LDAP - SFTP Chroot - Not totally functioning

[GeorgeLinn]

I am having a problem using LDAP with SFTP chrooted access on a FreeBSD 9.1-RC1 installation. LDAP works fine with SSH logins, LDAP also seems to authenticate chrooted SFTP sessions ok too, but once the SFTP session is active I can not get a simple directoy listing to work. The ls command seems to freeze for 10-20 minutes then eventualy works. After the initail dealy, ls command continues to work.

If I disable LDAP on the computer, the chrooted SFTP process works OK. Also, if I put a copy of the hosts file in to the chrooted SFTP environment there is no delay in the chrooted SFTP session while LDAP is enabled.

I think there is an issue with LDAP lookups only from within the SFTP chrooted session. Any thoughts as to why this is not working?
/etc/ssh/sshd_config excerpt

Match Group sftpusers
    ChrootDirectory /mnt/home/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
Match

LDAP related ports installed:

nss_ldap-1.265_7    RFC 2307 NSS module
openldap-client-2.3.43 Open source LDAP client implementation

 

[mamalos]

Post your /etc/nsswitch.conf, your /usr/local/etc/openldap/ldap.conf, your /etc/hosts as well as the contents of your nss-ldap configuration. Lastly, tell us your jail's IP.

 

[GeorgeLinn]

Thanks for taking the time to look at this. No jails are setup, the IP address of the machine is 192.168.101.32 and the machine name is ny-sftpc1.

/etc/nsswitch.conf

#group: compat
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
#passwd: compat
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

/usr/local/etc/openldap/ldap.conf

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
BASE    dc=bsd4all, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
URI     ldap://ny-ldapcs1.bsd4all.com:389
#URI    ldap://192.168.101.51:389
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

/etc/hosts

::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain

192.168.100.50          ny-ldapm ny-ldapm.bsd4all.com
192.168.101.51          ny-ldapcs1 ny-ldapcs1.bsd4all.com
192.168.100.51          ny-ldaps1 ny-ldaps1.bsd4all.com
192.168.100.52          ny-ldaps2 ny-ldaps2.bsd4all.com
192.168.101.32          ny-sftpc1 ny-sftpc1.bsd4all.com

 

[GeorgeLinn]

/usr/local/etc/nss_ldap.conf

# @(#)$Id: ldap.conf,v 1.36 2005/03/23 08:29:59 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# [url]http://www.padl.com[/url]
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#
[color="Red"][B]host ny-ldapcs1.bsd4all.com ny-ldaps2.bsd4all.com[/B][/color]
#host ny-ldapcs1.bsd4all.com 192.168.101.51


# The distinguished name of the search base.
[color="Red"][B]base ou=people,dc=bsd4all,dc=com[/B][/color]
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://192.168.101.51/
#uri ldaps://192.168.101.51/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=replication,ou=people,dc=bsd4all,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw password

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=replication,ou=people,dc=bsd4all,dc=com

# The port.
# Optional: default is 389.
port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# If you are using XAD, you can set pam_password
# to racf, ad, or exop. Make sure that you have
# SSL enabled.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password clear SSHA

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
#extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit [url]http://internal[/url] to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd         ou=People,dc=bsd4all,dc=com?one
#nss_base_shadow        ou=People,dc=padl,dc=com?one
nss_base_group          ou=Groups,dc=bsd4all,dc=com?one
#nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
#nss_base_services      ou=Services,dc=padl,dc=com?one
#nss_base_networks      ou=Networks,dc=padl,dc=com?one
#nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
tls_cacertfile /usr/local/etc/openldap/cacert.pem
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
tls_cert /usr/local/etc/openldap/ny_sftpc1_servercrt.pem
tls_key /usr/local/etc/openldap/ny_sftpc1_serverkey.pem
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5

 

[SirDice]

Please use pastebin or something similar for large files.

