sssd professionals,

Interesting problem; seems to be an interaction with the sshd daemon when using an AD back-end.

When using sssd (with an AD back-end), what should my "Match" blocks in the /etc/ssh/sshd_config file look like for overriding user values?

Right now, my Match blocks look like:

    MaxSessions 10
    ....

    Match User SERVICEPPTPRDVRA
       MaxSessions 999
       ClientAliveInterval 360
       ClientAliveCountMax 3

    Match User SERVICEPPTPRDDCA
       MaxSessions 999
       ClientAliveInterval 360
       ClientAliveCountMax 3

And in the system log files, it looks like:

Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug2: parse_server_config: config reprocess config len 1479
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: checking match for 'User SERVICEPPTPRDVRA' user SERVICEPPTPRDVRA host 10.175.99.51 addr 10.175.99.51 laddr 10.174.120.203 lport 22
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug1: user SERVICEPPTPRDVRA matched 'User SERVICEPPTPRDVRA' at line 158
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: match found
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: reprocess config:159 setting MaxSessions 999
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: reprocess config:160 setting ClientAliveInterval 360
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: reprocess config:161 setting ClientAliveCountMax 3
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: checking match for 'User SERVICEPPTPRDDCA' user SERVICEPPTPRDVRA host 10.175.99.51 addr 10.175.99.51 laddr 10.174.120.203 lport 22
Nov 4 10:40:22 peplpc1mom01 sshd[2400354]: debug3: match not found

Here's where it gets weird. Because this is an AD back-end, by default sssd is setting

    case_sensitive = false

That is, it matches any case of user names. Examples:

    SERVICEPPTPRDVRA
    servicepptprdvra
    ServicePPTPrdVra

However, I notice that sssd maps all the user names to lowercase once you're fully logged in. (This is what's desired.)

Example:

    [root@peplpc1mom01 ssh]# su -l SERVICEPPTPRDVRA
    Last login: Wed Nov  4 10:03:31 CST 2020 on pts/12
    [servicepptprdvra@peplpc1mom01 ~]$ id
    uid=3001425(servicepptprdvra) gid=3001425(servicepptprdvra) groups=3001425(servicepptprdvra),1010(amerunixusers),2284221(puppetentrp)
    [servicepptprdvra@peplpc1mom01 ~]$

It looks like SSHD is looking at the raw "user name" input without any processing for its match blocks. So I'm guessing this is before any PAM or NSS processing.

Originally, I naively assumed that my Match blocks should be lowercase, as that's what I see on the command line. But now I think it has to be whatever raw input the user entered.

Spike
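As an added illustration (this is editor-supplied example code, not part of Spike's post and not sssd or OpenSSH code), the following Python script models the behaviour the debug log above shows: sshd evaluates each "Match User" pattern list against the login name exactly as the client sent it, before NSS or PAM get a chance to canonicalise it. The script assumes that comparison is case-sensitive (modelled with fnmatch.fnmatchcase) and that "Match User" accepts a comma-separated list of glob patterns with a leading "!" for negation; the sshd_config excerpt is constructed to mirror the two blocks in the post, with the second one deliberately written in lowercase. The audit function flags blocks whose user pattern differs from the canonical lowercased account name only by case, which is exactly the silent non-match described above.

```python
"""Model of how sshd evaluates "Match User" blocks against the raw login name,
plus an audit for blocks that only differ from the canonical name by case.

Assumption (not stated in the post): the comparison is case-sensitive, so
fnmatch.fnmatchcase is used rather than fnmatch.fnmatch.
"""
import fnmatch

# Constructed sshd_config excerpt modelled on the post's Match blocks. The
# second block is intentionally lowercase to show the opposite failure.
SSHD_CONFIG = """\
MaxSessions 10
ClientAliveInterval 0

Match User SERVICEPPTPRDVRA
   MaxSessions 999
   ClientAliveInterval 360
   ClientAliveCountMax 3

Match User servicepptprddca
   MaxSessions 999
"""


def parse_sshd_config(text):
    """Return (global_options, match_blocks); each block is (patterns, options).
    Only 'Match User <list>' criteria are modelled; option keys are lowercased."""
    global_opts = {}
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        value = value.strip()
        if key == "match":
            criterion, _, patterns = value.partition(" ")
            if criterion.lower() != "user":
                raise ValueError("only 'Match User' is modelled: %s" % line)
            current = ([p for p in patterns.strip().split(",") if p], {})
            blocks.append(current)
        elif current is None:
            global_opts[key] = value
        else:
            current[1][key] = value
    return global_opts, blocks


def user_matches(patterns, login_name):
    """sshd-style pattern-list match: '*' and '?' wildcards, a leading '!'
    negates, and a negated hit rejects immediately. Case-sensitive."""
    matched = False
    for pattern in patterns:
        negate = pattern.startswith("!")
        body = pattern[1:] if negate else pattern
        if fnmatch.fnmatchcase(login_name, body):
            if negate:
                return False
            matched = True
    return matched


def effective_options(text, login_name):
    """Global options overlaid with every Match block the raw login name hits."""
    global_opts, blocks = parse_sshd_config(text)
    effective = dict(global_opts)
    for patterns, options in blocks:
        if user_matches(patterns, login_name):
            effective.update(options)
    return effective


def audit_case_mismatches(text, canonical_names):
    """Flag literal Match User patterns that equal a canonical (lowercased)
    account name only when compared case-insensitively: such a block is
    skipped for a login typed in any other case. Returns (pattern, name) pairs."""
    _, blocks = parse_sshd_config(text)
    findings = []
    for patterns, _ in blocks:
        for pattern in patterns:
            if any(ch in pattern for ch in "*?!"):
                continue  # wildcard or negated patterns need human review
            for name in canonical_names:
                if pattern != name and pattern.lower() == name.lower():
                    findings.append((pattern, name))
    return findings


if __name__ == "__main__":
    for login in ("SERVICEPPTPRDVRA", "servicepptprdvra", "ServicePPTPrdVra"):
        print(login, "->", effective_options(SSHD_CONFIG, login)["maxsessions"])
    print(audit_case_mismatches(SSHD_CONFIG, ["servicepptprdvra", "servicepptprddca"]))
```

Running the script shows that only the exact spelling "SERVICEPPTPRDVRA" picks up MaxSessions 999, while "servicepptprdvra" and "ServicePPTPrdVra" fall through to the global value of 10, even though sssd will resolve all three to the same account. On a real host the equivalent check is sshd's test mode, for example "sshd -T -C user=SERVICEPPTPRDVRA,host=10.175.99.51,addr=10.175.99.51", which prints the effective configuration for that connection; since the Match User argument is a comma-separated pattern list, one block can list the spellings that are actually in use and the audit above can be rerun whenever the file changes.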