URL: https://github.com/SSSD/sssd/pull/472
Author: fidencio
 Title: #472: Remove the 'sshPublicKey' attribute from the cache when it's 
removed from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/472/head:pr472
git checkout pr472
From a32a112f7d1dddfde572008c71afd72172a1aaf2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Tue, 12 Dec 2017 14:47:38 +0100
Subject: [PATCH 1/3] SYSDB_VIEWS: Remove sshPublicKey attribute when it's not
 set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We have to explicitly remove 'sshPublicKey' attribute from an override
in case it's not set; otherwise we may end up in a situation where an
ssh key is removed from IPA but it'll still be present in SSSD's server
cache, allowing then users to ssh to a machine even having a key that
has already been removed from IPA.

Related: https://pagure.io/SSSD/sssd/issue/3602

Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com>
---
 src/db/sysdb_views.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index bcd7dd461..73213ae28 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -842,6 +842,8 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
                                     NULL };
     bool override_attrs_found = false;
     bool is_cert = false;
+    struct ldb_message_element el_del = { 0, SYSDB_SSH_PUBKEY, 0, NULL };
+    struct sysdb_attrs del_attrs = { 1, &el_del };
 
     if (override_attrs == NULL) {
         /* nothing to do */
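Review bot: The new `el_del` and `del_attrs` initialisers at the top of the hunk are positional, so they depend on the field order of `struct ldb_message_element` (flags, name, num_values, values) and `struct sysdb_attrs` (num, a), both declared outside this file; a reordered or added field in libldb would silently move `SYSDB_SSH_PUBKEY` into the wrong slot. Designated initialisers pin the intent: `struct ldb_message_element el_del = { .name = SYSDB_SSH_PUBKEY };` and `struct sysdb_attrs del_attrs = { .num = 1, .a = &el_del };`. The same pattern appears in the ipa_s2n_exop.c hunk (`ssh_public_key_el` / `ssh_public_key_attrs`), where the first declaration also runs past the 80-column width the surrounding code keeps to. A short comment such as `/* value-less element: only names the attribute to remove with SYSDB_MOD_DEL */` would explain why the element carries no values. sysdb_apply_default_override starts before and ends after this hunk.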
@@ -941,7 +943,17 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
                           el->values[d].data, ldb_dn_get_linearized(obj_dn));
                 }
             }
-        } else if (ret != ENOENT) {
+        } else if (ret == ENOENT) {
+            if (strcmp(allowed_attrs[c], SYSDB_SSH_PUBKEY) == 0) {
+                ret = sysdb_set_entry_attr(domain->sysdb, obj_dn, &del_attrs,
+                                           SYSDB_MOD_DEL);
+                if (ret != EOK && ret != ENOENT) {
+                    DEBUG(SSSDBG_OP_FAILURE,
+                          "sysdb_set_entry_attr failed.\n");
+                    goto done;
+                }
+            }
+        } else {
             DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_el_ext failed.\n");
             goto done;
         }
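Review bot: The new ENOENT branch removes `sshPublicKey` from `obj_dn` whenever the override lacks it, without distinguishing keys that came from the override from keys the object may carry on its own; if an object with an override can legitimately hold its own keys, they are wiped here, so the precondition that an override always holds the complete key set should be confirmed and written down, e.g. above the `strcmp`: `/* an override without sshPublicKey must clear the key cached on the object, otherwise a key deleted in IPA stays usable */`. Note also that `ret` is left at ENOENT when the loop continues, either from `sysdb_attrs_get_el_ext` for attributes other than `sshPublicKey` or from the tolerated delete; the old code behaved the same for the first case, but whatever follows the loop must reset it, and that code is outside the hunk. The enclosing function starts before and ends after this hunk.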

From f5fd6e2250b29f40f277ba313c88bdb93a33c181 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Wed, 13 Dec 2017 20:52:46 +0100
Subject: [PATCH 2/3] IPA: Remove sshPublicKey attribute when it's not set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Similarly to what has been done for the SSSD server, we have to explicitly
remove the 'sshPublicKey' attribute from an override in case it's not
set; otherwise we may end up in a situation where an ssh key is removed
from IPA but is still present in the SSSD client cache, allowing
users to ssh to a machine even with a key that has already been
removed from IPA.

Related: https://pagure.io/SSSD/sssd/issue/3602

Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com>
---
 src/providers/ipa/ipa_s2n_exop.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 8b97f7862..3578e10b6 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2194,6 +2194,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
     struct ldb_message *msg;
     struct ldb_message_element *el = NULL;
     const char *missing[] = {NULL, NULL};
+    struct ldb_message_element ssh_public_key_el = { 0, SYSDB_SSH_PUBKEY, 0, NULL };
+    struct sysdb_attrs ssh_public_key_attrs = { 1, &ssh_public_key_el };
 
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) {
@@ -2512,6 +2514,19 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
                 }
             }
 
+            if (override_attrs != NULL) {
+                ret = sysdb_attrs_get_el_ext(override_attrs,
+                                             SYSDB_SSH_PUBKEY, false, &el);
+                if (ret == ENOENT) {
+                    ret = sysdb_set_user_attr(dom, name, &ssh_public_key_attrs,
+                                              SYSDB_MOD_DEL);
+                    if (ret != EOK) {
+                        DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_user_attr failed,\n");
+                        goto done;
+                    }
+                }
+            }
+
             if (attrs->response_type == RESP_USER_GROUPLIST) {
                 ret = get_sysdb_grouplist_dn(tmp_ctx, dom->sysdb, dom, name,
                                              &sysdb_grouplist);
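Review bot: A return from `sysdb_attrs_get_el_ext` other than EOK or ENOENT is neither logged nor propagated in the new block: `ret` keeps the error and execution falls through to the grouplist handling as if nothing happened. The delete path is also stricter than the matching code in sysdb_views.c, which tolerates ENOENT from the MOD_DEL; here a user whose cached entry has no `sshPublicKey` to begin with would, if the delete reports ENOENT, abort the whole save with `goto done`, so that case needs confirming against `sysdb_set_user_attr`. The log message ends in a comma (`"sysdb_set_user_attr failed,\n"`) where the rest of the file uses a period. ipa_s2n_save_objects starts before and ends after this hunk.
```c
            if (override_attrs != NULL) {
                /* … unchanged: sysdb_attrs_get_el_ext(override_attrs, SYSDB_SSH_PUBKEY, false, &el) … */
                if (ret == ENOENT) {
                    /* Override carries no key: drop any key still cached for the user. */
                    ret = sysdb_set_user_attr(dom, name, &ssh_public_key_attrs,
                                              SYSDB_MOD_DEL);
                    if (ret == ENOENT) {
                        /* nothing was cached, not an error */
                        ret = EOK;
                    } else if (ret != EOK) {
                        DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_user_attr failed.\n");
                        goto done;
                    }
                } else if (ret != EOK) {
                    DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_el_ext failed.\n");
                    goto done;
                }
            }
```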

From df8f8594e15ce7bae727d1b5fd098226e0a45018 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Mon, 11 Dec 2017 14:55:50 +0100
Subject: [PATCH 3/3] SSH: Always lookup in the DP for a user's SSH key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Similarly to what we do in the PAM responder to ensure that we'll always
get a valid user from the DP, let's first check the DP to get fresh
information about the user and only after that check the cache,
ensuring that if an ssh key has been removed from the IPA master we
won't allow any user to log in using only their cached info.

Related: https://pagure.io/SSSD/sssd/issue/3602

Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com>
---
 src/responder/ssh/ssh_cmd.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/responder/ssh/ssh_cmd.c b/src/responder/ssh/ssh_cmd.c
index 1b9aff2b5..ed0bbf097 100644
--- a/src/responder/ssh/ssh_cmd.c
+++ b/src/responder/ssh/ssh_cmd.c
@@ -69,6 +69,7 @@ static errno_t ssh_cmd_get_user_pubkeys(struct cli_ctx *cli_ctx)
 {
     struct ssh_cmd_ctx *cmd_ctx;
     struct tevent_req *subreq;
+    struct cache_req_data *data;
     errno_t ret;
 
     static const char *attrs[] = { SYSDB_NAME, SYSDB_SSH_PUBKEY,
@@ -98,11 +99,21 @@ static errno_t ssh_cmd_get_user_pubkeys(struct cli_ctx *cli_ctx)
         goto done;
     }
 
-    subreq = cache_req_user_by_name_attrs_send(cmd_ctx, cli_ctx->ev,
-                                               cli_ctx->rctx,
-                                               cli_ctx->rctx->ncache, 0,
-                                               cmd_ctx->domain,
-                                               cmd_ctx->name, attrs);
+    data = cache_req_data_name_attrs(cmd_ctx, CACHE_REQ_USER_BY_NAME,
+                                     cmd_ctx->name, attrs);
+    if (data == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    cache_req_data_set_bypass_cache(data, true);
+
+    subreq = cache_req_send(cmd_ctx, cli_ctx->ev,
+                            cli_ctx->rctx,
+                            cli_ctx->rctx->ncache, 0,
+                            CACHE_REQ_POSIX_DOM,
+                            cmd_ctx->domain,
+                            data);
     if (subreq == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
         ret = ENOMEM;
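Review bot: `cache_req_data_set_bypass_cache(data, true)` is the behavioural core of this change yet carries no comment, and it turns every public-key lookup into a data-provider round-trip; add above it `/* Ask the DP before the cache so a key already removed from IPA is not served from a stale entry. */`. What happens while the backend is offline is not visible in this hunk: confirm that cache_req still falls back to the cached entry in that case, otherwise ssh logins would fail during outages instead of using cached keys, and record the outcome in the same comment. `data` is allocated on `cmd_ctx`, so its lifetime follows the command context, which matches how `subreq` is parented. ssh_cmd_get_user_pubkeys starts before and ends after this hunk.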
@@ -130,7 +141,7 @@ static void ssh_cmd_get_user_pubkeys_done(struct tevent_req *subreq)
 
     cmd_ctx = tevent_req_callback_data(subreq, struct ssh_cmd_ctx);
 
-    ret = cache_req_user_by_name_attrs_recv(cmd_ctx, subreq, &result);
+    ret = cache_req_single_domain_recv(cmd_ctx, subreq, &result);
     talloc_zfree(subreq);
     if (ret != EOK) {
         if (ret == ENOENT) {