[Bug 938] "AllowGroups" option and secondary user's groups limit
bugzilla-daemon at mindrot.org
Sun Oct 3 03:11:41 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=938
Summary: "AllowGroups" option and secondary user's groups limit
Product: Portable OpenSSH
Version: 3.9p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: coil93 at mail.ee
Linux Suse 9.1, nss_ldap version 215, pam_ldap version 169, openldap version 2.2.17
OpenSSH can't handle more than 5 groups via pam_ldap authentication.
For example: user john has primary group gr1 and belongs to secondary groups
gr2,gr3,gr4,gr5 in LDAP database.
sshd_config:
AllowGroups 5
UsePAM yes
/etc/pam.d/sshd
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_limits.so
/etc/nsswitch.conf
passwd_compat: ldap
group_compat: ldap
root at localhost> id john
root at localhost> uid=1023(john) gid=10(gr1) groups=10(gr1),5021(gr2),0(gr3),1013(gr4),3455(gr5)
root at localhost> ssh -l john localhost
Password: *****
Have a lot of fan...
john at localhost>
Now add user john into additional group gr6
root at localhost> id john
root at localhost> uid=1023(john) gid=10(gr1) groups=10(gr1),5021(gr2),0(gr3),1013(gr4),3455(gr5),3456(gr6)
root at localhost> ssh -l john localhost
Password: *****
Password: *****
Password: *****
Permission denied (publickey, keyboard-interactive)
root at localhost>
sshd debug:
Oct 2 20:06:35 linux sshd[8856]: debug1: userauth-request for user john service ssh-connection method keyboard-interactive
Oct 2 20:06:35 linux sshd[8856]: debug1: attempt 3 failures 3
Oct 2 20:06:35 linux sshd[8856]: debug2: input_userauth_request: try method keyboard-interactive
Oct 2 20:06:35 linux sshd[8856]: debug1: keyboard-interactive devs
Oct 2 20:06:35 linux sshd[8856]: debug1: auth2_challenge: user=john devs=
Oct 2 20:06:35 linux sshd[8856]: debug1: kbdint_alloc: devices 'pam'
Oct 2 20:06:35 linux sshd[8856]: debug2: auth2_challenge_start: devices pam
Oct 2 20:06:35 linux sshd[8856]: debug2: kbdint_next_device: devices <empty>
Oct 2 20:06:35 linux sshd[8856]: debug1: auth2_challenge_start: trying authentication method 'pam'
Oct 2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_init_ctx entering
Oct 2 20:06:35 linux PAM-warn[8860]: function=[pam_sm_authenticate] service=[sshd] terminal=[ssh] user=[john] ruser=[<unknown>] rhost=[127.0.0.1]
Oct 2 20:06:35 linux sshd[8860]: debug3: PAM: sshpam_thread_conv entering, 1 messages
Oct 2 20:06:35 linux sshd[8860]: debug3: ssh_msg_send: type 1
Oct 2 20:06:35 linux sshd[8860]: debug3: ssh_msg_recv entering
Oct 2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_query entering
Oct 2 20:06:35 linux sshd[8856]: debug3: ssh_msg_recv entering
Oct 2 20:06:35 linux sshd[8856]: Postponed keyboard-interactive for invalid user john from 127.0.0.1 port 32986 ssh2
Oct 2 20:06:35 linux sshd[8856]: debug2: auth2_challenge_start: devices <empty>
Oct 2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_free_ctx entering
Oct 2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_thread_cleanup entering
Oct 2 20:06:35 linux sshd[8856]: Failed keyboard-interactive/pam for invalid user john from 127.0.0.1 port 32986 ssh2
Oct 2 20:06:35 linux sshd[8856]: Connection closed by 127.0.0.1
Oct 2 20:06:35 linux sshd[8856]: debug1: do_cleanup
Oct 2 20:06:35 linux sshd[8856]: debug1: PAM: cleanup
Oct 2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_thread_cleanup
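As an added diagnostic (not part of the bug report or of OpenSSH), the Python script below parses the two `id john` outputs shown above, evaluates an AllowGroups directive the way sshd matches a user's group names against the directive's shell-style patterns, and flags when the user's total group count exceeds the five groups the report says still work. The directive `AllowGroups gr1` and the 5-group threshold are assumptions for illustration; the wildcard matching via fnmatch approximates sshd's own pattern matcher.

```python
import fnmatch
import re

# Constructed samples: the `id john` output from the bug report before and
# after john was added to the sixth group gr6.
ID_BEFORE = "uid=1023(john) gid=10(gr1) groups=10(gr1),5021(gr2),0(gr3),1013(gr4),3455(gr5)"
ID_AFTER = "uid=1023(john) gid=10(gr1) groups=10(gr1),5021(gr2),0(gr3),1013(gr4),3455(gr5),3456(gr6)"

_GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_output(line):
    """Return (primary group name, list of all group names) from one `id` line."""
    m = re.search(r"gid=(\d+)\(([^)]*)\)", line)
    if not m or "groups=" not in line:
        raise ValueError("unexpected id output: " + line)
    primary = m.group(2)
    groups_part = line.split("groups=", 1)[1]
    names = [name for _, name in _GROUP_RE.findall(groups_part)]
    return primary, names


def allow_groups_matches(allow_groups, group_names):
    """Mimic sshd's AllowGroups decision: the user is allowed if any of the
    user's groups matches any pattern in the directive ('*' and '?' wildcards,
    case-sensitive). An empty directive means no group restriction."""
    if not allow_groups:
        return True
    return any(fnmatch.fnmatchcase(g, pat) for g in group_names for pat in allow_groups)


def diagnose(id_line, allow_groups, max_groups=5):
    """Summarise what sshd should decide for this user, and whether the user
    is over the group-count threshold observed in the report (assumed: 5)."""
    primary, names = parse_id_output(id_line)
    return {
        "primary": primary,
        "group_count": len(names),
        "over_limit": len(names) > max_groups,
        "allowgroups_ok": allow_groups_matches(allow_groups, names),
    }


if __name__ == "__main__":
    for label, line in (("before gr6", ID_BEFORE), ("after gr6", ID_AFTER)):
        print(label, diagnose(line, ["gr1"]))
```

If `allowgroups_ok` is True but sshd still logs "invalid user", the group lookup itself is failing rather than the AllowGroups match, which is the situation the report describes.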