Hi,
I'm using libnss-mysql 1.1 with FreeBSD 5.2.1-RELEASE and I'm having troubles with logging in through SSH.
The problem is that when SSH is in privilege separation mode I can't login. With privsep off it works fine, but of course I want to use privilege separation for security reasons.
I use the default DB layout and the default queries. The problem is that libnss-mysql uses the wrong query.
The first queries work fine (as root), but when SSH drops privileges, libnss-mysql switches to the nss-user account (as it should) but it keeps using the old getpwuid query, see this mysql log:
12 Connect nss-user@localhost on
12 Init DB normi
12 Query SELECT username,password,uid,gid,pwchange,class,gecos,homedir,shell,expire FROM users WHERE uid='5000' LIMIT 1
and that results in:
Mar 16 05:11:23 fbsd sshd[999]: libnss-mysql: mysql_query failed: SELECT command denied to user: 'nss-user@localhost' for column 'password' in table 'users'
Mar 16 05:11:23 fbsd sshd[999]: fatal: login_get_lastlog: Cannot find account for uid 5000
It seems like the query is cached somehow which seems to me like a bug in libnss-mysql. I hope you will be able to solve this problem, so I can use your great software :)
Btw: During bootup, directly after starting mysql, I get:
Mar 16 04:46:10 fbsd mysqld[625]: libnss-mysql: Connection to server 'localhost' failed: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
probably because mysql has not yet setup the socket. Can this cause any problems?
Hm, I didn't anticipate that ssh privsep would mean it would ask for a user's password without root privs. Is privsep the default in 5.2.1? (I don't have my test box in front of me) I could swear I tested ssh with libnss-mysql 1.1 ...
If privsep isn't default and you're turning it on, and want ssh to work with mysql users, I'm afraid the only option is to change the libnss-mysql config (and database perms) to allow non-root users to SELECT the MySQL 'password' column. While that's giving people cleartext access, it would enable offline brute force attacks. I'm not sure of any other solution at the moment. I'd have to play with it when I'm in front of my test box.
Privsep is the default in 5.2.1.
After turning it off everything worked fine.
But the password checking happens as root afaik.
This is the full query log of a login attempt:
040316 7:40:48 2 Connect nss-root@localhost on
2 Init DB normi
2 Query SELECT username,password,uid,gid,pwchange,class,gecos,homedir,shell,expire FROM users WHERE username='testuser' LIMIT 1
3 Connect nss-root@localhost on
3 Init DB normi
3 Query SELECT username,password,uid,gid,pwchange,class,gecos,homedir,shell,expire FROM users WHERE username='testuser' LIMIT 1
3 Query SELECT username,password,uid,gid,pwchange,class,gecos,homedir,shell,expire FROM users WHERE username='testuser' LIMIT 1
040316 7:40:49 3 Query SELECT username,password,uid,gid,pwchange,class,gecos,homedir,shell,expire FROM users WHERE username='testuser' LIMIT 1
4 Connect nss-root@localhost on
4 Init DB normi
4 Query SELECT name,password,gid FROM groups
4 Query SELECT username FROM grouplist WHERE gid='5000'
040316 7:40:50 4 Quit
5 Connect nss-user@localhost on
5 Init DB normi
5 Query SELECT username,password,uid,gid,pwchange,class,gecos,homedir,shell,expire FROM users WHERE uid='5000' LIMIT 1
5 Query SELECT username,password,uid,gid,pwchange,class,gecos,homedir,shell,expire FROM users WHERE uid='5000' LIMIT 1
5 Query SELECT username,password,uid,gid,pwchange,class,gecos,homedir,shell,expire FROM users WHERE uid='5000' LIMIT 1
I don't want to post the full libnss-mysql debug log here, but the problem seems clear to me now:
-SSH drops privileges
-Starts session
-NSS receives request for getpwuid
-NSS builds query (_nss_mysql_build_query)
-NSS runs query (_nss_mysql_run_query)
-NSS sees changed euid and rereads config (_nss_mysql_check_existing_connection)
-NSS _does not_ rebuild the query, but tries to rerun the _same_ query (from root config, with password field in query)
I think the problem is that the query has to be rebuilt after a config change, but I don't have the C skills to fix it :)
I moved some code (the euid check) from _nss_mysql_check_existing_connection to _nss_mysql_lookup. This seems to solve the problem for me :)
The patch is here:
http://normi.net/~mike/libnss-mysql-euid.diff
Don't know if this is the ideal solution, but it works :)
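As an added illustration of the sequence analysed in this post (not libnss-mysql's own code and not the patch linked above), the C model below replays the privilege-separation login: lookups as root go out as nss-root with the password column, then sshd drops privileges and the euid check swaps in the non-root config and account. The buggy order builds the query before the euid check, so the stale root query is run as nss-user and is denied; the fixed order, following the idea of moving the euid check ahead of query building, rebuilds the query from the reloaded config. The function names, the column-level "deny password to nss-user" rule in the fake server, and the post-drop uid of 22 are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Two configs standing in for the root and non-root config files: the
 * non-root column list omits 'password', matching grants where only the
 * nss-root account may read that column (assumed for this example). */
struct config {
    const char *dbuser;    /* MySQL account this config connects as */
    const char *pw_cols;   /* columns used by the getpwuid query */
};

static const struct config root_conf = {
    "nss-root",
    "username,password,uid,gid,pwchange,class,gecos,homedir,shell,expire"
};
static const struct config user_conf = {
    "nss-user",
    "username,uid,gid,pwchange,class,gecos,homedir,shell,expire"
};

static unsigned g_euid;                 /* simulated effective uid (0 = root) */
static const struct config *g_conf;     /* config currently loaded, if any */
static unsigned g_conf_euid;            /* euid the config was loaded under */

/* Fake MySQL server enforcing a column-level grant: nss-user is denied
 * SELECT on 'password'. Returns 0 on success, -1 for "command denied". */
static int server_query(const char *dbuser, const char *sql)
{
    if (strcmp(dbuser, "nss-user") == 0 && strstr(sql, "password") != NULL)
        return -1;
    return 0;
}

/* Stand-in for the euid check in _nss_mysql_check_existing_connection:
 * if the euid changed since the config was loaded, reread the config
 * (and thus the DB account) for the new euid. */
static void check_existing_connection(void)
{
    if (g_conf == NULL || g_conf_euid != g_euid) {
        g_conf = (g_euid == 0) ? &root_conf : &user_conf;
        g_conf_euid = g_euid;
    }
}

/* Stand-in for _nss_mysql_build_query, using whatever config is loaded. */
static void build_getpwuid_query(char *buf, size_t n, unsigned uid)
{
    snprintf(buf, n, "SELECT %s FROM users WHERE uid='%u' LIMIT 1",
             g_conf->pw_cols, uid);
}

/* Buggy order: build the query, then notice the euid change and switch
 * config/account, then run the query built from the old config. */
int getpwuid_buggy(unsigned uid)
{
    char sql[256];
    if (g_conf == NULL)
        check_existing_connection();    /* first call: nothing loaded yet */
    build_getpwuid_query(sql, sizeof sql, uid);
    check_existing_connection();        /* may switch to nss-user here */
    return server_query(g_conf->dbuser, sql);
}

/* Fixed order: the euid check runs in the lookup before the query is
 * built, so a config change is reflected in the query that is run. */
int getpwuid_fixed(unsigned uid)
{
    char sql[256];
    check_existing_connection();
    build_getpwuid_query(sql, sizeof sql, uid);
    return server_query(g_conf->dbuser, sql);
}

/* Replay the query log above: a lookup as root succeeds, then the privsep
 * child drops to an unprivileged uid and looks up uid 5000 again.
 * Returns the result of that post-drop lookup (-2 if the root one failed). */
int simulate_privsep_login(int (*lookup)(unsigned))
{
    g_conf = NULL;
    g_euid = 0;
    if (lookup(5000) != 0)
        return -2;
    g_euid = 22;                        /* assumed unprivileged uid after the drop */
    return lookup(5000);
}

int main(void)
{
    printf("buggy lookup after privilege drop: %s\n",
           simulate_privsep_login(getpwuid_buggy) == 0 ? "ok" : "denied");
    printf("fixed lookup after privilege drop: %s\n",
           simulate_privsep_login(getpwuid_fixed) == 0 ? "ok" : "denied");
    return 0;
}
```

The fake server stands in for MySQL's column grants only so the example runs offline; the point it shows is that any state derived from the config (the query text, the connection's account) must be rebuilt once the euid check decides to reread the config, not just the connection.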
This is odd. I can't reproduce the problem on my own 5.2.1R box! Is this a fresh clean install of 5.2.1 or a cvsup or an upgrade or ...
I do believe you're going down the right path, however. I see the flaw you're fixing. Once I can reproduce the problem I'll see what the proper solution is.. you may have it, I just haven't given it much thought yet :-)
BTW that mysql error message you originally mentioned can be ignored - it's just MySQL doing some sort of user lookup before it's initialized, resulting in libnss-mysql warning that it can't reach any MySQL servers. No biggie.
Strange...
It's just a clean install of 5.2.1, done 2 weeks ago. Nothing changed in ssh or pam afaik. Maybe you are using some old configs or wrong permissions for the nss-user mysql user? (as that changed from 0.5 to 0.5.1)
0.5 to 0.5.1? What's that referring to?
I realized that when I "uninstalled" that I didn't remove any of the MySQL grants for the nss-% users. Now that I've done that, I can reproduce the problem. I'll now move on to fixing the code. :-) Thanks!
>>0.5 to 0.5.1? What's that referring to?
Err :+ I mean libnss-mysql 1.0 to 1.1 lol....
:-)
I've patched the code with your patch (thanks!) and it's sitting in CVS, awaiting more testing by myself. It appears to be the proper solution.