Bug 455062 - search order in nsswitch.conf triggers openssh/pam/ldap bug
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: authconfig
Version: 8
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-07-11 15:03 EDT by Dimitri Maziuk
Modified: 2008-07-14 04:16 EDT (History)
Last Closed: 2008-07-14 04:16:54 EDT
Description Dimitri Maziuk 2008-07-11 15:03:27 EDT
Description of problem:
This is a bit convoluted, it involves openldap, ssh, pam and nsswitch.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create an LDAP user "testldap".
2. Run system-config-authentication on machine "urchin" and enable LDAP.
3. Create a local user "testlocal" on urchin.
  
Actual results:

dmaziuk@yellowtail:/website/htdocs$ ssh -Y testldap@urchin
testldap@urchin's password:
Last login: Fri Jul 11 13:55:23 2008 from yellowtail.bmrb.wisc.edu
-bash-3.2$ whoami
dmaziuk
-bash-3.2$ logout
Connection to urchin closed.

dmaziuk@yellowtail:/website/htdocs$ ssh -Y testlocal@urchin
testlocal@urchin's password:
Last login: Fri Jul 11 12:56:12 2008 from yellowtail.bmrb.wisc.edu
testlocal@urchin:~$ whoami
testlocal


Expected results:

4. Edit /etc/nsswitch.conf and change 
  passwd:     files ldap
  shadow:     files ldap
to
  passwd:     ldap files
  shadow:     ldap files

dmaziuk@yellowtail:/website/htdocs$ ssh -Y testldap@urchin
testldap@urchin's password:
Last login: Fri Jul 11 12:55:46 2008 from yellowtail.bmrb.wisc.edu
-bash-3.2$ whoami
testldap
-bash-3.2$ logout
Connection to urchin closed.

dmaziuk@yellowtail:/website/htdocs$ ssh -Y testlocal@urchin
testlocal@urchin's password:
Last login: Fri Jul 11 12:56:12 2008 from yellowtail.bmrb.wisc.edu
testlocal@urchin:~$ whoami
testlocal


Additional info: with order "files ldap" -- written to nsswitch.conf by
authconfig gui, ssh login picks my uid instead of that of testldap user. Now if
I run passwd, I'm changing password for "dmaziuk", not "testldap", etc. I'm not
sure whose bug that is (from what google finds, it seems openssh's privsep is to
blame), but one workaround is to change the order to "ldap files" when writing
out nsswitch.conf.

Of course, if people put system accounts into ldap directory, that could break
stuff -- but they probably shouldn't.
Comment 1 Dimitri Maziuk 2008-07-11 17:08:13 EDT
On second thought, changing order to "ldap files" prevents slapd from 
starting, so that doesn't work either. I guess the only solution is to never 
ssh from local account (e.g. root) to an ldap account...
Comment 2 Tomas Mraz 2008-07-14 04:16:54 EDT
This is no openssh/pam/ldap bug. Your system behaves just as it is configured.
The uid of 'dmaziuk' user in local /etc/passwd is surely the same as uid of the
'testldap' user in the LDAP server database. If you use accounts from some
network user account service such as LDAP server you have to ensure that the
uids and gids do not collide.
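The behaviour in the report follows from how name lookups work: `whoami` and `passwd` call getpwuid(3) on the numeric uid, and glibc answers with the first entry matching that uid in the order listed on the `passwd:` line of /etc/nsswitch.conf. If a local user and an LDAP user share uid 1000, "files ldap" returns the local name and "ldap files" returns the LDAP name, and the password change goes to whichever account the name resolves to. The script below is an added example, not part of the bug report or of authconfig: it emulates that lookup for both orders and scans two passwd sources for uid collisions. The two account lists are constructed inline so it runs offline; on a live host the same data comes from `getent -s files passwd` and `getent -s ldap passwd`.

```shell
#!/bin/sh
# Added example (not from the bug report). Detects uid collisions between
# local accounts and LDAP accounts, and emulates the nsswitch lookup order.
# Both data sets are constructed for the example; on a real host replace
# them with:  getent -s files passwd   and   getent -s ldap passwd

LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
dmaziuk:x:1000:1000:Dimitri Maziuk:/home/dmaziuk:/bin/bash
testlocal:x:1001:1001::/home/testlocal:/bin/bash'

LDAP_PASSWD='testldap:x:1000:1000::/home/testldap:/bin/bash
alice:x:2001:2001::/home/alice:/bin/bash'

# find_uid_collisions LOCAL_DATA LDAP_DATA
# Prints "uid localname ldapname" for every uid present in both sources
# under different user names. An empty result means no collision.
find_uid_collisions() {
    { printf '%s\n' "$1"; echo '--ldap--'; printf '%s\n' "$2"; } |
    awk -F: '
        $0 == "--ldap--" { in_ldap = 1; next }
        !in_ldap { loc[$3] = $1; next }
        ($3 in loc) && loc[$3] != $1 { print $3, loc[$3], $1 }'
}

# resolve_uid "ORDER" UID
# Emulates getpwuid(3) under a given nsswitch "passwd:" order: the first
# listed source that has the uid wins, later sources are never consulted.
# Prints the user name, or returns 1 if no source knows the uid.
resolve_uid() {
    order=$1
    uid=$2
    for src in $order; do
        case $src in
            files) data=$LOCAL_PASSWD ;;
            ldap)  data=$LDAP_PASSWD ;;
            *)     continue ;;
        esac
        name=$(printf '%s\n' "$data" |
               awk -F: -v u="$uid" '$3 == u { print $1; exit }')
        if [ -n "$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Stand-alone run: show the collision and what each order resolves uid 1000 to.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "uid collisions (uid local ldap):"
    find_uid_collisions "$LOCAL_PASSWD" "$LDAP_PASSWD"
    echo "uid 1000 with 'files ldap': $(resolve_uid 'files ldap' 1000)"
    echo "uid 1000 with 'ldap files': $(resolve_uid 'ldap files' 1000)"
fi
```

On a host that already shows the symptom, `getent passwd 1000` (or whatever `id -u` reports after the ssh login) gives the same answer as `whoami`, which confirms the collision directly. The same scan applies to gids against `getent -s files group` and `getent -s ldap group`. The fix is the one stated in the comment above: allocate disjoint uid/gid ranges for local and directory accounts, rather than reordering nsswitch.conf.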
