diff --git a/openssh-5.8p1-audit0a.patch b/openssh-5.8p1-audit0a.patch
deleted file mode 100644
index e69de29..0000000
diff --git a/openssh-5.8p1-audit1a.patch b/openssh-5.8p1-audit1a.patch
deleted file mode 100644
index e69de29..0000000
diff --git a/openssh-5.8p1-audit2a.patch b/openssh-5.8p1-audit2a.patch
deleted file mode 100644
index e69de29..0000000
diff --git a/openssh-5.8p1-audit3a.patch b/openssh-5.8p1-audit3a.patch
deleted file mode 100644
index e69de29..0000000
diff --git a/openssh-5.8p1-audit4a.patch b/openssh-5.8p1-audit4a.patch
deleted file mode 100644
index e69de29..0000000
diff --git a/openssh-5.8p1-audit5a.patch b/openssh-5.8p1-audit5a.patch
deleted file mode 100644
index e69de29..0000000
diff --git a/openssh-5.8p1-entropy2.patch b/openssh-5.8p1-entropy2.patch
deleted file mode 100644
index e69de29..0000000
diff --git a/openssh-5.8p1-keycat2.patch b/openssh-5.8p1-keycat2.patch
deleted file mode 100644
index e69de29..0000000
diff --git a/openssh-5.8p1-ldap.patch b/openssh-5.8p1-ldap.patch
index d6bb196..38c120f 100644
--- a/openssh-5.8p1-ldap.patch
+++ b/openssh-5.8p1-ldap.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac
---- openssh-5.8p1/configure.ac.ldap 2011-02-28 23:21:05.000000000 +0100
-+++ openssh-5.8p1/configure.ac 2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/configure.ac.ldap 2011-04-01 09:01:18.559688927 +0200
++++ openssh-5.8p1/configure.ac 2011-04-01 09:01:18.972717095 +0200
 @@ -1434,6 +1434,106 @@ AC_ARG_WITH(authorized-keys-command,
 ]
 )
@@ -109,26 +109,120 @@ diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac AC_CHECK_FUNCS( \ arc4random \ diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys ---- openssh-5.8p1/HOWTO.ldap-keys.ldap 2011-02-28 23:21:06.000000000 +0100 -+++ openssh-5.8p1/HOWTO.ldap-keys 2011-02-28 23:21:06.000000000 +0100 -@@ -0,0 +1,14 @@ +--- openssh-5.8p1/HOWTO.ldap-keys.ldap 2011-04-01 09:01:19.000648742 +0200 ++++ openssh-5.8p1/HOWTO.ldap-keys 2011-04-01 09:01:19.564648857 +0200 +@@ -0,0 +1,108 @@ ++ ++HOW TO START + +1) configure LDAP server -+2) add appropriate schema ++ * Use LDAP server documentation ++2) add appropriate LDAP schema ++ * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. ++ * LDAP user entry ++ User entry: ++ - attached to the 'ldapPublicKey' objectclass ++ - attached to the 'posixAccount' objectclass ++ - with a filled 'sshPublicKey' attribute +3) insert users into LDAP ++ * Use LDAP Tree management tool as useful ++ * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema. ++ * Example: ++ dn: uid=captain,ou=commanders,dc=enterprise,dc=universe ++ objectclass: top ++ objectclass: person ++ objectclass: organizationalPerson ++ objectclass: posixAccount ++ objectclass: ldapPublicKey ++ description: Jonathan Archer ++ userPassword: Porthos ++ cn: onathan Archer ++ sn: onathan Archer ++ uid: captain ++ uidNumber: 1001 ++ gidNumber: 1001 ++ homeDirectory: /home/captain ++ sshPublicKey: ssh-rss AAAAB3.... =captain@universe ++ sshPublicKey: command="kill -9 1" ssh-rss AAAAM5... 
+4) on the ssh side set in sshd_config -+AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper" -+AuthorizedKeysCommandRunAs -+5) do not forget to set -+PubkeyAuthentication yes ++ * Set up the backend ++ AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper" ++ AuthorizedKeysCommandRunAs ++ * Do not forget to set ++ PubkeyAuthentication yes ++ * Swith off unnecessary auth methods ++5) confugure ldap.conf ++ * Default ldap.conf is placed in /etc/ssh ++ * The configuration style is the same as other ldap based aplications ++6) if necessary edit ssh-ldap-wrapper ++ * There is a possibility to change ldap.conf location ++ * There are some debug options ++ * Example ++ /usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt + ++HOW TO MIGRATE FROM LPK + -+To debug the ssh-ldap-helper is possible to set -+the necessary flags in the ssh-ldap-wrapper. ++1) goto HOW TO START 4) .... the ldap schema is the same ++ ++2) convert the group requests to the appropriate LDAP requests ++ ++HOW TO SOLVE PROBLEMS ++ ++1) use debug in sshd ++ * /usr/sbin/sshd -d -d -d -d ++2) use debug in ssh-ldap-helper ++ * ssh-ldap-helper -d -d -d -d -s ++3) use tcpdump ... other ldap client etc. ++ ++ADVANTAGES ++ ++1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only). ++ ++DISADVANTAGES ++ ++1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP ++ allows write to users dn, somebody could replace some user's public key by his own and impersonate some ++ of your users in all your server farm -- be VERY CAREFUL. ++2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login ++ as the impersonated user. ++3) If LDAP server is down there may be no fallback on passwd auth. ++ ++MISC. ++ ++1) todo ++ * Possibility to reuse the ssh-ldap-helper. 
