[Bug 938] "AllowGroups" option and secondary user's groups limit

bugzilla-daemon at mindrot.org
Sun Oct 3 03:11:41 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=938

           Summary: "AllowGroups" option and secondary user's groups limit
           Product: Portable OpenSSH
           Version: 3.9p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: PAM support
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: coil93 at mail.ee


Linux Suse 9.1, nss_ldap version 215, pam_ldap version 169, openldap version 2.2.17

OpenSSH can't handle more than 5 groups via pam_ldap authentication.

For example: user john has primary group gr1 and belongs to secondary groups 
gr2,gr3,gr4,gr5 in LDAP database.

sshd_config:
AllowGroups 5
UsePAM yes

/etc/pam.d/sshd
auth     required       pam_unix2.so    # set_secrpc
auth     required       pam_nologin.so
auth     required       pam_env.so
account  required       pam_unix2.so
account  required       pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session  required       pam_unix2.so    none # trace or debug
session  required       pam_limits.so

/etc/nsswitch.conf
passwd_compat:  ldap
group_compat:   ldap

root at localhost> id john
uid=1023(john) gid=10(gr1) groups=10(gr1),5021(gr2),0(gr3),1013(gr4),3455(gr5)

root at localhost> ssh -l john localhost
Password: *****
Have a lot of fan...
john at localhost>

Now add user john to an additional group gr6
root at localhost> id john
uid=1023(john) gid=10(gr1) groups=10(gr1),5021(gr2),0(gr3),1013(gr4),3455(gr5),3456(gr6)

root at localhost> ssh -l john localhost
Password: *****
Password: *****
Password: *****
Permission denied (publickey, keyboard-interactive)
root at localhost>

sshd debug:
Oct  2 20:06:35 linux sshd[8856]: debug1: userauth-request for user john 
service ssh-connection method keyboard-interactive
Oct  2 20:06:35 linux sshd[8856]: debug1: attempt 3 failures 3
Oct  2 20:06:35 linux sshd[8856]: debug2: input_userauth_request: try 
method keyboard-interactive
Oct  2 20:06:35 linux sshd[8856]: debug1: keyboard-interactive devs
Oct  2 20:06:35 linux sshd[8856]: debug1: auth2_challenge: user=john devs=
Oct  2 20:06:35 linux sshd[8856]: debug1: kbdint_alloc: devices 'pam'
Oct  2 20:06:35 linux sshd[8856]: debug2: auth2_challenge_start: devices 
pam
Oct  2 20:06:35 linux sshd[8856]: debug2: kbdint_next_device: devices 
<empty>
Oct  2 20:06:35 linux sshd[8856]: debug1: auth2_challenge_start: trying 
authentication method 'pam'
Oct  2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_init_ctx entering
Oct  2 20:06:35 linux PAM-warn[8860]: function=[pam_sm_authenticate] 
service=[sshd] terminal=[ssh] user=[john] ruser=[<unknown>] 
rhost=[127.0.0.1]
Oct  2 20:06:35 linux sshd[8860]: debug3: PAM: sshpam_thread_conv 
entering, 1 messages
Oct  2 20:06:35 linux sshd[8860]: debug3: ssh_msg_send: type 1
Oct  2 20:06:35 linux sshd[8860]: debug3: ssh_msg_recv entering
Oct  2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_query entering
Oct  2 20:06:35 linux sshd[8856]: debug3: ssh_msg_recv entering
Oct  2 20:06:35 linux sshd[8856]: Postponed keyboard-interactive for 
invalid user john from 127.0.0.1 port 32986 ssh2
Oct  2 20:06:35 linux sshd[8856]: debug2: auth2_challenge_start: devices 
<empty>
Oct  2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_free_ctx 
entering
Oct  2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_thread_cleanup 
entering
Oct  2 20:06:35 linux sshd[8856]: Failed keyboard-interactive/pam for 
invalid user john from 127.0.0.1 port 32986 ssh2
Oct  2 20:06:35 linux sshd[8856]: Connection closed by 127.0.0.1
Oct  2 20:06:35 linux sshd[8856]: debug1: do_cleanup
Oct  2 20:06:35 linux sshd[8856]: debug1: PAM: cleanup
Oct  2 20:06:35 linux sshd[8856]: debug3: PAM: sshpam_thread_cleanup
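
The decision the report is exercising, as an added example that is not part of the bug report and is not OpenSSH's own code: a POSIX sh emulation of the AllowGroups allowlist as sshd_config(5) documents it. Login is permitted only when the user's primary group or one of the supplementary groups matches one of the listed patterns (wildcards allowed), every group in the list is consulted, and only group names are matched; a numeric GID in AllowGroups does not match anything. The `id` output strings below are constructed to mirror the report's user john before and after gr6 is added; the function names are the example's own.

```shell
#!/bin/sh
# Added example: emulate sshd's AllowGroups check over an `id`-style group
# list. Not OpenSSH code; the names group_names_from_id and
# allow_groups_check are this example's own.

# Constructed inputs in the format `id` prints (taken from the report).
ID_JOHN_5='uid=1023(john) gid=10(gr1) groups=10(gr1),5021(gr2),0(gr3),1013(gr4),3455(gr5)'
ID_JOHN_6='uid=1023(john) gid=10(gr1) groups=10(gr1),5021(gr2),0(gr3),1013(gr4),3455(gr5),3456(gr6)'

# group_names_from_id "<id output>"
# Prints the group names from the groups= field, space separated, in order.
# The primary group is already repeated in groups=, so no separate gid= parse
# is needed for this format.
group_names_from_id() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# allow_groups_check "PATTERN ..." "GROUP ..."
# Deny by default: prints "allow" and returns 0 only if some group name
# matches some pattern; otherwise prints "deny" and returns 1.
allow_groups_check() {
    _pats=$1
    _grps=$2
    _rc=1
    set -f   # no pathname expansion, so "gr*" stays a pattern, not a file list
    for g in $_grps; do
        for p in $_pats; do
            case $g in
                $p) _rc=0; break 2 ;;
            esac
        done
    done
    set +f
    if [ "$_rc" -eq 0 ]; then echo allow; else echo deny; fi
    return "$_rc"
}

# Demonstration: six groups must be checked just like five, and a bare GID
# ("5", as in the report's sshd_config) never matches a group name.
for id_out in "$ID_JOHN_5" "$ID_JOHN_6"; do
    names=$(group_names_from_id "$id_out")
    for rule in "gr5" "gr*" "5" "wheel admin"; do
        printf 'AllowGroups %-12s groups [%s] -> %s\n' \
            "$rule" "$names" "$(allow_groups_check "$rule" "$names")"
    done
done
```

The check is name based and deny by default, so a user whose group list cannot be resolved at all (for example when the NSS lookup behind `id` fails inside sshd) is rejected exactly as if the groups did not match; when debugging a report like this one, compare what `id` shows from the shell with what sshd logs for the same user rather than assuming the two see the same list.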