On Mon Jan 27, 2003 at 12:53:00PM -0700, Vincent Danen wrote:

> [...]
> > Let me do some digging... this is starting to ring some bells.  I bet
> > if you do an strace on ssh (as a user in the LDAP database), you'll see
> > it accessing /etc/shadow directly, and *not* using getent to retrieve
> > that info.  If that's the case, then there is very little we can do
> > about it as it would be a design "flaw" in ssh directly.  It could very
> > well be that openssh doesn't use NSS to obtain that information,
> > meaning it will never call getent to do the lookup.
> > 
> > I.e. to openssh, if user isn't in the physical /etc/shadow file, then
> > user doesn't exist to it.
> > 
> > I'll do a little snooping and see what I can come up with.  This may be
> > one reason I'm not personally using LDAP for authentication...  this is
> > sounding quite familiar.
> 
> Ok... if you do an strace on ssh, and then search the output, you'll
> see something like this:
> 
> open("/etc/passwd", O_RDONLY)         = 3
> ... (much repeated, my strace shows 6 similar calls)
> 
> So ssh, the client, is looking at the file directly, and not using NSS
> or getent or any other similar mechanism that would allow it to
> retrieve that data from LDAP.
> 
> This is a limitation of openssh, and not something that we can fix...
> you'll have to bring this up with the openssh developers.

Never mind... I'm an idiot.  ssh should work with LDAP.. I didn't look
closely enough at the file... it most definitely does open up
nsswitch.conf to read, and definitely loads libnss_files.so.2, so it's
certainly looking at the NSS info.  There is something else wrong
here... ssh should interact with LDAP just fine.

Sorry about that... too little coffee and too little sleep I guess.  =(

If I get a chance, I'll set up LDAP for auth over here and see if I can
debug this further.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
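The confusion above comes from reading the wrong line of the trace: an open() of /etc/passwd is expected even when NSS is in use, because glibc's "files" backend (libnss_files) reads that file itself, so the decisive evidence is /etc/nsswitch.conf being read and libnss_*.so being loaded. The following script, added here as an example and not part of the thread, classifies an strace log on exactly that basis; the trace lines it runs on are constructed, and the `classify_trace` function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): decide from an strace log whether
# a program resolved user accounts through NSS or read the flat files directly.
# A real log can be captured with:  strace -f -e trace=open,openat -o prog.trace <prog>
# Older strace prints open(...), newer prints openat(AT_FDCWD, ...); both are handled.

# Constructed sample trace modelled on the thread's observation: nsswitch.conf is
# read, libnss_files and libnss_ldap are loaded, and /etc/passwd is opened by the
# files backend, not by the program itself.
SAMPLE_TRACE='open("/etc/ld.so.cache", O_RDONLY)        = 3
open("/lib/libcrypto.so.0.9.7", O_RDONLY) = 3
open("/etc/nsswitch.conf", O_RDONLY)      = 4
open("/lib/libnss_files.so.2", O_RDONLY)  = 4
open("/etc/passwd", O_RDONLY)             = 4
open("/lib/libnss_ldap.so.2", O_RDONLY)   = 4
open("/etc/ldap.conf", O_RDONLY)          = 4'

# classify_trace TRACE_TEXT
# Prints "nss:<backends>" when nsswitch.conf was read and at least one libnss_*
# module was loaded, "direct" when only /etc/passwd or /etc/shadow were opened,
# and "unknown" when neither pattern appears. Failed opens (= -1) are ignored.
classify_trace() {
    trace="$1"
    # Paths of successful open()/openat() calls; tolerate a leading pid from strace -f.
    opened=$(printf '%s\n' "$trace" | grep -v '= -1' \
        | sed -n 's/^[0-9 ]*open[a-z]*(.*"\([^"]*\)".*/\1/p')
    nss_conf=$(printf '%s\n' "$opened" | grep -c '^/etc/nsswitch\.conf$' || true)
    backends=$(printf '%s\n' "$opened" \
        | sed -n 's#.*/libnss_\([a-z0-9]*\)\.so.*#\1#p' | sort -u | tr '\n' ' ')
    flat_files=$(printf '%s\n' "$opened" | grep -cE '^/etc/(passwd|shadow)$' || true)

    if [ "$nss_conf" -gt 0 ] && [ -n "$backends" ]; then
        echo "nss:${backends% }"
    elif [ "$flat_files" -gt 0 ]; then
        echo "direct"
    else
        echo "unknown"
    fi
}

classify_trace "$SAMPLE_TRACE"   # prints: nss:files ldap
```

A "direct" verdict is the case the thread initially feared (the program bypassing nsswitch.conf); the sample trace instead yields "nss:files ldap", matching the corrected conclusion that ssh does consult NSS.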