 

[mamalos]

OK, the first time I saw your post I didn't realize that the chroot you were referring to was the built-in chroot that OpenSSH offers and this is why I was asking you for your jail's setup. No problem, though, the info you sent might be useful either way.

From what I understand (by looking how OpenSSH's chrooting method works), you might need to copy some libraries and/or maybe some binaries/configs(?) inside the chroot's root directory, which on your case is /mnt. This means that you might need some folders like /mnt/lib or /mnt/usr/lib, etc to be present in your case. If I wanted to find which files are needed and are not present, I'd run sshd from the command line through ktrace(1) (with -d to follow descendants), and I'd filter kdump(1)'s output to show all open(2) system calls (using grep(1)) to see which ones fail and seem to be related to ldap/nss (and which will probably be located at the end of the file and also be repeating themselves).

 

[GeorgeLinn]

Thanks. I also wanted to clarify that if I disable LDAP lookups, the SFTP chroot works fine without needing to copy additional files or libraries in to other areas of the chrooted area.

Once LDAP lookups are enabled I am still able to authenticate and access the SFTP chroot environment but the first time I execute the ls command there is a 20 minute pause. If I do copy a hosts file over the the chrooted envirnment there is no delay.

Below is a trace using LDAP only where the delay exists. I note in the trace where the 20 minute dealy is (let me know if you need to see more of the trace).

      "sftp> "
 11896 sftp     RET   write 6
 11896 sftp     CALL  ioctl(0,TIOCGETA,0x288084d0)
 11896 sftp     RET   ioctl 0
 11896 sftp     CALL  ioctl(0,TIOCSETAW,0x288084a4)
 11896 sftp     RET   ioctl 0
 11896 sftp     CALL  read(0,0xbfbfe3ab,0x1)
 11896 sftp     GIO   fd 0 read 1 byte
       "g"
 11896 sftp     RET   read 1
 11896 sftp     CALL  write(0x1,0x28839000,0x1)
 11896 sftp     GIO   fd 1 wrote 1 byte
       "g"
 11896 sftp     RET   write 1
 11896 sftp     CALL  read(0,0xbfbfe3ab,0x1)
 11896 sftp     GIO   fd 0 read 1 byte
       0x0000 7f                                                                          |.|

 11896 sftp     RET   read 1
 11896 sftp     CALL  write(0x1,0x28839000,0x4)
 11896 sftp     GIO   fd 1 wrote 4 bytes
       0x0000 081b 5b4b                                                                   |..[K|

 11896 sftp     RET   write 4
 11896 sftp     CALL  read(0,0xbfbfe3ab,0x1)

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=

20 minute pause here.  The the ls command completes.  Everything
works fine after the 20 minute pause

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
 11897 ssh      RET   read 1
 11897 ssh      CALL  read(0x4,0xbfbfd5af,0x1)
 11897 ssh      GIO   fd 4 read 1 byte
       "o"
 11897 ssh      RET   read 1
 11897 ssh      CALL  read(0x4,0xbfbfd5af,0x1)
 11897 ssh      GIO   fd 4 read 1 byte
       "g"
 11897 ssh      RET   read 1
 11897 ssh      CALL  read(0x4,0xbfbfd5af,0x1)
 11897 ssh      GIO   fd 4 read 1 byte
       "o"
 11897 ssh      RET   read 1
 11897 ssh      CALL  read(0x4,0xbfbfd5af,0x1)
 11897 ssh      GIO   fd 4 read 1 byte
       "
       "
 11897 ssh      RET   read 1
 11897 ssh      CALL  write(0x4,0x2838ed71,0x1)
 11897 ssh      GIO   fd 4 wrote 1 byte

 

[GeorgeLinn]

Working good enough now

The issue goes away if I use DNS instead of host files. I created an A record for my LDAP server and there is no more delay. I thought that most services looked at the host file before reaching out to DNS, this may be one of those exceptions.

Thanks for taking the time to review this issue.