sssd professionals,
Interesting problem; seems to be an interaction with sshd daemon when
using an AD back-end.
When using sssd (with an AD back-end), what should my “Match” blocks in
/etc/ssh/sshd_config file look like for overriding user values?
Right now, my Match blocks look like:
MaxSessions 10
....
Match User SERVICEPPTPRDVRA
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3
Match User SERVICEPPTPRDDCA
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3
And in the system log files, it looks like:
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug2: parse_server_config: config reprocess config len 1479
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: checking match for 'User SERVICEPPTPRDVRA' user SERVICEPPTPRDVRA host 10.175.99.51 addr 10.175.99.51 laddr 10.174.120.203 lport 22
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug1: user SERVICEPPTPRDVRA matched 'User SERVICEPPTPRDVRA' at line 158
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: match found
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: reprocess config:159 setting MaxSessions 999
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: reprocess config:160 setting ClientAliveInterval 360
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: reprocess config:161 setting ClientAliveCountMax 3
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: checking match for 'User SERVICEPPTPRDDCA' user SERVICEPPTPRDVRA host 10.175.99.51 addr 10.175.99.51 laddr 10.174.120.203 lport 22
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: match not found
Here's where it gets weird. Because this is an AD back-end, by default
sssd is setting
case_sensitive = false
That is, it matches any case of user names. Examples:
SERVICEPPTPRDVRA
servicepptprdvra
ServicePPTPrdVra
However, I notice that sssd maps all the user names to lowercase once
you’re fully logged in. (This is what's desired.)
Example:
[root@peplpc1mom01 ssh]# su -l SERVICEPPTPRDVRA
Last login: Wed Nov 4 10:03:31 CST 2020 on pts/12
[servicepptprdvra@peplpc1mom01 ~]$ id
uid=3001425(servicepptprdvra) gid=3001425(servicepptprdvra) groups=3001425(servicepptprdvra),1010(amerunixusers),2284221(puppetentrp)
[servicepptprdvra@peplpc1mom01 ~]$
It looks like SSHD is looking at the raw “user name” input without any
processing for its match blocks. So I’m guessing this is before any PAM or
NSS processing.
Originally, I naively assumed that my Match blocks should be lowercase, as
that's what I see on the command line. But now I think it has to be
whatever raw input the user entered.
Spike
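The behaviour described in the post, the Match block being compared against the raw login string while sssd resolves every spelling to one lowercase account, can be reproduced offline with the following script. It is an added example, not code from the post, from OpenSSH or from sssd. It assumes a configuration that uses only the `Match User` criterion (other criteria are rejected rather than silently mis-evaluated), implements only the `*`, `?`, comma-list and `!` parts of sshd's pattern syntax, models sssd's `case_sensitive = false` handling as plain lowercasing (which is what the `id` output above shows), and applies the sshd_config(5) rule that when several Match blocks apply only the first instance of each keyword is used. The `audit_case_mismatches` function is a defender's check: fed the raw login strings seen in the `checking match for` debug lines, it reports which of them resolve to an account that has a per-user Match block but would fall back to the global limits.

```python
"""Simulate sshd 'Match User' evaluation against the raw login name and
contrast it with sssd's case-insensitive canonical (lowercase) account name.

Hypothetical illustration; not sshd or sssd code.  Only the Match User
criterion is understood, and only the '*', '?', ',' and '!' pattern features.
"""
import re

# Constructed sshd_config fragment mirroring the one in the post.
SAMPLE_SSHD_CONFIG = """\
MaxSessions 10
ClientAliveInterval 0

Match User SERVICEPPTPRDVRA
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3

Match User SERVICEPPTPRDDCA
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3
"""


def parse_sshd_config(text):
    """Return (global_options, match_blocks).

    match_blocks is a list of (user_pattern_list, options) in file order.
    Keywords are stored lowercased because sshd treats them case-insensitively.
    Any Match criterion other than User raises, so a caller never gets a
    confidently wrong answer for a config this toy does not model.
    """
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit = args.split()
            if len(crit) != 2 or crit[0].lower() != "user":
                raise ValueError(f"unsupported Match criteria: {args!r}")
            current = {}
            blocks.append((crit[1], current))
        else:
            current[keyword] = args
    return global_opts, blocks


def _match_one(pattern, name):
    """Case-sensitive glob with '*' and '?' only, like sshd's match_pattern()."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None


def match_user_pattern_list(pattern_list, name):
    """sshd match_pattern_list() semantics for Match User: comma-separated
    patterns; a matching '!'-negated pattern rejects outright, otherwise any
    positive match accepts.  No case folding is applied to the login name."""
    accepted = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if _match_one(pat[1:], name):
                return False
        elif _match_one(pat, name):
            accepted = True
    return accepted


def effective_options(text, raw_login_name):
    """Options sshd would apply for a login using the name exactly as typed.

    Matching blocks override the global section; where several blocks match,
    only the first instance of each keyword is kept (sshd_config(5)).
    Returns (options, list_of_matched_patterns).
    """
    global_opts, blocks = parse_sshd_config(text)
    effective, matched = {}, []
    for pattern, opts in blocks:
        if match_user_pattern_list(pattern, raw_login_name):
            matched.append(pattern)
            for key, value in opts.items():
                effective.setdefault(key, value)
    for key, value in global_opts.items():
        effective.setdefault(key, value)
    return effective, matched


def sssd_canonical_name(raw_login_name, case_sensitive=False):
    """Account name sssd hands back.  With case_sensitive = false (the AD
    provider default) every spelling resolves to the same lowercase account,
    as the 'id' output in the post shows.  Lowercasing is the modelling
    assumption here."""
    return raw_login_name if case_sensitive else raw_login_name.lower()


def audit_case_mismatches(text, observed_logins):
    """For each raw login string (e.g. from sshd's 'checking match for' debug
    lines) report (login, canonical_account, intended_patterns) whenever the
    account has a Match User block meant for it (the pattern matches the
    canonical name once folded to lowercase) but sshd's case-sensitive
    comparison selects no block, so the global limits apply instead."""
    _, blocks = parse_sshd_config(text)
    findings = []
    for login in observed_logins:
        canonical = sssd_canonical_name(login)
        _, matched = effective_options(text, login)
        intended = [p for p, _ in blocks
                    if match_user_pattern_list(p.lower(), canonical)]
        if intended and not matched:
            findings.append((login, canonical, intended))
    return findings


if __name__ == "__main__":
    for login in ("SERVICEPPTPRDVRA", "servicepptprdvra", "ServicePPTPrdVra"):
        opts, matched = effective_options(SAMPLE_SSHD_CONFIG, login)
        print(f"{login:18} sssd account={sssd_canonical_name(login)} "
              f"matched={matched} MaxSessions={opts['maxsessions']}")
    print(audit_case_mismatches(SAMPLE_SSHD_CONFIG,
                                ["servicepptprdvra", "ServicePPTPrdVra"]))
```

Run as-is, only the all-uppercase spelling picks up `MaxSessions 999`; the other two spellings log in to the same sssd account yet keep the global `MaxSessions 10`, which is exactly the `match not found` situation the debug output records. The audit function is a convenient thing to run over the raw names harvested from `LogLevel DEBUG3` output when deciding how the Match patterns need to be spelled.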