authorJakub Hrozek <jhrozek@redhat.com>2016-04-28 10:31:45 +0200
committerLukas Slebodnik <lslebodn@redhat.com>2016-07-01 15:28:33 +0200
commitfcbcfa69f9291936f01f24b5fcb5a7672dca46f3 (patch)
treea49ba2e0f768f17916bcf481afaafce21e059135
parentab5c1f5d8c2855e56198676cef2b5fd418d96d42 (diff)
SSH: Do not print an error message if sss_ssh_authorizedkeys is asked for a local user
If an IPA client uses the SSH integration and a local user logs in with SSH, sss_ssh_authorizedkeys looks up their keys in the SSH responder, which doesn't find the user and returns ENOENT. sss_ssh_authorizedkeys reports a failure on any error, including ENOENT, which produced a confusing error message in the logs. This patch adds a new error code for users that are not found by SSSD but exist on the system, and also special-cases root with the same error code. Therefore, logging in as a local user no longer prints an error message. Resolves: https://fedorahosted.org/sssd/ticket/3003 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-rw-r--r--src/responder/ssh/sshsrv_cmd.c22
-rw-r--r--src/sss_client/ssh/sss_ssh_authorizedkeys.c7
-rw-r--r--src/util/util_errors.c1
-rw-r--r--src/util/util_errors.h1
4 files changed, 26 insertions, 5 deletions
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index 1baba8b03..fef0ce099 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -67,7 +67,7 @@ sss_ssh_cmd_get_user_pubkeys(struct cli_ctx *cctx)
cmd_ctx->name, cmd_ctx->domname ? cmd_ctx->domname : "<ALL>");
if (strcmp(cmd_ctx->name, "root") == 0) {
- ret = ENOENT;
+ ret = ERR_NON_SSSD_USER;
goto done;
}
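Review bot: The `strcmp(cmd_ctx->name, "root") == 0` early return is the one place where a name is refused before any domain lookup, and the reason is not stated anywhere in the hunk; now that it returns a dedicated code, a one-line comment would keep the intent from being "optimised away" later, e.g. `/* root is never looked up in SSSD: its keys must come from the local system only */`. That reading is inferred from the code path, not stated on the page, so confirm it with the original author before wording it as policy. sss_ssh_cmd_get_user_pubkeys starts and ends outside this hunk.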
@@ -168,6 +168,20 @@ ssh_user_pubkeys_search_dp_callback(uint16_t err_maj,
void *ptr);
static errno_t
+ssh_user_handle_not_found(const char *username)
+{
+ struct passwd *pwd;
+
+ pwd = getpwnam(username);
+ if (pwd != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "%s is a non-SSSD user\n", username);
+ return ERR_NON_SSSD_USER;
+ }
+
+ return ENOENT;
+}
+
+static errno_t
ssh_user_pubkeys_search(struct ssh_cmd_ctx *cmd_ctx)
{
struct tevent_req *req;
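Review bot: ssh_user_handle_not_found treats every NULL from getpwnam() as "no such local user", but getpwnam() also returns NULL on a lookup failure with errno set, so a transient NSS error is silently downgraded to ENOENT; clear errno before the call and report the failure case, `errno = 0; pwd = getpwnam(username); if (pwd == NULL && errno != 0) { DEBUG(SSSDBG_MINOR_FAILURE, "getpwnam(%s) failed [%d]: %s\n", username, errno, strerror(errno)); }`. The call is also a synchronous NSS lookup made from inside the responder, and where the sss module is listed in nsswitch.conf it presumably routes back through SSSD's own NSS path, which is worth a comment on the helper stating that this is intentional, e.g. `/* Synchronous NSS lookup; may re-enter sssd_nss via the sss NSS module */`. If the responder ever becomes multi-threaded, getpwnam_r() with a caller-owned buffer avoids the static result of getpwnam(); I cannot tell from the hunk whether that matters here. The same helper is the new return path in the hunks at lines 52-59 and 60-69, so the errno handling fixes all three callers at once.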
@@ -182,7 +196,7 @@ ssh_user_pubkeys_search(struct ssh_cmd_ctx *cmd_ctx)
if (!cmd_ctx->domain) {
DEBUG(SSSDBG_OP_FAILURE,
"No matching domain found for [%s], fail!\n", cmd_ctx->name);
- return ENOENT;
+ return ssh_user_handle_not_found(cmd_ctx->name);
}
/* refresh the user's cache entry */
@@ -256,10 +270,10 @@ ssh_user_pubkeys_search_next(struct ssh_cmd_ctx *cmd_ctx)
return ssh_user_pubkeys_search(cmd_ctx);
}
- DEBUG(SSSDBG_OP_FAILURE,
+ DEBUG(SSSDBG_MINOR_FAILURE,
"No attributes for user [%s] found.\n", cmd_ctx->name);
- return ENOENT;
+ return ssh_user_handle_not_found(cmd_ctx->name);
}
cmd_ctx->result = res->msgs[0];
diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
index 89eda2371..782a9f443 100644
--- a/src/sss_client/ssh/sss_ssh_authorizedkeys.c
+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
@@ -86,7 +86,12 @@ int main(int argc, const char **argv)
/* look up public keys */
ret = sss_ssh_get_ent(mem_ctx, SSS_SSH_GET_USER_PUBKEYS,
pc_user, pc_domain, NULL, &ent);
- if (ret != EOK) {
+ if (ret == ERR_NON_SSSD_USER) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "The user %s is valid, but not handled by sssd\n", pc_user);
+ ret = EXIT_SUCCESS;
+ goto fini;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sss_ssh_get_ent() failed (%d): %s\n", ret, strerror(ret));
ERROR("Error looking up public keys\n");
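Review bot: The new ERR_NON_SSSD_USER branch logs an expected, non-error outcome at SSSDBG_MINOR_FAILURE, while the responder logs the very same condition at SSSDBG_TRACE_ALL in ssh_user_handle_not_found; a trace level such as `DEBUG(SSSDBG_TRACE_FUNC, "The user %s is a local (non-SSSD) user\n", pc_user);` keeps the two sides consistent and avoids a "failure" line for every local SSH login. The message text "is valid" overstates what the responder established, which is only that getpwnam() found the name, so the wording above is more precise. On this path the tool exits successfully without printing any key, which I take to mean sshd continues with its other authorized-keys sources, but that behaviour is outside the hunk and should be confirmed. main() starts and ends outside this hunk.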
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 9beffbc39..522b0f4ff 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -96,6 +96,7 @@ struct err_string error_to_str[] = {
{ "Domain has to timestamp cache" }, /* ERR_NO_TS */
{ "No timestamp cache record" }, /* ERR_TS_CACHE_MISS */
{ "Dereference threshold reached" }, /* ERR_DEREF_THRESHOLD */
+ { "The user is not handled by SSSD" }, /* ERR_NON_SSSD_USER */
{ "ERR_LAST" } /* ERR_LAST */
};
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index d234ed00f..15ec5974b 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -118,6 +118,7 @@ enum sssd_errors {
ERR_NO_TS,
ERR_TS_CACHE_MISS,
ERR_DEREF_THRESHOLD,
+ ERR_NON_SSSD_USER,
ERR_LAST /* ALWAYS LAST */
};