On Tue, 2020-05-26 at 17:11 +0200, Hans Petter Jansson wrote:
> Hi, I'm in the position of having to support a fix for a bad
> interaction between sshd and winbind/Active Directory. It's solved by a
> small patch against openssh, but it would be nice to have the solution
> generally available.
>
> The problem has previously been described on this list by Andreas
> Schneider, see:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-February/037556.html
>
> That's the last mention of this I could find in the archives. Was a
> final decision reached on whether that patch (or something similar)
> would be accepted?

Did you try that patch, and did it solve the issue for you?

We tried, and we were not able to verify that it fixes the described
issue. Moreover, this original patch is broken on systems where two
users have the same UID.

I tried to tweak it a bit (see the attached patch) to avoid these
issues, but we were still not able to verify that it fixes the
described issue, so we do not ship it.

I did not look into this much, but if I am right, the group information
is cached in uidswap.c too, so it might need some more work to be
working.

Whether it will be accepted here is another question.

Hope it helps,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
commit 3899be76a3fdbf366ee7143ce38f53a1546b65ae Author: Jakub Jelen <jjelen@xxxxxxxxxx> Date: Fri May 31 13:24:34 2019 +0200 Update cached pw structure after successful authetnication through PAM diff --git a/session.c b/session.c index f2c3abde..e25f1e82 100644 --- a/session.c +++ b/session.c @@ -1515,9 +1515,21 @@ do_child(struct ssh *ssh, Session *s, const char *command) extern char **environ; char **env, *argv[ARGV_MAX], remote_id[512]; const char *shell, *shell0; - struct passwd *pw = s->pw; + struct passwd *pw = NULL; int r = 0; + /* Update the users passwd structure after successful login */ + pw = pwcopy(getpwnam(s->pw->pw_name)); + if (pw != NULL) { + s->pw = pw; + /* Fix also the original location where we copied + * the pw structure from, to be sure. */ + free(s->authctxt->pw); + s->authctxt->pw = pw; + } else { + pw = s->pw; + } + sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
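Review bot: the NULL check in this hunk guards the return value of pwcopy(), not of getpwnam(), so when getpwnam(s->pw->pw_name) returns NULL (the account is no longer resolvable, or winbind/the directory is temporarily unreachable at session start) pwcopy() is handed a NULL pointer and dereferences it while duplicating the fields. Look up first, test the result, and only then copy, e.g. `struct passwd *npw = getpwnam(s->pw->pw_name);` followed by `pw = (npw != NULL) ? pwcopy(npw) : s->pw;`, and only update s->pw / s->authctxt->pw on the success path. Two smaller points on the same lines: `free(s->authctxt->pw)` releases just the struct while pwcopy() duplicates the string members, so the old copy's strings leak (minor here, since do_child runs in the forked child), and the code silently assumes s->pw and s->authctxt->pw are the same pointer; if they ever differ, the old s->pw is dropped without being freed, so either assert that assumption or free both.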
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev