sssd professionals, Interesting problem; seems to be an interaction with sshd daemon when using an AD back-end.
When using sssd (with an AD back-end), what should my “Match” blocks in the /etc/ssh/sshd_config file look like for overriding user values? Right now, my Match blocks look like:

MaxSessions 10
....
Match User SERVICEPPTPRDVRA
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3
Match User SERVICEPPTPRDDCA
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3

And in the system log files, it looks like:

Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug2: parse_server_config: config reprocess config len 1479
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: checking match for 'User SERVICEPPTPRDVRA' user SERVICEPPTPRDVRA host 10.175.99.51 addr 10.175.99.51 laddr 10.174.120.203 lport 22
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug1: user SERVICEPPTPRDVRA matched 'User SERVICEPPTPRDVRA' at line 158
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: match found
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: reprocess config:159 setting MaxSessions 999
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: reprocess config:160 setting ClientAliveInterval 360
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: reprocess config:161 setting ClientAliveCountMax 3
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: checking match for 'User SERVICEPPTPRDDCA' user SERVICEPPTPRDVRA host 10.175.99.51 addr 10.175.99.51 laddr 10.174.120.203 lport 22
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: match not found

Here's where it gets weird. Because this is an AD back-end, by default sssd is setting case_sensitive = false. That is, it matches any case of user names. Examples:

SERVICEPPTPRDVRA
servicepptprdvra
ServicePPTPrdVra

However, I notice that sssd maps all the user names to lowercase once you’re fully logged in. (This is what's desired.)

Example:

[root@peplpc1mom01 ssh]# su -l SERVICEPPTPRDVRA
Last login: Wed Nov 4 10:03:31 CST 2020 on pts/12
[servicepptprdvra@peplpc1mom01 ~]$ id
uid=3001425(servicepptprdvra) gid=3001425(servicepptprdvra) groups=3001425(servicepptprdvra),1010(amerunixusers),2284221(puppetentrp)
[servicepptprdvra@peplpc1mom01 ~]$

It looks like sshd is looking at the raw “user name” input without any processing for its Match blocks. So I’m guessing this is before any PAM or NSS processing. Originally, I naively assumed that my Match blocks should be lowercase, as that's what I see on the command line. But now I think it has to be whatever raw input the user entered.

Spike
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
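The Match evaluation the debug log above shows, as an added example that is not part of the original post and not OpenSSH's or sssd's code: a small Python model of `Match User` that follows the PATTERNS rules documented in ssh_config(5) (`*`, `?`, leading `!` for negation, comma-separated lists, no case folding) and the sshd_config(5) rule that when several satisfied Match blocks set the same keyword, the first one wins. It is run against a config fragment modelled on the poster's two blocks (the global `ClientAliveInterval 0` line is a constructed default) and against the three spellings of the login name from the post, which sssd treats as the same account but sshd does not.

```python
"""Model of how sshd evaluates `Match User` against the login name exactly as
the client sent it. Added example, not OpenSSH code: it re-implements the
documented pattern rules (*, ?, !-negation, comma lists, case-sensitive) and
"first satisfied Match block wins per keyword"."""
import re

# Constructed config fragment: global defaults plus the poster's two Match blocks.
SSHD_CONFIG = """\
MaxSessions 10
ClientAliveInterval 0
ClientAliveCountMax 3

Match User SERVICEPPTPRDVRA
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3

Match User SERVICEPPTPRDDCA
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3
"""

# The three spellings sssd accepts for one account when case_sensitive = false.
LOGIN_NAMES = ["SERVICEPPTPRDVRA", "servicepptprdvra", "ServicePPTPrdVra"]


def pattern_to_regex(pattern):
    """OpenSSH PATTERNS: '*' matches any run of characters, '?' exactly one,
    everything else is literal. Deliberately case-sensitive, as sshd is."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def match_pattern_list(name, pattern_list):
    """Comma-separated list, evaluated left to right: a matching '!'-pattern
    rejects the name outright, a matching plain pattern accepts it, and a name
    that matches nothing is rejected."""
    for pattern in pattern_list.split(","):
        pattern = pattern.strip()
        if not pattern:
            continue
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        if pattern_to_regex(pattern).match(name):
            return not negate
    return False


def parse_config(text):
    """Split sshd_config text into global options plus a list of
    (user-pattern-list, options) Match blocks. Only 'Match User' is modelled."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()
        value = fields[1].strip() if len(fields) > 1 else ""
        if key == "match":
            criteria = value.split()
            if len(criteria) != 2 or criteria[0].lower() != "user":
                raise ValueError("only 'Match User <patterns>' is modelled: " + line)
            current = {}
            blocks.append((criteria[1], current))
        elif current is None:
            global_opts[key] = value
        else:
            current[key] = value
    return global_opts, blocks


def effective_options(text, login_name):
    """Options sshd would apply for login_name (the raw name from the client):
    globals first, then each satisfied Match block in file order, where the
    first satisfied block that sets a keyword wins. Returns (options, matched)."""
    global_opts, blocks = parse_config(text)
    options, matched, already_set = dict(global_opts), [], set()
    for pattern_list, block_opts in blocks:
        if not match_pattern_list(login_name, pattern_list):
            continue
        matched.append(pattern_list)
        for key, value in block_opts.items():
            if key not in already_set:
                already_set.add(key)
                options[key] = value
    return options, matched


def max_sessions_by_login(text, login_names):
    """MaxSessions each spelling of the login name ends up with."""
    return {name: effective_options(text, name)[0]["maxsessions"] for name in login_names}


if __name__ == "__main__":
    for name, value in max_sessions_by_login(SSHD_CONFIG, LOGIN_NAMES).items():
        print(f"{name:18} MaxSessions {value}")
    # Listing the spellings clients actually send is one way to cover them all.
    widened = SSHD_CONFIG.replace("Match User SERVICEPPTPRDVRA",
                                  "Match User SERVICEPPTPRDVRA,servicepptprdvra")
    print(max_sessions_by_login(widened, LOGIN_NAMES))
```

Only the spelling that is byte-for-byte equal to the pattern gets `MaxSessions 999`; the other two fall through to the global `10`, which is what the `checking match for 'User ...' user ...` lines in the log reflect. OpenSSH patterns have no case-folding, so the choices are to list every spelling clients send in one pattern list, or to key the block on a criterion sshd resolves through NSS after a `getpwnam()` of the sent name, such as `Match Group`, which sssd answers regardless of case. On the real host, `sshd -T -C user=ServicePPTPrdVra,host=10.175.99.51,addr=10.175.99.51 | grep -i maxsessions` prints what sshd itself would apply for a given spelling without opening a session.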