	resolve warnings in port_linux.c
							parent
							
								
									3f220f2863
								
							
						
					
					
						commit
						1f6bdc75f1
					
				| @ -1,6 +1,6 @@ | ||||
| diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac
 | ||||
| --- openssh-5.8p1/configure.ac.ldap	2011-02-28 23:21:05.000000000 +0100
 | ||||
| +++ openssh-5.8p1/configure.ac	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/configure.ac.ldap	2011-04-01 09:01:18.559688927 +0200
 | ||||
| +++ openssh-5.8p1/configure.ac	2011-04-01 09:01:18.972717095 +0200
 | ||||
| @@ -1434,6 +1434,106 @@ AC_ARG_WITH(authorized-keys-command,
 | ||||
|  	] | ||||
|  ) | ||||
| @ -109,26 +109,120 @@ diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac | ||||
|  AC_CHECK_FUNCS( \ | ||||
|  	arc4random \ | ||||
| diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
 | ||||
| --- openssh-5.8p1/HOWTO.ldap-keys.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/HOWTO.ldap-keys	2011-02-28 23:21:06.000000000 +0100
 | ||||
| @@ -0,0 +1,14 @@
 | ||||
| --- openssh-5.8p1/HOWTO.ldap-keys.ldap	2011-04-01 09:01:19.000648742 +0200
 | ||||
| +++ openssh-5.8p1/HOWTO.ldap-keys	2011-04-01 09:01:19.564648857 +0200
 | ||||
| @@ -0,0 +1,108 @@
 | ||||
| +
 | ||||
| +HOW TO START
 | ||||
| +
 | ||||
| +1) configure LDAP server
 | ||||
| +2) add appropriate schema
 | ||||
| +  * Use LDAP server documentation
 | ||||
| +2) add appropriate LDAP schema
 | ||||
| +  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
 | ||||
| +  * LDAP user entry
 | ||||
| +        User entry:
 | ||||
| +	- attached to the 'ldapPublicKey' objectclass
 | ||||
| +	- attached to the 'posixAccount' objectclass
 | ||||
| +	- with a filled 'sshPublicKey' attribute 
 | ||||
| +3) insert users into LDAP
 | ||||
| +  * Use LDAP Tree management tool as useful
 | ||||
| +  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
 | ||||
| +  * Example:
 | ||||
| +	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
 | ||||
| +	objectclass: top
 | ||||
| +	objectclass: person
 | ||||
| +	objectclass: organizationalPerson
 | ||||
| +	objectclass: posixAccount
 | ||||
| +	objectclass: ldapPublicKey
 | ||||
| +	description: Jonathan Archer
 | ||||
| +	userPassword: Porthos
 | ||||
| +	cn: onathan Archer
 | ||||
| +	sn: onathan Archer
 | ||||
| +	uid: captain
 | ||||
| +	uidNumber: 1001
 | ||||
| +	gidNumber: 1001
 | ||||
| +	homeDirectory: /home/captain
 | ||||
| +	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
 | ||||
| +	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
 | ||||
| +4) on the ssh side set in sshd_config
 | ||||
| +AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
 | ||||
| +AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
 | ||||
| +5) do not forget to set
 | ||||
| +PubkeyAuthentication yes
 | ||||
| +  * Set up the backend
 | ||||
| +	AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
 | ||||
| +	AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
 | ||||
| +  * Do not forget to set
 | ||||
| +	PubkeyAuthentication yes
 | ||||
| +  * Swith off unnecessary auth methods
 | ||||
| +5) confugure ldap.conf
 | ||||
| +  * Default ldap.conf is placed in /etc/ssh
 | ||||
| +  * The configuration style is the same as other ldap based aplications
 | ||||
| +6) if necessary edit ssh-ldap-wrapper
 | ||||
| +  * There is a possibility to change ldap.conf location
 | ||||
| +  * There are some debug options
 | ||||
| +  * Example
 | ||||
| +	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
 | ||||
| +
 | ||||
| +HOW TO MIGRATE FROM LPK
 | ||||
| +
 | ||||
| +To debug the ssh-ldap-helper is possible to set
 | ||||
| +the necessary flags in the ssh-ldap-wrapper.
 | ||||
| +1) goto HOW TO START 4) .... the ldap schema is the same
 | ||||
| +
 | ||||
| +2) convert the group requests to the appropriate LDAP requests
 | ||||
| +
 | ||||
| +HOW TO SOLVE PROBLEMS
 | ||||
| +
 | ||||
| +1) use debug in sshd
 | ||||
| +  * /usr/sbin/sshd -d -d -d -d
 | ||||
| +2) use debug in ssh-ldap-helper
 | ||||
| +  * ssh-ldap-helper -d -d -d -d -s <username>
 | ||||
| +3) use tcpdump ... other ldap client etc.
 | ||||
| +
 | ||||
| +ADVANTAGES
 | ||||
| +
 | ||||
| +1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
 | ||||
| +
 | ||||
| +DISADVANTAGES
 | ||||
| +
 | ||||
| +1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
 | ||||
| +  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
 | ||||
| +  of your users in all your server farm -- be VERY CAREFUL.
 | ||||
| +2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
 | ||||
| +  as the impersonated user.
 | ||||
| +3) If LDAP server is down there may be no fallback on passwd auth.
 | ||||
| +  
 | ||||
| +MISC.
 | ||||
| +  
 | ||||
| +1) todo
 | ||||
| +  * Possibility to reuse the ssh-ldap-helper.
 | ||||
| +  * Tune the LDAP part to accept  all possible LDAP configurations.
 | ||||
| +
 | ||||
| +2) differences from original lpk
 | ||||
| +  * No LDAP code in sshd.
 | ||||
| +  * Support for various LDAP platforms and configurations.
 | ||||
| +  * LDAP is configured in separate ldap.conf file.
 | ||||
| +
 | ||||
| +3) docs/link 
 | ||||
| +  * http://pacsec.jp/core05/psj05-barisani-en.pdf
 | ||||
| +  * http://fritz.potsdam.edu/projects/openssh-lpk/
 | ||||
| +  * http://fritz.potsdam.edu/projects/sshgate/
 | ||||
| +  * http://dev.inversepath.com/trac/openssh-lpk
 | ||||
| +  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
 | ||||
| +
 | ||||
| +4) contributors/ideas/greets
 | ||||
| +  - Eric AUGE <eau@phear.org>
 | ||||
| +  - Andrea Barisani <andrea@inversepath.com>
 | ||||
| +  - Falk Siemonsmeier.
 | ||||
| +  - Jacob Rief.
 | ||||
| +  - Michael Durchgraf.
 | ||||
| +  - frederic peters.
 | ||||
| +  - Finlay dobbie.
 | ||||
| +  - Stefan Fisher.
 | ||||
| +  - Robin H. Johnson.
 | ||||
| +  - Adrian Bridgett.
 | ||||
| +
 | ||||
| +5) Author
 | ||||
| +    Jan F. Chadima <jchadima@redhat.com>
 | ||||
| +
 | ||||
| diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
 | ||||
| --- openssh-5.8p1/ldapbody.c.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ldapbody.c	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/ldapbody.c.ldap	2011-04-01 09:01:19.024648747 +0200
 | ||||
| +++ openssh-5.8p1/ldapbody.c	2011-04-01 09:01:19.032648722 +0200
 | ||||
| @@ -0,0 +1,494 @@
 | ||||
| +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 | ||||
| +/*
 | ||||
| @ -625,8 +719,8 @@ diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c | ||||
| +}
 | ||||
| +
 | ||||
| diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h
 | ||||
| --- openssh-5.8p1/ldapbody.h.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ldapbody.h	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/ldapbody.h.ldap	2011-04-01 09:01:19.047648768 +0200
 | ||||
| +++ openssh-5.8p1/ldapbody.h	2011-04-01 09:01:19.057648739 +0200
 | ||||
| @@ -0,0 +1,37 @@
 | ||||
| +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 | ||||
| +/*
 | ||||
| @ -666,8 +760,8 @@ diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h | ||||
| +#endif /* LDAPBODY_H */
 | ||||
| +
 | ||||
| diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
 | ||||
| --- openssh-5.8p1/ldapconf.c.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ldapconf.c	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/ldapconf.c.ldap	2011-04-01 09:01:19.073648744 +0200
 | ||||
| +++ openssh-5.8p1/ldapconf.c	2011-04-01 09:01:19.082648746 +0200
 | ||||
| @@ -0,0 +1,682 @@
 | ||||
| +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 | ||||
| +/*
 | ||||
| @ -1352,8 +1446,8 @@ diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c | ||||
| +}
 | ||||
| +
 | ||||
| diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h
 | ||||
| --- openssh-5.8p1/ldapconf.h.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ldapconf.h	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/ldapconf.h.ldap	2011-04-01 09:01:19.097648717 +0200
 | ||||
| +++ openssh-5.8p1/ldapconf.h	2011-04-01 09:01:19.107648734 +0200
 | ||||
| @@ -0,0 +1,71 @@
 | ||||
| +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 | ||||
| +/*
 | ||||
| @ -1427,8 +1521,8 @@ diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h | ||||
| +
 | ||||
| +#endif /* LDAPCONF_H */
 | ||||
| diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf
 | ||||
| --- openssh-5.8p1/ldap.conf.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ldap.conf	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/ldap.conf.ldap	2011-04-01 09:01:19.122648724 +0200
 | ||||
| +++ openssh-5.8p1/ldap.conf	2011-04-01 09:01:19.131648759 +0200
 | ||||
| @@ -0,0 +1,88 @@
 | ||||
| +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 | ||||
| +#
 | ||||
| @ -1519,9 +1613,9 @@ diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf | ||||
| +#tls_key
 | ||||
| +
 | ||||
| diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
 | ||||
| --- openssh-5.8p1/ldap-helper.c.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ldap-helper.c	2011-02-28 23:21:06.000000000 +0100
 | ||||
| @@ -0,0 +1,154 @@
 | ||||
| --- openssh-5.8p1/ldap-helper.c.ldap	2011-04-01 09:01:19.145658994 +0200
 | ||||
| +++ openssh-5.8p1/ldap-helper.c	2011-04-01 09:01:19.608648889 +0200
 | ||||
| @@ -0,0 +1,155 @@
 | ||||
| +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 | ||||
| +/*
 | ||||
| + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
 | ||||
| @ -1662,6 +1756,7 @@ diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c | ||||
| +	if (config_single_user) {
 | ||||
| +		process_user (config_single_user, outfile);
 | ||||
| +	} else {
 | ||||
| +		usage();
 | ||||
| +		fatal ("Not yet implemented");
 | ||||
| +/* TODO
 | ||||
| + * open unix socket a run the loop on it
 | ||||
| @ -1677,8 +1772,8 @@ diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c | ||||
| +void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
 | ||||
| +
 | ||||
| diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h
 | ||||
| --- openssh-5.8p1/ldap-helper.h.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ldap-helper.h	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/ldap-helper.h.ldap	2011-04-01 09:01:19.168648731 +0200
 | ||||
| +++ openssh-5.8p1/ldap-helper.h	2011-04-01 09:01:19.177648726 +0200
 | ||||
| @@ -0,0 +1,32 @@
 | ||||
| +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 | ||||
| +/*
 | ||||
| @ -1713,8 +1808,8 @@ diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h | ||||
| +
 | ||||
| +#endif /* LDAP_HELPER_H */
 | ||||
| diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h
 | ||||
| --- openssh-5.8p1/ldapincludes.h.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ldapincludes.h	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/ldapincludes.h.ldap	2011-04-01 09:01:19.192648737 +0200
 | ||||
| +++ openssh-5.8p1/ldapincludes.h	2011-04-01 09:01:19.202648683 +0200
 | ||||
| @@ -0,0 +1,41 @@
 | ||||
| +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 | ||||
| +/*
 | ||||
| @ -1758,8 +1853,8 @@ diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h | ||||
| +
 | ||||
| +#endif /* LDAPINCLUDES_H */
 | ||||
| diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c
 | ||||
| --- openssh-5.8p1/ldapmisc.c.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ldapmisc.c	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/ldapmisc.c.ldap	2011-04-01 09:01:19.216648692 +0200
 | ||||
| +++ openssh-5.8p1/ldapmisc.c	2011-04-01 09:01:19.225648767 +0200
 | ||||
| @@ -0,0 +1,79 @@
 | ||||
| +
 | ||||
| +#include "ldapincludes.h"
 | ||||
| @ -1841,8 +1936,8 @@ diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c | ||||
| +#endif
 | ||||
| +
 | ||||
| diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h
 | ||||
| --- openssh-5.8p1/ldapmisc.h.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ldapmisc.h	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/ldapmisc.h.ldap	2011-04-01 09:01:19.240648724 +0200
 | ||||
| +++ openssh-5.8p1/ldapmisc.h	2011-04-01 09:01:19.249648718 +0200
 | ||||
| @@ -0,0 +1,35 @@
 | ||||
| +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 | ||||
| +/*
 | ||||
| @ -1880,129 +1975,9 @@ diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h | ||||
| +#endif /* LDAPMISC_H */
 | ||||
| +
 | ||||
| diff -up openssh-5.8p1/lpk-user-example.txt.ldap openssh-5.8p1/lpk-user-example.txt
 | ||||
| --- openssh-5.8p1/lpk-user-example.txt.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/lpk-user-example.txt	2011-02-28 23:21:06.000000000 +0100
 | ||||
| @@ -0,0 +1,117 @@
 | ||||
| +
 | ||||
| +Post to ML -> User Made Quick Install Doc.
 | ||||
| +Contribution from John Lane <john@lane.uk.net>
 | ||||
| +
 | ||||
| +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 | ||||
| +
 | ||||
| +OpenSSH LDAP keystore Patch
 | ||||
| +===========================
 | ||||
| +
 | ||||
| +NOTE: these notes are a transcript of a specific installation
 | ||||
| +      they work for me, your specifics may be different!
 | ||||
| +      from John Lane March 17th 2005         john@lane.uk.net
 | ||||
| +
 | ||||
| +This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
 | ||||
| +from their LDAP record as an alternative to ~/.ssh/authorized_keys.
 | ||||
| +
 | ||||
| +(Assuming here that necessary build stuff is in $BUILD)
 | ||||
| +
 | ||||
| +cd $BUILD/openssh-4.0p1
 | ||||
| +patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
 | ||||
| +mkdir -p /var/empty &&
 | ||||
| +./configure --prefix=/usr --sysconfdir=/etc/ssh \
 | ||||
| +    --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
 | ||||
| +    --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
 | ||||
| +Now do.
 | ||||
| +make &&
 | ||||
| +make install
 | ||||
| +
 | ||||
| +Add the following config to /etc/ssh/ssh_config
 | ||||
| +UseLPK yes
 | ||||
| +LpkServers ldap://myhost.mydomain.com
 | ||||
| +LpkUserDN  ou=People,dc=mydomain,dc=com
 | ||||
| +
 | ||||
| +We need to tell sshd about the SSL keys during boot, as root's
 | ||||
| +environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
 | ||||
| +Change the startup code from this:
 | ||||
| +                echo "Starting SSH Server..."
 | ||||
| +                loadproc /usr/sbin/sshd
 | ||||
| +                ;;
 | ||||
| +to this:
 | ||||
| +                echo "Starting SSH Server..."
 | ||||
| +                LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
 | ||||
| +                ;;
 | ||||
| +
 | ||||
| +Re-start the sshd daemon:
 | ||||
| +/etc/rc.d/init.d/sshd restart
 | ||||
| +
 | ||||
| +Install the additional LDAP schema
 | ||||
| +cp $BUILD/openssh-lpk-0.2.schema  /etc/openldap/schema/openssh.schema
 | ||||
| +
 | ||||
| +Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
 | ||||
| +Add the following to the end of the existing block of schema includes
 | ||||
| +include         /etc/openldap/schema/openssh.schema
 | ||||
| +
 | ||||
| +Re-start the LDAP server:
 | ||||
| +/etc/rc.d/init.d/slapd restart
 | ||||
| +
 | ||||
| +To add one or more public keys to a user, eg "testuser" :
 | ||||
| +ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
 | ||||
| +"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
 | ||||
| +
 | ||||
| +append the following to this /tmp/testuser file
 | ||||
| +objectclass: ldapPublicKey
 | ||||
| +sshPublicKey: ssh-rsa
 | ||||
| +AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
 | ||||
| +qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
 | ||||
| +7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
 | ||||
| +
 | ||||
| +Then do a modify:
 | ||||
| +ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
 | ||||
| +/tmp/testuser -Z
 | ||||
| +Enter LDAP Password:
 | ||||
| +modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
 | ||||
| +And check the modify is ok:
 | ||||
| +ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
 | ||||
| +"uid=testuser,ou=People,dc=mydomain,dc=com"
 | ||||
| +Enter LDAP Password:
 | ||||
| +# extended LDIF
 | ||||
| +#
 | ||||
| +# LDAPv3
 | ||||
| +# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
 | ||||
| +# filter: (objectclass=*)
 | ||||
| +# requesting: ALL
 | ||||
| +#
 | ||||
| +
 | ||||
| +# testuser, People, mydomain.com
 | ||||
| +dn: uid=testuser,ou=People,dc=mydomain,dc=com
 | ||||
| +uid: testuser
 | ||||
| +cn: testuser
 | ||||
| +objectClass: account
 | ||||
| +objectClass: posixAccount
 | ||||
| +objectClass: top
 | ||||
| +objectClass: shadowAccount
 | ||||
| +objectClass: ldapPublicKey
 | ||||
| +shadowLastChange: 12757
 | ||||
| +shadowMax: 99999
 | ||||
| +shadowWarning: 7
 | ||||
| +loginShell: /bin/bash
 | ||||
| +uidNumber: 9999
 | ||||
| +gidNumber: 501
 | ||||
| +homeDirectory: /home/testuser
 | ||||
| +userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
 | ||||
| +sshPublicKey: ssh-rsa
 | ||||
| +AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
 | ||||
| +8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
 | ||||
| +
 | ||||
| +# search result
 | ||||
| +search: 3
 | ||||
| +result: 0 Success
 | ||||
| +
 | ||||
| +# numResponses: 2
 | ||||
| +# numEntries: 1
 | ||||
| +
 | ||||
| +Now start a ssh session to user "testuser" from usual ssh client (e.g.
 | ||||
| +puTTY). Login should succeed.
 | ||||
| +
 | ||||
| +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 | ||||
| diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in
 | ||||
| --- openssh-5.8p1/Makefile.in.ldap	2011-02-28 23:21:03.000000000 +0100
 | ||||
| +++ openssh-5.8p1/Makefile.in	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/Makefile.in.ldap	2011-04-01 09:01:15.209648708 +0200
 | ||||
| +++ openssh-5.8p1/Makefile.in	2011-04-01 09:01:19.307648329 +0200
 | ||||
| @@ -26,6 +26,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
 | ||||
|  SFTP_SERVER=$(libexecdir)/sftp-server | ||||
|  SSH_KEYSIGN=$(libexecdir)/ssh-keysign | ||||
| @ -2089,8 +2064,8 @@ diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in | ||||
|   | ||||
|  tests interop-tests:	$(TARGETS) | ||||
| diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lpk-openldap.schema
 | ||||
| --- openssh-5.8p1/openssh-lpk-openldap.schema.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/openssh-lpk-openldap.schema	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/openssh-lpk-openldap.schema.ldap	2011-04-01 09:01:19.333648708 +0200
 | ||||
| +++ openssh-5.8p1/openssh-lpk-openldap.schema	2011-04-01 09:01:19.343648766 +0200
 | ||||
| @@ -0,0 +1,21 @@
 | ||||
| +#
 | ||||
| +# LDAP Public Key Patch schema for use with openssh-ldappubkey
 | ||||
| @ -2114,8 +2089,8 @@ diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lp | ||||
| +	MUST ( sshPublicKey $ uid ) 
 | ||||
| +	)
 | ||||
| diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun.schema
 | ||||
| --- openssh-5.8p1/openssh-lpk-sun.schema.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/openssh-lpk-sun.schema	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/openssh-lpk-sun.schema.ldap	2011-04-01 09:01:19.358648705 +0200
 | ||||
| +++ openssh-5.8p1/openssh-lpk-sun.schema	2011-04-01 09:01:19.368648739 +0200
 | ||||
| @@ -0,0 +1,23 @@
 | ||||
| +#
 | ||||
| +# LDAP Public Key Patch schema for use with openssh-ldappubkey
 | ||||
| @ -2141,286 +2116,9 @@ diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun | ||||
| +	MUST ( sshPublicKey $ uid ) 
 | ||||
| +	)
 | ||||
| diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk
 | ||||
| --- openssh-5.8p1/README.lpk.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/README.lpk	2011-02-28 23:21:06.000000000 +0100
 | ||||
| @@ -0,0 +1,274 @@
 | ||||
| +OpenSSH LDAP PUBLIC KEY PATCH 
 | ||||
| +Copyright (c) 2003 Eric AUGE (eau@phear.org)
 | ||||
| +All rights reserved.
 | ||||
| +
 | ||||
| +Rewriten by Jan F. Chadima (jchadima@redhat.com)
 | ||||
| +Copyright (c) 2010 Red Hat, Inc.
 | ||||
| +The new PKA-LDAP patch is rewritten from the scratch.
 | ||||
| +LDAP schema and part of the documentation is based on original
 | ||||
| +LPK project (http://code.google.com/p/openssh-lpk),
 | ||||
| +copyright (c) 2003 Eric AUGE
 | ||||
| +The new openssh configuration is different from the original LPK one.
 | ||||
| +
 | ||||
| +Redistribution and use in source and binary forms, with or without
 | ||||
| +modification, are permitted provided that the following conditions
 | ||||
| +are met:
 | ||||
| +1. Redistributions of source code must retain the above copyright
 | ||||
| +   notice, this list of conditions and the following disclaimer.
 | ||||
| +2. Redistributions in binary form must reproduce the above copyright
 | ||||
| +   notice, this list of conditions and the following disclaimer in the
 | ||||
| +   documentation and/or other materials provided with the distribution.
 | ||||
| +3. The name of the author may not be used to endorse or promote products
 | ||||
| +   derived from this software without specific prior written permission.
 | ||||
| +
 | ||||
| +THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 | ||||
| +IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 | ||||
| +OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 | ||||
| +IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 | ||||
| +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 | ||||
| +NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 | ||||
| +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 | ||||
| +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 | ||||
| +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 | ||||
| +THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 | ||||
| +
 | ||||
| +purposes of this patch:
 | ||||
| +
 | ||||
| +This patch would help to have authentication centralization policy
 | ||||
| +using ssh public key authentication.
 | ||||
| +This patch could be an alternative to other "secure" authentication system
 | ||||
| +working in a similar way (Kerberos, SecurID, etc...), except the fact 
 | ||||
| +that it's based on OpenSSH and its public key abilities.
 | ||||
| +
 | ||||
| +>> FYI: <<
 | ||||
| +'uid': means unix accounts existing on the current server
 | ||||
| +'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf.
 | ||||
| +
 | ||||
| +example schema:
 | ||||
| +
 | ||||
| +
 | ||||
| +                                  server1 (uid: eau,rival,toto) (ServerGroup: unix)
 | ||||
| +                ___________      /
 | ||||
| +               /           \ --- - server3 (uid: eau, titi) (ServerGroup: unix)
 | ||||
| +              | LDAP Server |    \
 | ||||
| +	      | eau  ,rival |     server2 (uid: rival, eau) (ServerGroup: unix)
 | ||||
| +	      | titi ,toto  |
 | ||||
| +	      | userx,....  |         server5 (uid: eau)  (ServerGroup: mail)
 | ||||
| +               \___________/ \       /
 | ||||
| +	                       ----- - server4 (uid: eau, rival)  (no group configured)
 | ||||
| +			             \
 | ||||
| +				        etc...
 | ||||
| +
 | ||||
| +- WHAT WE NEED :
 | ||||
| +
 | ||||
| +  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
 | ||||
| +  * patched sshd (with this patch ;)
 | ||||
| +  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
 | ||||
| +        User entry:
 | ||||
| +	- attached to the 'ldapPublicKey' objectclass
 | ||||
| +	- attached to the 'posixAccount' objectclass
 | ||||
| +	- with a filled 'sshPublicKey' attribute 
 | ||||
| +	Example:
 | ||||
| +		dn: uid=eau,ou=users,dc=cuckoos,dc=net
 | ||||
| +		objectclass: top
 | ||||
| +		objectclass: person
 | ||||
| +		objectclass: organizationalPerson
 | ||||
| +		objectclass: posixAccount
 | ||||
| +		objectclass: ldapPublicKey
 | ||||
| +		description: Eric AUGE Account
 | ||||
| +		userPassword: blah
 | ||||
| +		cn: Eric AUGE
 | ||||
| +		sn: Eric AUGE
 | ||||
| +		uid: eau
 | ||||
| +		uidNumber: 1034
 | ||||
| +		gidNumber: 1
 | ||||
| +		homeDirectory: /export/home/eau
 | ||||
| +		sshPublicKey: ssh-dss AAAAB3...
 | ||||
| +		sshPublicKey: ssh-dss AAAAM5...
 | ||||
| +
 | ||||
| +	Group entry:
 | ||||
| +	- attached to the 'posixGroup' objectclass
 | ||||
| +	- with a 'cn' groupname attribute
 | ||||
| +	- with multiple 'memberUid' attributes filled with usernames allowed in this group
 | ||||
| +	Example:
 | ||||
| +		# few members
 | ||||
| +		dn: cn=unix,ou=groups,dc=cuckoos,dc=net
 | ||||
| +		objectclass: top
 | ||||
| +		objectclass: posixGroup
 | ||||
| +		description: Unix based servers group
 | ||||
| +		cn: unix
 | ||||
| +		gidNumber: 1002
 | ||||
| +		memberUid: eau
 | ||||
| +		memberUid: user1
 | ||||
| +		memberUid: user2
 | ||||
| +
 | ||||
| +
 | ||||
| +- HOW IT WORKS :
 | ||||
| +
 | ||||
| +  * without patch
 | ||||
| +  If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
 | ||||
| +  and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
 | ||||
| +
 | ||||
| +  * with the patch
 | ||||
| +  If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
 | ||||
| +  It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
 | ||||
| +  (usually in $HOME/.ssh/authorized_keys)
 | ||||
| +
 | ||||
| +  2 tokens are added to sshd_config :
 | ||||
| +  # here is the new patched ldap related tokens
 | ||||
| +  AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
 | ||||
| +  AuthorizedKeysCommandRunAs nobody
 | ||||
| +
 | ||||
| +  The LDAP configuratin is read from common /etc/ldap.conf configuration file.
 | ||||
| +There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched.
 | ||||
| +
 | ||||
| +- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
 | ||||
| +
 | ||||
| +  * my way (there is plenty :)
 | ||||
| +  - create ldif file (i.e. users.ldif)
 | ||||
| +  - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
 | ||||
| +  - my way in 4 steps :
 | ||||
| +  Example:
 | ||||
| +
 | ||||
| +  # you add this to the user entry in the LDIF file :
 | ||||
| +  [...]
 | ||||
| +  objectclass: posixAccount
 | ||||
| +  objectclass: ldapPublicKey
 | ||||
| +  [...]
 | ||||
| +  sshPubliKey: ssh-dss AAAABDh12DDUR2...
 | ||||
| +  [...]
 | ||||
| +
 | ||||
| +  # insert your entry and you're done :)
 | ||||
| +  ldapadd -D balblabla -w bleh < file.ldif 
 | ||||
| +  
 | ||||
| +  all standard options can be present in the 'sshPublicKey' attribute.
 | ||||
| +
 | ||||
| +- WHY :
 | ||||
| +
 | ||||
| +  Simply because, i was looking for a way to centralize all sysadmins authentication, easily,  without completely using LDAP 
 | ||||
| +  as authentication method (like pam_ldap etc..).  
 | ||||
| +  
 | ||||
| +  After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get 
 | ||||
| +  public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
 | ||||
| +  objectclass within LDAP and part of the group the SSH server is in). 
 | ||||
| +
 | ||||
| +  Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase 
 | ||||
| +  so each user can change it as much as he wants). 
 | ||||
| +
 | ||||
| +  Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
 | ||||
| +
 | ||||
| +- RULES :  
 | ||||
| +  Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. 
 | ||||
| +  and the additionnal lpk.schema.
 | ||||
| +
 | ||||
| +  This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication 
 | ||||
| +  (pamldap, nss_ldap, etc..).
 | ||||
| +
 | ||||
| +  This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
 | ||||
| +  
 | ||||
| +  Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
 | ||||
| +  'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
 | ||||
| +  If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
 | ||||
| +  to log in 'server5' (i hope you got the idea, my english is bad :).
 | ||||
| +
 | ||||
| +  Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
 | ||||
| +  server.
 | ||||
| +  When you want to allow a new user to have access to the server parc, you just add him an account on 
 | ||||
| +  your servers, you add his public key into his entry on the LDAP server, it's done. 
 | ||||
| +
 | ||||
| +  Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
 | ||||
| +
 | ||||
| +  When the user needs to change his passphrase he can do it directly from his workstation by changing 
 | ||||
| +  his own key set lock passphrase, and all servers are automatically aware.
 | ||||
| + 
 | ||||
| +  With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
 | ||||
| +  so he can add/modify/delete himself his public key when needed.
 | ||||
| +
 | ||||
| + FLAWS :
 | ||||
| +  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
 | ||||
| +  allow write to users dn, somebody could replace someuser's public key by its own and impersonate some 
 | ||||
| +  of your users in all your server farm be VERY CAREFUL.
 | ||||
| +  
 | ||||
| +  MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
 | ||||
| +  as the impersonnated user.
 | ||||
| +
 | ||||
| +  If LDAP server is down then, no fallback on passwd auth.
 | ||||
| +  
 | ||||
| +  the ldap code part has not been well audited yet.
 | ||||
| +
 | ||||
| +- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
 | ||||
| +    --- CUT HERE ---
 | ||||
| +    dn: uid=jdoe,ou=users,dc=foobar,dc=net
 | ||||
| +    objectclass: top
 | ||||
| +    objectclass: person
 | ||||
| +    objectclass: organizationalPerson
 | ||||
| +    objectclass: posixAccount
 | ||||
| +    objectclass: ldapPublicKey
 | ||||
| +    description: My account
 | ||||
| +    cn: John Doe
 | ||||
| +    sn: John Doe
 | ||||
| +    uid: jdoe
 | ||||
| +    uidNumber: 100
 | ||||
| +    gidNumber: 100
 | ||||
| +    homeDirectory: /home/jdoe
 | ||||
| +    sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
 | ||||
| +    [...]
 | ||||
| +    --- CUT HERE ---
 | ||||
| +
 | ||||
| +- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
 | ||||
| +    --- CUT HERE ---
 | ||||
| +    dn: cn=unix,ou=groups,dc=cuckoos,dc=net
 | ||||
| +    objectclass: top
 | ||||
| +    objectclass: posixGroup
 | ||||
| +    description: Unix based servers group
 | ||||
| +    cn: unix
 | ||||
| +    gidNumber: 1002
 | ||||
| +    memberUid: jdoe
 | ||||
| +    memberUid: user1
 | ||||
| +    memberUid: user2
 | ||||
| +    [...]
 | ||||
| +    --- CUT HERE ---
 | ||||
| +
 | ||||
| +>> FYI: << 
 | ||||
| +Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
 | ||||
| +
 | ||||
| +- COMPILING:
 | ||||
| +  1. Apply the patch
 | ||||
| +  2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
 | ||||
| +  3. make
 | ||||
| +  4. it's done.
 | ||||
| +
 | ||||
| +- BLA :
 | ||||
| +  I hope this could help, and i hope to be clear enough,, or give ideas.  questions/comments/improvements are welcome.
 | ||||
| +  
 | ||||
| +- TODO :
 | ||||
| +  Possibility to reuse the ssh-ldap-helper.
 | ||||
| +  Tune the LDAP part to all possible LDAP configurations.
 | ||||
| +
 | ||||
| +- DIFFERENCES FROM ORIGINAL lpk
 | ||||
| +  No LDAP code in sshd.
 | ||||
| +  Support for various LDAP platforms and configurations.
 | ||||
| +  LDAP is configured in separate ldap.conf file.
 | ||||
| +
 | ||||
| +- DOCS/LINK :
 | ||||
| +  http://pacsec.jp/core05/psj05-barisani-en.pdf
 | ||||
| +  http://fritz.potsdam.edu/projects/openssh-lpk/
 | ||||
| +  http://fritz.potsdam.edu/projects/sshgate/
 | ||||
| +  http://dev.inversepath.com/trac/openssh-lpk
 | ||||
| +  http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
 | ||||
| +
 | ||||
| +- CONTRIBUTORS/IDEAS/GREETS :
 | ||||
| +  - Eric AUGE <eau@phear.org>
 | ||||
| +  - Andrea Barisani <andrea@inversepath.com>
 | ||||
| +  - Falk Siemonsmeier.
 | ||||
| +  - Jacob Rief.
 | ||||
| +  - Michael Durchgraf.
 | ||||
| +  - frederic peters.
 | ||||
| +  - Finlay dobbie.
 | ||||
| +  - Stefan Fisher.
 | ||||
| +  - Robin H. Johnson.
 | ||||
| +  - Adrian Bridgett.
 | ||||
| +
 | ||||
| +- CONTACT :
 | ||||
| +    Jan F. Chadima <jchadima@redhat.com>
 | ||||
| +
 | ||||
| diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
 | ||||
| --- openssh-5.8p1/ssh-ldap.conf.5.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ssh-ldap.conf.5	2011-02-28 23:21:06.000000000 +0100
 | ||||
| --- openssh-5.8p1/ssh-ldap.conf.5.ldap	2011-04-01 09:01:19.408648714 +0200
 | ||||
| +++ openssh-5.8p1/ssh-ldap.conf.5	2011-04-01 09:01:19.418648733 +0200
 | ||||
| @@ -0,0 +1,373 @@
 | ||||
| +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 | ||||
| +.\"
 | ||||
| @ -2796,9 +2494,9 @@ diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5 | ||||
| +.Sh AUTHORS
 | ||||
| +.An Jan F. Chadima Aq jchadima@redhat.com
 | ||||
| diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
 | ||||
| --- openssh-5.8p1/ssh-ldap-helper.8.ldap	2011-02-28 23:21:06.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ssh-ldap-helper.8	2011-02-28 23:21:06.000000000 +0100
 | ||||
| @@ -0,0 +1,78 @@
 | ||||
| --- openssh-5.8p1/ssh-ldap-helper.8.ldap	2011-04-01 09:01:19.432648735 +0200
 | ||||
| +++ openssh-5.8p1/ssh-ldap-helper.8	2011-04-01 09:01:19.709648247 +0200
 | ||||
| @@ -0,0 +1,79 @@
 | ||||
| +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
 | ||||
| +.\"
 | ||||
| +.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
 | ||||
| @ -2838,11 +2536,12 @@ diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8 | ||||
| +by setting
 | ||||
| +.Cm AuthorizedKeysCommand
 | ||||
| +to
 | ||||
| +.Dq /usr/libexec/ssh-ldap-helper -s %u .
 | ||||
| +.Dq /usr/libexec/ssh-ldap-wrapper .
 | ||||
| +.Pp
 | ||||
| +.Nm
 | ||||
| +is not intended to be invoked by the user, but from
 | ||||
| +.Xr sshd 8 .
 | ||||
| +.Xr sshd 8 via
 | ||||
| +.Xr ssh-ldap-wrapper .
 | ||||
| +.Pp
 | ||||
| +The options are as follows:
 | ||||
| +.Bl -tag -width Ds
 | ||||
| @ -2878,8 +2577,8 @@ diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8 | ||||
| +.Sh AUTHORS
 | ||||
| +.An Jan F. Chadima Aq jchadima@redhat.com
 | ||||
| diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap openssh-5.8p1/ssh-ldap-wrapper
 | ||||
| --- openssh-5.8p1/ssh-ldap-wrapper.ldap	2011-02-28 23:21:07.000000000 +0100
 | ||||
| +++ openssh-5.8p1/ssh-ldap-wrapper	2011-02-28 23:21:07.000000000 +0100
 | ||||
| --- openssh-5.8p1/ssh-ldap-wrapper.ldap	2011-04-01 09:01:19.456648676 +0200
 | ||||
| +++ openssh-5.8p1/ssh-ldap-wrapper	2011-04-01 09:01:19.464648753 +0200
 | ||||
| @@ -0,0 +1,4 @@
 | ||||
| +#!/bin/sh
 | ||||
| +
 | ||||
|  | ||||
| @ -1,547 +0,0 @@ | ||||
| diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys
 | ||||
| --- openssh-5.8p1/HOWTO.ldap-keys.ldap2	2011-03-10 21:45:52.706855323 +0100
 | ||||
| +++ openssh-5.8p1/HOWTO.ldap-keys	2011-03-10 19:35:50.000000000 +0100
 | ||||
| @@ -1,14 +1,108 @@
 | ||||
|   | ||||
| +HOW TO START
 | ||||
| +
 | ||||
|  1) configure LDAP server | ||||
| -2) add appropriate schema
 | ||||
| +  * Use LDAP server documentation
 | ||||
| +2) add appropriate LDAP schema
 | ||||
| +  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
 | ||||
| +  * LDAP user entry
 | ||||
| +        User entry:
 | ||||
| +	- attached to the 'ldapPublicKey' objectclass
 | ||||
| +	- attached to the 'posixAccount' objectclass
 | ||||
| +	- with a filled 'sshPublicKey' attribute 
 | ||||
|  3) insert users into LDAP | ||||
| +  * Use LDAP Tree management tool as useful
 | ||||
| +  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
 | ||||
| +  * Example:
 | ||||
| +	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
 | ||||
| +	objectclass: top
 | ||||
| +	objectclass: person
 | ||||
| +	objectclass: organizationalPerson
 | ||||
| +	objectclass: posixAccount
 | ||||
| +	objectclass: ldapPublicKey
 | ||||
| +	description: Jonathan Archer
 | ||||
| +	userPassword: Porthos
 | ||||
| +	cn: onathan Archer
 | ||||
| +	sn: onathan Archer
 | ||||
| +	uid: captain
 | ||||
| +	uidNumber: 1001
 | ||||
| +	gidNumber: 1001
 | ||||
| +	homeDirectory: /home/captain
 | ||||
| +	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
 | ||||
| +	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
 | ||||
|  4) on the ssh side set in sshd_config | ||||
| -AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
 | ||||
| -AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
 | ||||
| -5) do not forget to set
 | ||||
| -PubkeyAuthentication yes
 | ||||
| +  * Set up the backend
 | ||||
| +	AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
 | ||||
| +	AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
 | ||||
| +  * Do not forget to set
 | ||||
| +	PubkeyAuthentication yes
 | ||||
| +  * Swith off unnecessary auth methods
 | ||||
| +5) confugure ldap.conf
 | ||||
| +  * Default ldap.conf is placed in /etc/ssh
 | ||||
| +  * The configuration style is the same as other ldap based aplications
 | ||||
| +6) if necessary edit ssh-ldap-wrapper
 | ||||
| +  * There is a possibility to change ldap.conf location
 | ||||
| +  * There are some debug options
 | ||||
| +  * Example
 | ||||
| +	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
 | ||||
| +
 | ||||
| +HOW TO MIGRATE FROM LPK
 | ||||
| +
 | ||||
| +1) goto HOW TO START 4) .... the ldap schema is the same
 | ||||
| +
 | ||||
| +2) convert the group requests to the appropriate LDAP requests
 | ||||
| +
 | ||||
| +HOW TO SOLVE PROBLEMS
 | ||||
| +
 | ||||
| +1) use debug in sshd
 | ||||
| +  * /usr/sbin/sshd -d -d -d -d
 | ||||
| +2) use debug in ssh-ldap-helper
 | ||||
| +  * ssh-ldap-helper -d -d -d -d -s <username>
 | ||||
| +3) use tcpdump ... other ldap client etc.
 | ||||
| +
 | ||||
| +ADVANTAGES
 | ||||
| +
 | ||||
| +1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
 | ||||
| +
 | ||||
| +DISADVANTAGES
 | ||||
| +
 | ||||
| +1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
 | ||||
| +  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
 | ||||
| +  of your users in all your server farm -- be VERY CAREFUL.
 | ||||
| +2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
 | ||||
| +  as the impersonated user.
 | ||||
| +3) If LDAP server is down there may be no fallback on passwd auth.
 | ||||
| +  
 | ||||
| +MISC.
 | ||||
| +  
 | ||||
| +1) todo
 | ||||
| +  * Possibility to reuse the ssh-ldap-helper.
 | ||||
| +  * Tune the LDAP part to accept  all possible LDAP configurations.
 | ||||
| +
 | ||||
| +2) differences from original lpk
 | ||||
| +  * No LDAP code in sshd.
 | ||||
| +  * Support for various LDAP platforms and configurations.
 | ||||
| +  * LDAP is configured in separate ldap.conf file.
 | ||||
| +
 | ||||
| +3) docs/link 
 | ||||
| +  * http://pacsec.jp/core05/psj05-barisani-en.pdf
 | ||||
| +  * http://fritz.potsdam.edu/projects/openssh-lpk/
 | ||||
| +  * http://fritz.potsdam.edu/projects/sshgate/
 | ||||
| +  * http://dev.inversepath.com/trac/openssh-lpk
 | ||||
| +  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
 | ||||
|   | ||||
| +4) contributors/ideas/greets
 | ||||
| +  - Eric AUGE <eau@phear.org>
 | ||||
| +  - Andrea Barisani <andrea@inversepath.com>
 | ||||
| +  - Falk Siemonsmeier.
 | ||||
| +  - Jacob Rief.
 | ||||
| +  - Michael Durchgraf.
 | ||||
| +  - frederic peters.
 | ||||
| +  - Finlay dobbie.
 | ||||
| +  - Stefan Fisher.
 | ||||
| +  - Robin H. Johnson.
 | ||||
| +  - Adrian Bridgett.
 | ||||
|   | ||||
| -To debug the ssh-ldap-helper is possible to set
 | ||||
| -the necessary flags in the ssh-ldap-wrapper.
 | ||||
| +5) Author
 | ||||
| +    Jan F. Chadima <jchadima@redhat.com>
 | ||||
|   | ||||
| diff -up openssh-5.8p1/ldap-helper.c.ldap2 openssh-5.8p1/ldap-helper.c
 | ||||
| --- openssh-5.8p1/ldap-helper.c.ldap2	2011-03-10 21:45:52.872854838 +0100
 | ||||
| +++ openssh-5.8p1/ldap-helper.c	2011-03-10 21:45:53.342855061 +0100
 | ||||
| @@ -138,6 +138,7 @@ main(int ac, char **av)
 | ||||
|  	if (config_single_user) { | ||||
|  		process_user (config_single_user, outfile); | ||||
|  	} else { | ||||
| +		usage();
 | ||||
|  		fatal ("Not yet implemented"); | ||||
|  /* TODO | ||||
|   * open unix socket a run the loop on it | ||||
| diff -up openssh-5.8p1/lpk-user-example.txt.ldap2 openssh-5.8p1/lpk-user-example.txt
 | ||||
| --- openssh-5.8p1/lpk-user-example.txt.ldap2	2011-03-10 21:45:52.986980339 +0100
 | ||||
| +++ openssh-5.8p1/lpk-user-example.txt	2011-03-10 21:45:53.379854929 +0100
 | ||||
| @@ -1,117 +0,0 @@
 | ||||
| -
 | ||||
| -Post to ML -> User Made Quick Install Doc.
 | ||||
| -Contribution from John Lane <john@lane.uk.net>
 | ||||
| -
 | ||||
| -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 | ||||
| -
 | ||||
| -OpenSSH LDAP keystore Patch
 | ||||
| -===========================
 | ||||
| -
 | ||||
| -NOTE: these notes are a transcript of a specific installation
 | ||||
| -      they work for me, your specifics may be different!
 | ||||
| -      from John Lane March 17th 2005         john@lane.uk.net
 | ||||
| -
 | ||||
| -This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
 | ||||
| -from their LDAP record as an alternative to ~/.ssh/authorized_keys.
 | ||||
| -
 | ||||
| -(Assuming here that necessary build stuff is in $BUILD)
 | ||||
| -
 | ||||
| -cd $BUILD/openssh-4.0p1
 | ||||
| -patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
 | ||||
| -mkdir -p /var/empty &&
 | ||||
| -./configure --prefix=/usr --sysconfdir=/etc/ssh \
 | ||||
| -    --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
 | ||||
| -    --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
 | ||||
| -Now do.
 | ||||
| -make &&
 | ||||
| -make install
 | ||||
| -
 | ||||
| -Add the following config to /etc/ssh/ssh_config
 | ||||
| -UseLPK yes
 | ||||
| -LpkServers ldap://myhost.mydomain.com
 | ||||
| -LpkUserDN  ou=People,dc=mydomain,dc=com
 | ||||
| -
 | ||||
| -We need to tell sshd about the SSL keys during boot, as root's
 | ||||
| -environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
 | ||||
| -Change the startup code from this:
 | ||||
| -                echo "Starting SSH Server..."
 | ||||
| -                loadproc /usr/sbin/sshd
 | ||||
| -                ;;
 | ||||
| -to this:
 | ||||
| -                echo "Starting SSH Server..."
 | ||||
| -                LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
 | ||||
| -                ;;
 | ||||
| -
 | ||||
| -Re-start the sshd daemon:
 | ||||
| -/etc/rc.d/init.d/sshd restart
 | ||||
| -
 | ||||
| -Install the additional LDAP schema
 | ||||
| -cp $BUILD/openssh-lpk-0.2.schema  /etc/openldap/schema/openssh.schema
 | ||||
| -
 | ||||
| -Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
 | ||||
| -Add the following to the end of the existing block of schema includes
 | ||||
| -include         /etc/openldap/schema/openssh.schema
 | ||||
| -
 | ||||
| -Re-start the LDAP server:
 | ||||
| -/etc/rc.d/init.d/slapd restart
 | ||||
| -
 | ||||
| -To add one or more public keys to a user, eg "testuser" :
 | ||||
| -ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
 | ||||
| -"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
 | ||||
| -
 | ||||
| -append the following to this /tmp/testuser file
 | ||||
| -objectclass: ldapPublicKey
 | ||||
| -sshPublicKey: ssh-rsa
 | ||||
| -AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
 | ||||
| -qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
 | ||||
| -7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
 | ||||
| -
 | ||||
| -Then do a modify:
 | ||||
| -ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
 | ||||
| -/tmp/testuser -Z
 | ||||
| -Enter LDAP Password:
 | ||||
| -modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
 | ||||
| -And check the modify is ok:
 | ||||
| -ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
 | ||||
| -"uid=testuser,ou=People,dc=mydomain,dc=com"
 | ||||
| -Enter LDAP Password:
 | ||||
| -# extended LDIF
 | ||||
| -#
 | ||||
| -# LDAPv3
 | ||||
| -# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
 | ||||
| -# filter: (objectclass=*)
 | ||||
| -# requesting: ALL
 | ||||
| -#
 | ||||
| -
 | ||||
| -# testuser, People, mydomain.com
 | ||||
| -dn: uid=testuser,ou=People,dc=mydomain,dc=com
 | ||||
| -uid: testuser
 | ||||
| -cn: testuser
 | ||||
| -objectClass: account
 | ||||
| -objectClass: posixAccount
 | ||||
| -objectClass: top
 | ||||
| -objectClass: shadowAccount
 | ||||
| -objectClass: ldapPublicKey
 | ||||
| -shadowLastChange: 12757
 | ||||
| -shadowMax: 99999
 | ||||
| -shadowWarning: 7
 | ||||
| -loginShell: /bin/bash
 | ||||
| -uidNumber: 9999
 | ||||
| -gidNumber: 501
 | ||||
| -homeDirectory: /home/testuser
 | ||||
| -userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
 | ||||
| -sshPublicKey: ssh-rsa
 | ||||
| -AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
 | ||||
| -8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
 | ||||
| -
 | ||||
| -# search result
 | ||||
| -search: 3
 | ||||
| -result: 0 Success
 | ||||
| -
 | ||||
| -# numResponses: 2
 | ||||
| -# numEntries: 1
 | ||||
| -
 | ||||
| -Now start a ssh session to user "testuser" from usual ssh client (e.g.
 | ||||
| -puTTY). Login should succeed.
 | ||||
| -
 | ||||
| -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 | ||||
| diff -up openssh-5.8p1/README.lpk.ldap2 openssh-5.8p1/README.lpk
 | ||||
| --- openssh-5.8p1/README.lpk.ldap2	2011-03-10 21:45:53.112979980 +0100
 | ||||
| +++ openssh-5.8p1/README.lpk	2011-03-10 21:45:53.416856007 +0100
 | ||||
| @@ -1,274 +0,0 @@
 | ||||
| -OpenSSH LDAP PUBLIC KEY PATCH 
 | ||||
| -Copyright (c) 2003 Eric AUGE (eau@phear.org)
 | ||||
| -All rights reserved.
 | ||||
| -
 | ||||
| -Rewriten by Jan F. Chadima (jchadima@redhat.com)
 | ||||
| -Copyright (c) 2010 Red Hat, Inc.
 | ||||
| -The new PKA-LDAP patch is rewritten from the scratch.
 | ||||
| -LDAP schema and part of the documentation is based on original
 | ||||
| -LPK project (http://code.google.com/p/openssh-lpk),
 | ||||
| -copyright (c) 2003 Eric AUGE
 | ||||
| -The new openssh configuration is different from the original LPK one.
 | ||||
| -
 | ||||
| -Redistribution and use in source and binary forms, with or without
 | ||||
| -modification, are permitted provided that the following conditions
 | ||||
| -are met:
 | ||||
| -1. Redistributions of source code must retain the above copyright
 | ||||
| -   notice, this list of conditions and the following disclaimer.
 | ||||
| -2. Redistributions in binary form must reproduce the above copyright
 | ||||
| -   notice, this list of conditions and the following disclaimer in the
 | ||||
| -   documentation and/or other materials provided with the distribution.
 | ||||
| -3. The name of the author may not be used to endorse or promote products
 | ||||
| -   derived from this software without specific prior written permission.
 | ||||
| -
 | ||||
| -THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 | ||||
| -IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 | ||||
| -OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 | ||||
| -IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 | ||||
| -INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 | ||||
| -NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 | ||||
| -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 | ||||
| -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 | ||||
| -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 | ||||
| -THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 | ||||
| -
 | ||||
| -purposes of this patch:
 | ||||
| -
 | ||||
| -This patch would help to have authentication centralization policy
 | ||||
| -using ssh public key authentication.
 | ||||
| -This patch could be an alternative to other "secure" authentication system
 | ||||
| -working in a similar way (Kerberos, SecurID, etc...), except the fact 
 | ||||
| -that it's based on OpenSSH and its public key abilities.
 | ||||
| -
 | ||||
| ->> FYI: <<
 | ||||
| -'uid': means unix accounts existing on the current server
 | ||||
| -'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf.
 | ||||
| -
 | ||||
| -example schema:
 | ||||
| -
 | ||||
| -
 | ||||
| -                                  server1 (uid: eau,rival,toto) (ServerGroup: unix)
 | ||||
| -                ___________      /
 | ||||
| -               /           \ --- - server3 (uid: eau, titi) (ServerGroup: unix)
 | ||||
| -              | LDAP Server |    \
 | ||||
| -	      | eau  ,rival |     server2 (uid: rival, eau) (ServerGroup: unix)
 | ||||
| -	      | titi ,toto  |
 | ||||
| -	      | userx,....  |         server5 (uid: eau)  (ServerGroup: mail)
 | ||||
| -               \___________/ \       /
 | ||||
| -	                       ----- - server4 (uid: eau, rival)  (no group configured)
 | ||||
| -			             \
 | ||||
| -				        etc...
 | ||||
| -
 | ||||
| -- WHAT WE NEED :
 | ||||
| -
 | ||||
| -  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
 | ||||
| -  * patched sshd (with this patch ;)
 | ||||
| -  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
 | ||||
| -        User entry:
 | ||||
| -	- attached to the 'ldapPublicKey' objectclass
 | ||||
| -	- attached to the 'posixAccount' objectclass
 | ||||
| -	- with a filled 'sshPublicKey' attribute 
 | ||||
| -	Example:
 | ||||
| -		dn: uid=eau,ou=users,dc=cuckoos,dc=net
 | ||||
| -		objectclass: top
 | ||||
| -		objectclass: person
 | ||||
| -		objectclass: organizationalPerson
 | ||||
| -		objectclass: posixAccount
 | ||||
| -		objectclass: ldapPublicKey
 | ||||
| -		description: Eric AUGE Account
 | ||||
| -		userPassword: blah
 | ||||
| -		cn: Eric AUGE
 | ||||
| -		sn: Eric AUGE
 | ||||
| -		uid: eau
 | ||||
| -		uidNumber: 1034
 | ||||
| -		gidNumber: 1
 | ||||
| -		homeDirectory: /export/home/eau
 | ||||
| -		sshPublicKey: ssh-dss AAAAB3...
 | ||||
| -		sshPublicKey: ssh-dss AAAAM5...
 | ||||
| -
 | ||||
| -	Group entry:
 | ||||
| -	- attached to the 'posixGroup' objectclass
 | ||||
| -	- with a 'cn' groupname attribute
 | ||||
| -	- with multiple 'memberUid' attributes filled with usernames allowed in this group
 | ||||
| -	Example:
 | ||||
| -		# few members
 | ||||
| -		dn: cn=unix,ou=groups,dc=cuckoos,dc=net
 | ||||
| -		objectclass: top
 | ||||
| -		objectclass: posixGroup
 | ||||
| -		description: Unix based servers group
 | ||||
| -		cn: unix
 | ||||
| -		gidNumber: 1002
 | ||||
| -		memberUid: eau
 | ||||
| -		memberUid: user1
 | ||||
| -		memberUid: user2
 | ||||
| -
 | ||||
| -
 | ||||
| -- HOW IT WORKS :
 | ||||
| -
 | ||||
| -  * without patch
 | ||||
| -  If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
 | ||||
| -  and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
 | ||||
| -
 | ||||
| -  * with the patch
 | ||||
| -  If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
 | ||||
| -  It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
 | ||||
| -  (usually in $HOME/.ssh/authorized_keys)
 | ||||
| -
 | ||||
| -  2 tokens are added to sshd_config :
 | ||||
| -  # here is the new patched ldap related tokens
 | ||||
| -  AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
 | ||||
| -  AuthorizedKeysCommandRunAs nobody
 | ||||
| -
 | ||||
| -  The LDAP configuratin is read from common /etc/ldap.conf configuration file.
 | ||||
| -There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched.
 | ||||
| -
 | ||||
| -- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
 | ||||
| -
 | ||||
| -  * my way (there is plenty :)
 | ||||
| -  - create ldif file (i.e. users.ldif)
 | ||||
| -  - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
 | ||||
| -  - my way in 4 steps :
 | ||||
| -  Example:
 | ||||
| -
 | ||||
| -  # you add this to the user entry in the LDIF file :
 | ||||
| -  [...]
 | ||||
| -  objectclass: posixAccount
 | ||||
| -  objectclass: ldapPublicKey
 | ||||
| -  [...]
 | ||||
| -  sshPubliKey: ssh-dss AAAABDh12DDUR2...
 | ||||
| -  [...]
 | ||||
| -
 | ||||
| -  # insert your entry and you're done :)
 | ||||
| -  ldapadd -D balblabla -w bleh < file.ldif 
 | ||||
| -  
 | ||||
| -  all standard options can be present in the 'sshPublicKey' attribute.
 | ||||
| -
 | ||||
| -- WHY :
 | ||||
| -
 | ||||
| -  Simply because, i was looking for a way to centralize all sysadmins authentication, easily,  without completely using LDAP 
 | ||||
| -  as authentication method (like pam_ldap etc..).  
 | ||||
| -  
 | ||||
| -  After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get 
 | ||||
| -  public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
 | ||||
| -  objectclass within LDAP and part of the group the SSH server is in). 
 | ||||
| -
 | ||||
| -  Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase 
 | ||||
| -  so each user can change it as much as he wants). 
 | ||||
| -
 | ||||
| -  Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
 | ||||
| -
 | ||||
| -- RULES :  
 | ||||
| -  Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. 
 | ||||
| -  and the additionnal lpk.schema.
 | ||||
| -
 | ||||
| -  This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication 
 | ||||
| -  (pamldap, nss_ldap, etc..).
 | ||||
| -
 | ||||
| -  This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
 | ||||
| -  
 | ||||
| -  Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
 | ||||
| -  'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
 | ||||
| -  If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
 | ||||
| -  to log in 'server5' (i hope you got the idea, my english is bad :).
 | ||||
| -
 | ||||
| -  Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
 | ||||
| -  server.
 | ||||
| -  When you want to allow a new user to have access to the server parc, you just add him an account on 
 | ||||
| -  your servers, you add his public key into his entry on the LDAP server, it's done. 
 | ||||
| -
 | ||||
| -  Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
 | ||||
| -
 | ||||
| -  When the user needs to change his passphrase he can do it directly from his workstation by changing 
 | ||||
| -  his own key set lock passphrase, and all servers are automatically aware.
 | ||||
| - 
 | ||||
| -  With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
 | ||||
| -  so he can add/modify/delete himself his public key when needed.
 | ||||
| -
 | ||||
| - FLAWS :
 | ||||
| -  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
 | ||||
| -  allow write to users dn, somebody could replace someuser's public key by its own and impersonate some 
 | ||||
| -  of your users in all your server farm be VERY CAREFUL.
 | ||||
| -  
 | ||||
| -  MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
 | ||||
| -  as the impersonnated user.
 | ||||
| -
 | ||||
| -  If LDAP server is down then, no fallback on passwd auth.
 | ||||
| -  
 | ||||
| -  the ldap code part has not been well audited yet.
 | ||||
| -
 | ||||
| -- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
 | ||||
| -    --- CUT HERE ---
 | ||||
| -    dn: uid=jdoe,ou=users,dc=foobar,dc=net
 | ||||
| -    objectclass: top
 | ||||
| -    objectclass: person
 | ||||
| -    objectclass: organizationalPerson
 | ||||
| -    objectclass: posixAccount
 | ||||
| -    objectclass: ldapPublicKey
 | ||||
| -    description: My account
 | ||||
| -    cn: John Doe
 | ||||
| -    sn: John Doe
 | ||||
| -    uid: jdoe
 | ||||
| -    uidNumber: 100
 | ||||
| -    gidNumber: 100
 | ||||
| -    homeDirectory: /home/jdoe
 | ||||
| -    sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
 | ||||
| -    [...]
 | ||||
| -    --- CUT HERE ---
 | ||||
| -
 | ||||
| -- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
 | ||||
| -    --- CUT HERE ---
 | ||||
| -    dn: cn=unix,ou=groups,dc=cuckoos,dc=net
 | ||||
| -    objectclass: top
 | ||||
| -    objectclass: posixGroup
 | ||||
| -    description: Unix based servers group
 | ||||
| -    cn: unix
 | ||||
| -    gidNumber: 1002
 | ||||
| -    memberUid: jdoe
 | ||||
| -    memberUid: user1
 | ||||
| -    memberUid: user2
 | ||||
| -    [...]
 | ||||
| -    --- CUT HERE ---
 | ||||
| -
 | ||||
| ->> FYI: << 
 | ||||
| -Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
 | ||||
| -
 | ||||
| -- COMPILING:
 | ||||
| -  1. Apply the patch
 | ||||
| -  2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
 | ||||
| -  3. make
 | ||||
| -  4. it's done.
 | ||||
| -
 | ||||
| -- BLA :
 | ||||
| -  I hope this could help, and i hope to be clear enough,, or give ideas.  questions/comments/improvements are welcome.
 | ||||
| -  
 | ||||
| -- TODO :
 | ||||
| -  Possibility to reuse the ssh-ldap-helper.
 | ||||
| -  Tune the LDAP part to all possible LDAP configurations.
 | ||||
| -
 | ||||
| -- DIFFERENCES FROM ORIGINAL lpk
 | ||||
| -  No LDAP code in sshd.
 | ||||
| -  Support for various LDAP platforms and configurations.
 | ||||
| -  LDAP is configured in separate ldap.conf file.
 | ||||
| -
 | ||||
| -- DOCS/LINK :
 | ||||
| -  http://pacsec.jp/core05/psj05-barisani-en.pdf
 | ||||
| -  http://fritz.potsdam.edu/projects/openssh-lpk/
 | ||||
| -  http://fritz.potsdam.edu/projects/sshgate/
 | ||||
| -  http://dev.inversepath.com/trac/openssh-lpk
 | ||||
| -  http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
 | ||||
| -
 | ||||
| -- CONTRIBUTORS/IDEAS/GREETS :
 | ||||
| -  - Eric AUGE <eau@phear.org>
 | ||||
| -  - Andrea Barisani <andrea@inversepath.com>
 | ||||
| -  - Falk Siemonsmeier.
 | ||||
| -  - Jacob Rief.
 | ||||
| -  - Michael Durchgraf.
 | ||||
| -  - frederic peters.
 | ||||
| -  - Finlay dobbie.
 | ||||
| -  - Stefan Fisher.
 | ||||
| -  - Robin H. Johnson.
 | ||||
| -  - Adrian Bridgett.
 | ||||
| -
 | ||||
| -- CONTACT :
 | ||||
| -    Jan F. Chadima <jchadima@redhat.com>
 | ||||
| -
 | ||||
| diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap2 openssh-5.8p1/ssh-ldap-helper.8
 | ||||
| --- openssh-5.8p1/ssh-ldap-helper.8.ldap2	2011-03-10 21:45:53.170854817 +0100
 | ||||
| +++ openssh-5.8p1/ssh-ldap-helper.8	2011-03-10 21:45:53.454980272 +0100
 | ||||
| @@ -37,11 +37,12 @@ sshd configuration file
 | ||||
|  by setting | ||||
|  .Cm AuthorizedKeysCommand | ||||
|  to | ||||
| -.Dq /usr/libexec/ssh-ldap-helper -s %u .
 | ||||
| +.Dq /usr/libexec/ssh-ldap-wrapper .
 | ||||
|  .Pp | ||||
|  .Nm | ||||
|  is not intended to be invoked by the user, but from | ||||
| -.Xr sshd 8 .
 | ||||
| +.Xr sshd 8 via
 | ||||
| +.Xr ssh-ldap-wrapper .
 | ||||
|  .Pp | ||||
|  The options are as follows: | ||||
|  .Bl -tag -width Ds | ||||
							
								
								
									
										20
									
								
								openssh.spec
									
									
									
									
									
								
							
							
						
						
									
										20
								openssh.spec
							| @ -104,20 +104,13 @@ Patch100: openssh-5.8p1-fingerprint.patch | ||||
| Patch200: openssh-5.8p1-exit.patch | ||||
| #https://bugzilla.mindrot.org/show_bug.cgi?id=1402 | ||||
| Patch8: openssh-5.8p1-audit0.patch | ||||
| Patch108: openssh-5.8p1-audit0a.patch | ||||
| Patch1: openssh-5.8p1-audit1.patch | ||||
| Patch101: openssh-5.8p1-audit1a.patch | ||||
| Patch2: openssh-5.8p1-audit2.patch | ||||
| Patch102: openssh-5.8p1-audit2a.patch | ||||
| Patch3: openssh-5.8p1-audit3.patch | ||||
| Patch103: openssh-5.8p1-audit3a.patch | ||||
| Patch4: openssh-5.8p1-audit4.patch | ||||
| Patch104: openssh-5.8p1-audit4a.patch | ||||
| Patch5: openssh-5.8p1-audit5.patch | ||||
| Patch105: openssh-5.8p1-audit5a.patch | ||||
| #? | ||||
| Patch7: openssh-5.8p1-entropy.patch | ||||
| Patch107: openssh-5.8p1-entropy2.patch | ||||
| #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) | ||||
| Patch9: openssh-5.8p1-vendor.patch | ||||
| # --- pam_ssh-agent --- | ||||
| @ -127,7 +120,6 @@ Patch11: pam_ssh_agent_auth-0.9.2-seteuid.patch | ||||
| Patch20: openssh-5.8p1-authorized-keys-command.patch | ||||
| #? | ||||
| Patch21: openssh-5.8p1-ldap.patch | ||||
| Patch121: openssh-5.8p1-ldap2.patch | ||||
| #-mail-conf | ||||
| Patch22: openssh-5.8p1-selinux.patch | ||||
| #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX) | ||||
| @ -169,7 +161,6 @@ Patch56: openssh-5.2p1-edns.patch | ||||
| Patch57: openssh-5.1p1-scp-manpage.patch | ||||
| #? | ||||
| Patch58: openssh-5.8p1-keycat.patch | ||||
| Patch158: openssh-5.8p1-keycat2.patch | ||||
| #http://www.sxw.org.uk/computing/patches/openssh.html | ||||
| Patch60: openssh-5.8p1-gsskex.patch | ||||
| #? | ||||
| @ -329,19 +320,12 @@ The module is most useful for su and sudo service stacks. | ||||
| %patch100 -p1 -b .fingerprint | ||||
| %patch200 -p1 -b .exit | ||||
| %patch8 -p1 -b .audit0 | ||||
| %patch108 -p1 -b .audit0a | ||||
| %patch1 -p1 -b .audit1 | ||||
| %patch101 -p1 -b .audit1a | ||||
| %patch2 -p1 -b .audit2 | ||||
| %patch102 -p1 -b .audit2a | ||||
| %patch3 -p1 -b .audit3 | ||||
| %patch103 -p1 -b .audit3a | ||||
| %patch4 -p1 -b .audit4 | ||||
| %patch104 -p1 -b .audit4a | ||||
| %patch5 -p1 -b .audit5 | ||||
| %patch105 -p1 -b .audit5a | ||||
| %patch7 -p1 -b .entropy | ||||
| %patch107 -p1 -b .entropy2 | ||||
| %patch9 -p1 -b .vendor | ||||
| %if %{pam_ssh_agent} | ||||
| pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} | ||||
| @ -354,7 +338,6 @@ popd | ||||
| %patch20 -p1 -b .akc | ||||
| %if %{ldap} | ||||
| %patch21 -p1 -b .ldap | ||||
| %patch121 -p1 -b .ldap2 | ||||
| %endif | ||||
| %if %{WITH_SELINUX} | ||||
| #SELinux | ||||
| @ -368,6 +351,8 @@ popd | ||||
| %patch32 -p1 -b .randclean | ||||
| %patch34 -p1 -b .kuserok | ||||
| %patch35 -p1 -b .glob | ||||
| %patch36 -p1 -b .pwchange | ||||
| 
 | ||||
| %patch50 -p1 -b .fips | ||||
| %patch51 -p1 -b .x11 | ||||
| %patch52 -p1 -b .exit-deadlock | ||||
| @ -376,7 +361,6 @@ popd | ||||
| %patch56 -p1 -b .edns | ||||
| %patch57 -p1 -b .manpage | ||||
| %patch58 -p1 -b .keycat | ||||
| %patch158 -p1 -b .keycat2 | ||||
| %patch60 -p1 -b .gsskex | ||||
| %patch61 -p1 -b .canohost | ||||
| 
 | ||||
|  | ||||
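Review bot: The newly applied `%patch36 -p1 -b .pwchange` line in the %prep hunk (@@ -368,6 +351,8 @@) has no matching `Patch36:` declaration in any of the source-list hunks visible here, so %prep would fail at that line unless the declaration was added in a part of the spec outside this view — worth confirming before the build is attempted. The same section silently drops the audit0a–audit5a, entropy2, ldap2 and keycat2 follow-up patches from both the declaration list and %prep, which the commit title ("resolve warnings in port_linux.c") does not mention at all. Presumably those were folded into their base patches; for sshd audit and LDAP key-lookup code that fold is the change a reviewer actually needs to check against the base patch files, so a commit message line such as `Fold the *a / *2 follow-up patches into their base patches; add pwchange patch` would make later bisection and audit of this package far easier.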