Subject: strange sshd behaviour, bug in nss_ldap
To: None <tech-userlevel@NetBSD.org>
From: Edgar =?iso-8859-1?B?RnXf?= <firstname.lastname@example.org>
Date: 07/09/2007 12:38:14
I spent most of Friday trying to find out why I was unable to log in to a newly setup machine via ssh while I could log in on the console. Especially as on another machine with identical configuration, everything worked as expected.
To make a long story short, I identified the culprit being databases/nss_ldap which was 240nb6 on the machine where it worked and 240nb7 on the slightly newer one where it didn't. The relevant change was --enable-schema-mapping.
Digging further into this, I found two things one of which I find a strange behaviour of ssh with UsePam enabled and the other one I suspect to be an error in nss_ldap.
First, even with "UsePam yes", sshd tries to verify that the user's account and password have not expired (auth.c:173). I would prefer having PAM handle this.
Second, it looks like nss_ldap gets the pw_change field wrong (ldap-pwd.c:188):
pw->pw_change += atol(tmp);
which should read
pw->pw_change += atol(tmp) * (24*60*60);