Bug 455062 - search order in nsswitch.conf triggers openssh/pam/ldap bug
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-07-11 19:03 UTC by Dimitri Maziuk
Modified: 2008-07-14 08:16 UTC
CC List: 0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-14 08:16:54 UTC



Description Dimitri Maziuk 2008-07-11 19:03:27 UTC
Description of problem:
This is a bit convoluted, it involves openldap, ssh, pam and nsswitch.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create an LDAP user "testldap".
2. Run system-config-authentication on machine "urchin" and enable LDAP.
3. Create a local user "testlocal" on urchin.
  
Actual results:

dmaziuk@yellowtail:/website/htdocs$ ssh -Y testldap@urchin
testldap@urchin's password:
Last login: Fri Jul 11 13:55:23 2008 from yellowtail.bmrb.wisc.edu
-bash-3.2$ whoami
dmaziuk
-bash-3.2$ logout
Connection to urchin closed.

dmaziuk@yellowtail:/website/htdocs$ ssh -Y testlocal@urchin
testlocal@urchin's password:
Last login: Fri Jul 11 12:56:12 2008 from yellowtail.bmrb.wisc.edu
testlocal@urchin:~$ whoami
testlocal


Expected results:

4. Edit /etc/nsswitch.conf and change 
  passwd:     files ldap
  shadow:     files ldap
to
  passwd:     ldap files
  shadow:     ldap files

dmaziuk@yellowtail:/website/htdocs$ ssh -Y testldap@urchin
testldap@urchin's password:
Last login: Fri Jul 11 12:55:46 2008 from yellowtail.bmrb.wisc.edu
-bash-3.2$ whoami
testldap
-bash-3.2$ logout
Connection to urchin closed.

dmaziuk@yellowtail:/website/htdocs$ ssh -Y testlocal@urchin
testlocal@urchin's password:
Last login: Fri Jul 11 12:56:12 2008 from yellowtail.bmrb.wisc.edu
testlocal@urchin:~$ whoami
testlocal


Additional info: with order "files ldap" -- written to nsswitch.conf by the
authconfig GUI, ssh login picks my uid instead of that of the testldap user. Now if
I run passwd, I'm changing the password for "dmaziuk", not "testldap", etc. I'm not
sure whose bug that is (from what Google finds, it seems openssh's privsep is to
blame), but one workaround is to change the order to "ldap files" when writing
out nsswitch.conf.

Of course, if people put system accounts into ldap directory, that could break
stuff -- but they probably shouldn't.

Comment 1 Dimitri Maziuk 2008-07-11 21:08:13 UTC
On second thought, changing order to "ldap files" prevents slapd from 
starting, so that doesn't work either. I guess the only solution is to never 
ssh from local account (e.g. root) to an ldap account...

Comment 2 Tomas Mraz 2008-07-14 08:16:54 UTC
This is no openssh/pam/ldap bug. Your system behaves just as it is configured.
The uid of 'dmaziuk' user in local /etc/passwd is surely the same as uid of the
'testldap' user in the LDAP server database. If you use accounts from some
network user account service such as LDAP server you have to ensure that the
uids and gids do not collide.
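The following is an added example, not part of the bug report and not authconfig or glibc code. It models what Comment 2 describes: glibc's NSS answers getpwnam()/getpwuid() from the first service in the nsswitch.conf "passwd:" line that has a matching entry, so when a local account and an LDAP account share a uid, sshd's name-to-uid step picks one account and the session's uid-to-name step (what whoami and passwd use) may pick the other. The passwd(5) and group(5) lines, user names and numeric ids below are constructed sample data; the uid 1000 collision is deliberate. On a real host the equivalent inputs would come from `getent -s files passwd`, `getent -s ldap passwd` and the same two commands for `group`.

```python
"""
Added example (not from the bug report, authconfig or glibc): a model of how
NSS resolves names and ids under a given nsswitch.conf order, plus a check
for local-vs-LDAP id collisions like the one diagnosed in Comment 2.

All passwd/group lines are constructed sample data; names and ids are
assumptions. On a real host the same lines come from
    getent -s files passwd ; getent -s ldap passwd
    getent -s files group  ; getent -s ldap group
"""
from collections import defaultdict

# Constructed local and LDAP passwd(5) entries. The uid 1000 collision is
# deliberate: it is the situation Comment 2 describes.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dmaziuk:x:1000:1000:Local admin:/home/dmaziuk:/bin/bash
testlocal:x:1001:1001::/home/testlocal:/bin/bash
"""
LDAP_PASSWD = """\
testldap:x:1000:1000:LDAP test user:/home/testldap:/bin/bash
alice:x:2001:2001:Alice:/home/alice:/bin/bash
"""
# Constructed group(5) entries. passwd(5) and group(5) both keep the name in
# field 0 and the numeric id in field 2, so one parser serves both databases.
LOCAL_GROUP = "root:x:0:\ndmaziuk:x:1000:\ntestlocal:x:1001:\n"
LDAP_GROUP = "testldap:x:1000:\nstaff:x:2001:alice\n"


def parse_db(text):
    """passwd(5)/group(5) text -> list of (name, numeric_id)."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            out.append((fields[0], int(fields[2])))
    return out


def lookup_by_id(num, order, sources):
    """getpwuid()/getgrgid() model: the first service in `order` that holds
    `num` wins. With "files ldap" a uid shared by a local and an LDAP
    account therefore always resolves to the local account's name."""
    for service in order:
        for name, entry_id in sources.get(service, []):
            if entry_id == num:
                return name
    return None


def lookup_by_name(name, order, sources):
    """getpwnam()/getgrnam() model under the same service order."""
    for service in order:
        for entry_name, entry_id in sources.get(service, []):
            if entry_name == name:
                return entry_id
    return None


def whoami_after_login(name, order, sources):
    """sshd maps the login name to a uid and switches to it; whoami in the
    session maps that uid back to a name. The round trip is only stable
    when the uid is unique across all services."""
    uid = lookup_by_name(name, order, sources)
    return None if uid is None else lookup_by_id(uid, order, sources)


def find_collisions(sources):
    """{id: {service: name}} for ids that map to different names in
    different services. Same-name mirrors are not reported."""
    by_id = defaultdict(dict)
    for service, entries in sources.items():
        for name, num in entries:
            by_id[num][service] = name
    return {num: names for num, names in by_id.items()
            if len(set(names.values())) > 1}


PASSWD = {"files": parse_db(LOCAL_PASSWD), "ldap": parse_db(LDAP_PASSWD)}
GROUP = {"files": parse_db(LOCAL_GROUP), "ldap": parse_db(LDAP_GROUP)}

if __name__ == "__main__":
    for order in (["files", "ldap"], ["ldap", "files"]):
        print(order, {u: whoami_after_login(u, order, PASSWD)
                      for u in ("testldap", "testlocal", "dmaziuk")})
    print("passwd collisions:", find_collisions(PASSWD))
    print("group collisions:", find_collisions(GROUP))
```

Running it reproduces both halves of the thread: with "files ldap" a login as testldap ends up reporting dmaziuk, and with "ldap files" the reverse happens (a login as dmaziuk reports testldap), which is why reordering the services is not a fix. Only removing the collision (distinct uid/gid ranges for local and directory accounts) makes the name-to-id-to-name round trip stable for every account.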


