IBM Support

OA63229: SSHD MAY CHANGE THE INCOMING USERNAME DURING AUTHENTICATION

A fix is available


APAR status

  • Closed as program error.

Error description

  • When group checking is required by sshd, it will enter a loop to
    check all the groups an incoming user belongs to, but the userid
    being checked may get replaced with an alternate/incorrect
    username.
    
    This may result in users not obtaining the keyword values
    specified in the expected match group.
    
    
    For example:
    My sshd_config has a series of "Match Group" blocks (say
    GROUP1-4) and GROUP4 is set up as:
    ---
    Match Group GROUP4
    Banner /etc/ssh/banner2
    ---
    
    When I attempt to log in with "myid", sshd will loop through the
    Match Group blocks to determine whether "myid" is a member of each.
    
    Using a debug trace of sshd I observe messages such as:
    debug1: user myid does not match group list GROUP1
    debug1: user myid does not match group list GROUP2
    debug1: user yourid does not match group list GROUP3
    debug1: user yourid does not match group list GROUP4
    
    Note that "myid" has changed to "yourid" partway through the loop.
    
    In this example, if "myid" is a member of GROUP4, then the
    Banner keyword setting might not take effect.
    
    
    
    Verification Steps:
    1) Configure sshd to collect a debug trace of at least a debug1
    level (debug3 preferred).
    2) Review the debug trace data looking for messages similar to
    those included above and determine if the username is changing
    between groups.
    
    
    
    Keywords:
    sshd
    FOTSXSHD
    sshd_config
    
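As an added check for verification step 2 (example code, not from the APAR), the following Python scans a captured sshd debug trace for the quoted "does not match group list" message and reports every group check where the username differs from the one seen in that session's first check. The embedded trace is constructed from the APAR's example; treating any text before `debug1:` (such as a `sshd[pid]:` syslog prefix) as a session key is an assumption about how a collected trace may be formatted.

```python
import re

# Message format quoted in the APAR's error description.
GROUP_MSG = re.compile(
    r"debug1: user (?P<user>\S+) does not match group list (?P<group>\S+)"
)

# Constructed sample trace modelled on the APAR's example; not a real capture.
SAMPLE_TRACE = """\
debug1: user myid does not match group list GROUP1
debug1: user myid does not match group list GROUP2
debug1: user yourid does not match group list GROUP3
debug1: user yourid does not match group list GROUP4
"""


def find_username_changes(trace):
    """Return (session, group, first_user, seen_user) tuples for every Match Group
    check whose username differs from the first username seen in that session.

    The session key is whatever precedes 'debug1:' on the line (assumed to be a
    syslog prefix such as 'sshd[1234]:'); a bare trace yields a single '' session.
    """
    first_user = {}   # session key -> username seen in the first group check
    changes = []
    for line in trace.splitlines():
        m = GROUP_MSG.search(line)
        if not m:
            continue
        session = line[:m.start()].strip()
        user, group = m.group("user"), m.group("group")
        expected = first_user.setdefault(session, user)
        if user != expected:
            changes.append((session, group, expected, user))
    return changes


def report(trace):
    """Human-readable summary of any username changes found in the trace."""
    changes = find_username_changes(trace)
    if not changes:
        return "no username change between Match Group checks"
    return "\n".join(
        f"session {s or '<none>'}: group {g} checked for '{seen}' "
        f"but session started as '{first}'"
        for s, g, first, seen in changes
    )


if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```

Any non-empty result is the symptom the APAR describes; a trace where the username stays constant across all Match Group checks returns an empty list.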

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: z/OS users of z/OS OpenSSH who specify       *
    *                 Match Group in the sshd_config               *
    *                 configuration file.                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: When group checking is required by      *
    *                      sshd, it will enter a loop to check     *
    *                      all the groups an incoming user         *
    *                      belongs to, but the userid being        *
    *                      checked may get replaced with an        *
    *                      incorrect username.                     *
    *                                                              *
    *                      This may result in users not obtaining  *
    *                      the keyword values specified in the     *
    *                      expected match group, or a failed login *
    *                      attempt.                                *
    ****************************************************************
    When Group checking is required by sshd, save the user name in a
    separate buffer so that it is not replaced during the group loop.
    

Problem conclusion

  • Updated the Match Group checking code in sshd to save the user
    name in a separate buffer so that it is not replaced.
    

Temporary fix

Comments

  • **** PE23/07/10 FIX IN ERROR. SEE APAR OA65172 FOR DESCRIPTION
    

APAR Information

  • APAR number

    OA63229

  • Reported component name

    OPENSSH FOR Z/O

  • Reported component ID

    5655M2301

  • Reported release

    230

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-05-05

  • Closed date

    2022-07-11

  • Last modified date

    2023-10-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UJ08838 UJ08839

Modules/Macros

  • FOTSXSHD
    

Fix information

  • Fixed component name

    OPENSSH FOR Z/O

  • Fixed component ID

    5655M2301

Applicable component levels

  • R230 PSY UJ08839

       UP22/07/27 P F207

  • R240 PSY UJ08838

       UP22/07/27 P F207

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
19 October 2023