NetBSD-Users archive


sshd privsep, NSS/LDAP and TLS


I encountered a strange bug with the following setup on NetBSD-4.0:
- in-tree sshd (OpenSSH-4.4) uses privilege separation (default setting)
- NSS uses LDAP for groups, using nss_ldap-260 and openldap-client-2.4.11
- nss_ldap.conf tells nss_ldap to connect to the directory using TLS
- persistent connections are enabled in nss_ldap.conf (also the default setting)

When a user logs in, there is a short hang until it gets to the shell.
The id command shows that the supplementary groups have not been
initialized. id `whoami` shows the groups, therefore I am sure NSS/LDAP
is fully functional.

I tracked the hang to the LDAP request generated by the initgroup()
call sshd does. The problem disappears if any of the following is done:
1) disable privilege separation in sshd
2) disable persistent connections in nss_ldap.conf
3) disable TLS in nss_ldap.conf

It seems sshd starts an LDAP connection using TLS in a privileged instance,
and if it is persistent, it tries to reuse it in an unprivileged instance.
For a reason I cannot really figure out, this fails.

Has anyone hit the same problem?

Emmanuel Dreyfus
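The configuration combination the post describes, and the three workarounds it lists, written out as an added example; this is not configuration from the original post or from the nss_ldap or OpenSSH projects. The file paths, the directory hostname, the base DN and the CA file name are assumptions; the option names (`ssl`, `nss_connect_policy`, `UsePrivilegeSeparation`) are the ones nss_ldap's ldap.conf and OpenSSH's sshd_config use.

```conf
# /etc/nss_ldap.conf (path assumed) -- the setup that hangs:
# TLS on, persistent connections on (nss_ldap's default), and sshd
# running with privilege separation (OpenSSH's default).
uri                 ldap://ldap.example.org/        # hostname assumed
base                dc=example,dc=org               # base DN assumed
ssl                 start_tls
tls_checkpeer       yes
tls_cacertfile      /etc/openldap/cacert.pem        # CA file assumed
nss_connect_policy  persist                         # default: reuse one connection

# Workaround 2 from the post: keep TLS and privsep, but make nss_ldap open a
# fresh connection for each lookup, so the unprivileged sshd child never
# tries to reuse a TLS session that the privileged parent opened.
# (Replace the line above with this one.)
nss_connect_policy  oneshot

# Workaround 3 from the post: keep persistent connections and privsep, but
# drop TLS on the directory connection. This sends group lookups in clear
# text, so it is the least desirable of the three on an untrusted network.
# (Replace "ssl start_tls" with this line.)
ssl                 off

# Workaround 1 from the post, in /etc/ssh/sshd_config (path assumed):
# disable privilege separation so the lookup happens in the same process
# that opened the connection. This gives up the privsep defence, so prefer
# one of the nss_ldap-side changes above.
UsePrivilegeSeparation no
```

Only one of the three changes is needed according to the post. Of the three, `nss_connect_policy oneshot` is the one that keeps both sshd's privilege separation and TLS to the directory, at the cost of one TLS handshake per NSS lookup. After changing the file, log in over ssh and compare `id` in the new session with `id <username>` run from an existing shell; the supplementary group lists should match.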
