author | Jakub Hrozek <jhrozek@redhat.com> | 2016-04-28 10:31:45 +0200 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2016-07-01 15:28:33 +0200 |
commit | fcbcfa69f9291936f01f24b5fcb5a7672dca46f3 (patch) | |
tree | a49ba2e0f768f17916bcf481afaafce21e059135 /src/responder | |
parent | ab5c1f5d8c2855e56198676cef2b5fd418d96d42 (diff) | |
SSH: Do not print an error message if sss_ssh_authorizedkeys is asked for a local user
If an IPA client uses the SSH integration and a local user logs in with
SSH, the sss_ssh_authorizedkeys looks up their keys in the SSH
responder, which doesn't find the user and returns ENOENT. The
sss_ssh_authorizedkeys reports a failure on any error, including ENOENT,
which produced a confusing error message in the logs.
This patch adds a new error code that handles users that are not found
by SSSD but exist on the system and also special cases root with the
same error code. Therefore, logging in as a local user no longer prints
an error message.
Resolves:
https://fedorahosted.org/sssd/ticket/3003
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r-- | src/responder/ssh/sshsrv_cmd.c | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index 1baba8b03..fef0ce099 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -67,7 +67,7 @@ sss_ssh_cmd_get_user_pubkeys(struct cli_ctx *cctx)
 cmd_ctx->name, cmd_ctx->domname ? cmd_ctx->domname : "<ALL>");
 if (strcmp(cmd_ctx->name, "root") == 0) {
- ret = ENOENT;
+ ret = ERR_NON_SSSD_USER;
 goto done;
 }
@@ -168,6 +168,20 @@ ssh_user_pubkeys_search_dp_callback(uint16_t err_maj, void *ptr);
 static errno_t
+ssh_user_handle_not_found(const char *username)
+{
+ struct passwd *pwd;
+
+ pwd = getpwnam(username);
+ if (pwd != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "%s is a non-SSSD user\n", username);
+ return ERR_NON_SSSD_USER;
+ }
+
+ return ENOENT;
+}
+
+static errno_t
 ssh_user_pubkeys_search(struct ssh_cmd_ctx *cmd_ctx)
 {
 struct tevent_req *req;
@@ -182,7 +196,7 @@ ssh_user_pubkeys_search(struct ssh_cmd_ctx *cmd_ctx)
 if (!cmd_ctx->domain) {
 DEBUG(SSSDBG_OP_FAILURE, "No matching domain found for [%s], fail!\n", cmd_ctx->name);
- return ENOENT;
+ return ssh_user_handle_not_found(cmd_ctx->name);
 }
 /* refresh the user's cache entry */
@@ -256,10 +270,10 @@ ssh_user_pubkeys_search_next(struct ssh_cmd_ctx *cmd_ctx)
 return ssh_user_pubkeys_search(cmd_ctx);
 }
- DEBUG(SSSDBG_OP_FAILURE,
+ DEBUG(SSSDBG_MINOR_FAILURE,
 "No attributes for user [%s] found.\n", cmd_ctx->name);
- return ENOENT;
+ return ssh_user_handle_not_found(cmd_ctx->name);
 }
 cmd_ctx->result = res->msgs[0]; |
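Review bot: In `ssh_user_handle_not_found()` a NULL return from `getpwnam()` is treated as "no such user", but the call also returns NULL when the lookup itself fails, so a transient NSS error is reported as a plain ENOENT. Clearing `errno` first and logging when it is non-zero afterwards keeps the two cases apart: `errno = 0; pwd = getpwnam(username);` followed by `if (pwd == NULL && errno != 0) { DEBUG(SSSDBG_MINOR_FAILURE, "getpwnam failed for [%s]: %d\n", username, errno); }`. The call is also synchronous and consults every passwd source configured in NSS, which on an SSSD client presumably includes SSSD itself; because it runs for each name the responder cannot resolve, the function deserves a comment stating that the blocking lookup is accepted here and that a hit only shows the name resolves somewhere, not that the account is local. The 18 insertions in the diffstat are all accounted for by these hunks, so `<pwd.h>` is presumably reached through an existing include; an explicit `#include <pwd.h>` would make that dependency visible.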
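Review bot: The "No matching domain found" message just above the changed return in `ssh_user_pubkeys_search()` is still emitted at `SSSDBG_OP_FAILURE`, while the corresponding message in `ssh_user_pubkeys_search_next()` is lowered to `SSSDBG_MINOR_FAILURE` in the same commit. If a lookup for a user outside SSSD is now an expected outcome on both paths, the level here should match: `DEBUG(SSSDBG_MINOR_FAILURE,`. If the difference is deliberate, a one-line comment saying why a missing domain is more serious than a missing entry would help the next reader. The body of `ssh_user_pubkeys_search()` continues outside the hunk.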