URL: https://github.com/SSSD/sssd/pull/472 Author: fidencio Title: #472: Remove the 'sshPublicKey' attribute from the cache when it's removed from IPA Action: opened
PR body: """ Those two patches provide a fix for https://pagure.io/SSSD/sssd/issue/3602. When testing these patches, please make sure you have this code built and installed on **server side**. """

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/472/head:pr472
git checkout pr472
From ef461855d25227c8a1214a10e71885bf052df21b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Tue, 12 Dec 2017 14:47:38 +0100 Subject: [PATCH 1/2] SYSDB_VIEWS: Remove sshPublicKey attribute when it's not set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We have to explicitly remove 'sshPublicKey' attribute from an override in case it's not set, otherwise we may ended up in a situation where a ssh key is removed from IPA but it'll still be present in SSSD cache, allowing users to ssh to a machine even without having a ssh key set. Related: https://pagure.io/SSSD/sssd/issue/3602 Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com> --- src/db/sysdb_views.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c index bcd7dd461..1e69f3433 100644 --- a/src/db/sysdb_views.c +++ b/src/db/sysdb_views.c @@ -842,6 +842,8 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain, NULL }; bool override_attrs_found = false; bool is_cert = false; + struct ldb_message_element el_del = { 0, SYSDB_SSH_PUBKEY, 0, NULL }; + struct sysdb_attrs del_attrs = { 1, &el_del }; if (override_attrs == NULL) { /* nothing to do */ @@ -941,7 +943,14 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain, el->values[d].data, ldb_dn_get_linearized(obj_dn)); } } - } else if (ret != ENOENT) { + } else if (ret == ENOENT) { + if (strcmp(allowed_attrs[c], SYSDB_SSH_PUBKEY) == 0) { + ret = sysdb_set_entry_attr(domain->sysdb, obj_dn, &del_attrs, + SYSDB_MOD_DEL); + DEBUG(SSSDBG_DEFAULT, "FIDENCIO | ret (%d): %s\n", + ret, sss_strerror(ret)); + } + } else { DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_el_ext failed.\n"); goto done; } From f8c6f6e0d3adeec7c46c84bb371c4922ec027bf4 Mon Sep 17 00:00:00 2001 
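Review bot: the positional initializers `{ 0, SYSDB_SSH_PUBKEY, 0, NULL }` and `{ 1, &el_del }` for `el_del` and `del_attrs` in the first hunk of sysdb_views.c depend on the field order of `struct ldb_message_element` and `struct sysdb_attrs`; designated initializers (`.name = SYSDB_SSH_PUBKEY` and `.num = 1, .a = &el_del`) would make the intent readable and survive a field reordering. Both variables are used only in the new `SYSDB_SSH_PUBKEY` branch further down, so a one-line comment saying they describe the attribute to delete when the override carries no key, or moving the declarations next to that use, would help the next reader.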
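Review bot: in the second hunk of sysdb_views.c the return value of `sysdb_set_entry_attr(domain->sysdb, obj_dn, &del_attrs, SYSDB_MOD_DEL)` is only printed and never acted on, so a failed removal of a stale key is silently swallowed and `ret` is overwritten by the next loop iteration; the case where the attribute is already absent on the entry should be treated as success, and any other error should `goto done` like the existing `sysdb_attrs_get_el_ext` failure path does. The `DEBUG(SSSDBG_DEFAULT, "FIDENCIO | ret (%d): %s\n", ...)` line is leftover development tracing and should be dropped or turned into an `SSSDBG_TRACE_FUNC` message that states which attribute was removed from which DN. Separately, the delete fires whenever the override being applied has no `sshPublicKey`, without checking whether the key currently on `obj_dn` was written by an override or belongs to the user entry itself; if wiping a key that was never overridden is the intended behaviour, the commit message should say so explicitly, otherwise the deletion needs to be limited to keys that a previous override put there.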
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Mon, 11 Dec 2017 14:55:50 +0100 Subject: [PATCH 2/2] SSH: Always lookup in the DP for a user's SSH keys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Similarly to what we do in the PAM responder to ensure that we'll always get a valid user from the DP, let's firstly check the DP to get fresh information about the user and just after that let's check the cache, ensuring then that if a ssh key has been removed from the IPA master we won't allow any user to log in just using their cached info. Related: https://pagure.io/SSSD/sssd/issue/3602 Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com> --- src/responder/ssh/ssh_cmd.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/src/responder/ssh/ssh_cmd.c b/src/responder/ssh/ssh_cmd.c index 1b9aff2b5..ed0bbf097 100644 --- a/src/responder/ssh/ssh_cmd.c +++ b/src/responder/ssh/ssh_cmd.c @@ -69,6 +69,7 @@ static errno_t ssh_cmd_get_user_pubkeys(struct cli_ctx *cli_ctx) { struct ssh_cmd_ctx *cmd_ctx; struct tevent_req *subreq; + struct cache_req_data *data; errno_t ret; static const char *attrs[] = { SYSDB_NAME, SYSDB_SSH_PUBKEY, @@ -98,11 +99,21 @@ static errno_t ssh_cmd_get_user_pubkeys(struct cli_ctx *cli_ctx) goto done; } - subreq = cache_req_user_by_name_attrs_send(cmd_ctx, cli_ctx->ev, - cli_ctx->rctx, - cli_ctx->rctx->ncache, 0, - cmd_ctx->domain, - cmd_ctx->name, attrs); + data = cache_req_data_name_attrs(cmd_ctx, CACHE_REQ_USER_BY_NAME, + cmd_ctx->name, attrs); + if (data == NULL) { + ret = ENOMEM; + goto done; + } + + cache_req_data_set_bypass_cache(data, true); + + subreq = cache_req_send(cmd_ctx, cli_ctx->ev, + cli_ctx->rctx, + cli_ctx->rctx->ncache, 0, + CACHE_REQ_POSIX_DOM, + cmd_ctx->domain, + data); if (subreq == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); ret = ENOMEM; 
@@ -130,7 +141,7 @@ static void ssh_cmd_get_user_pubkeys_done(struct tevent_req *subreq) cmd_ctx = tevent_req_callback_data(subreq, struct ssh_cmd_ctx); - ret = cache_req_user_by_name_attrs_recv(cmd_ctx, subreq, &result); + ret = cache_req_single_domain_recv(cmd_ctx, subreq, &result); talloc_zfree(subreq); if (ret != EOK) { if (ret == ENOENT) {
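Review bot: `cache_req_data_set_bypass_cache(data, true)` in the `ssh_cmd_get_user_pubkeys` hunk turns every key lookup from this responder into a data provider round trip, and sshd invokes its AuthorizedKeysCommand for each key a client offers before that client has authenticated, so an unauthenticated remote peer can now drive one backend query per connection attempt; the commit message should state that this is the intended trade-off (it only says "similarly to what we do in the PAM responder") and what the responder returns when the provider is offline. If the load turns out to matter, a non-zero `cache_refresh_percent` (the hunk still passes `0`) or a short positive-cache window is the usual middle ground. Ownership looks right: `data` is allocated on `cmd_ctx`, and `subreq` is also a child of `cmd_ctx`, so `data` outlives the request.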
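Review bot: switching the completion to `cache_req_single_domain_recv(cmd_ctx, subreq, &result)` in `ssh_cmd_get_user_pubkeys_done` is the matching receiver for `cache_req_send`, but since the request now bypasses the cache, the `ENOENT` branch that follows can also mean the provider reported the user as gone rather than only a cache miss; a debug message in that branch naming `cmd_ctx->name` and the domain would make the "key removed on the IPA master" case diagnosable from the responder log.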
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org