19:56 UTC
No, stupid me, 1201977 is not the bug I was looking for.  Maybe I didn't log a bug for it after all.  I'll fix that now.

https://bugzilla.redhat.com/show_bug.cgi?id=1273633

Hope this helps,

Paul

Comment 6 Paul Wayper 2015-11-19 05:21:16 UTC
Nope, wrong again, this one:

https://bugzilla.redhat.com/show_bug.cgi?id=1283477

Hope this helps,

Paul

Comment 7 Jakub Hrozek 2015-11-19 08:53:58 UTC
(In reply to Paul Wayper from comment #6)
> Nope, wrong again, this one:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1283477
> 
> Hope this helps,
> 
> Paul

This is a legitimate SSSD bug that needs more data (logs, cache dump) to proceed. Nothing specific to SSH.