++ * Tune the LDAP part to accept all possible LDAP configurations.
++
++2) differences from original lpk
++ * No LDAP code in sshd.
++ * Support for various LDAP platforms and configurations.
++ * LDAP is configured in separate ldap.conf file.
++
++3) docs/link
++ * http://pacsec.jp/core05/psj05-barisani-en.pdf
++ * http://fritz.potsdam.edu/projects/openssh-lpk/
++ * http://fritz.potsdam.edu/projects/sshgate/
++ * http://dev.inversepath.com/trac/openssh-lpk
++ * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
++
++4) contributors/ideas/greets
++ - Eric AUGE
++ - Andrea Barisani
++ - Falk Siemonsmeier.
++ - Jacob Rief.
++ - Michael Durchgraf.
++ - frederic peters.
++ - Finlay dobbie.
++ - Stefan Fisher.
++ - Robin H. Johnson.
++ - Adrian Bridgett.
++
++5) Author
++ Jan F. Chadima
 +
 diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
---- openssh-5.8p1/ldapbody.c.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapbody.c 2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapbody.c.ldap 2011-04-01 09:01:19.024648747 +0200
++++ openssh-5.8p1/ldapbody.c 2011-04-01 09:01:19.032648722 +0200
 @@ -0,0 +1,494 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -625,8 +719,8 @@ diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
 +}
 +
 diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h
---- openssh-5.8p1/ldapbody.h.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapbody.h 2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapbody.h.ldap 2011-04-01 09:01:19.047648768 +0200
++++ openssh-5.8p1/ldapbody.h 2011-04-01 09:01:19.057648739 +0200
 @@ -0,0 +1,37 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -666,8 +760,8 @@ diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h
 +#endif /* LDAPBODY_H */
 +
 diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
---- openssh-5.8p1/ldapconf.c.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapconf.c 2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapconf.c.ldap 2011-04-01 09:01:19.073648744 +0200
++++ openssh-5.8p1/ldapconf.c 2011-04-01 09:01:19.082648746 +0200
 @@ -0,0 +1,682 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1352,8 +1446,8 @@ diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
 +}
 +
 diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h
---- openssh-5.8p1/ldapconf.h.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapconf.h 2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapconf.h.ldap 2011-04-01 09:01:19.097648717 +0200
++++ openssh-5.8p1/ldapconf.h 2011-04-01 09:01:19.107648734 +0200
 @@ -0,0 +1,71 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1427,8 +1521,8 @@ diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h
 +
 +#endif /* LDAPCONF_H */
 diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf
---- openssh-5.8p1/ldap.conf.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldap.conf 2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldap.conf.ldap 2011-04-01 09:01:19.122648724 +0200
++++ openssh-5.8p1/ldap.conf 2011-04-01 09:01:19.131648759 +0200
 @@ -0,0 +1,88 @@
 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 +#
@@ -1519,9 +1613,9 @@ diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf
 +#tls_key
 +
 diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
---- openssh-5.8p1/ldap-helper.c.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldap-helper.c 2011-02-28 23:21:06.000000000 +0100
-@@ -0,0 +1,154 @@
+--- openssh-5.8p1/ldap-helper.c.ldap 2011-04-01 09:01:19.145658994 +0200
++++ openssh-5.8p1/ldap-helper.c 2011-04-01 09:01:19.608648889 +0200
+@@ -0,0 +1,155 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@@ -1662,6 +1756,7 @@ diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
 + if (config_single_user) {
 + process_user (config_single_user, outfile);
 + } else {
++ usage();
 + fatal ("Not yet implemented");
 +/* TODO
 + * open unix socket a run the loop on it
@@ -1677,8 +1772,8 @@ diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
 +void buffer_put_string(Buffer *b, const void *f, u_int l) {}
 +
 diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h
---- openssh-5.8p1/ldap-helper.h.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldap-helper.h 2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldap-helper.h.ldap 2011-04-01 09:01:19.168648731 +0200
++++ openssh-5.8p1/ldap-helper.h 2011-04-01 09:01:19.177648726 +0200
 @@ -0,0 +1,32 @@
 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1713,8 +1808,8 @@ diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h
 +
 +#endif /* LDAP_HELPER_H */
 diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h
---- openssh-5.8p1/ldapincludes.h.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapincludes.h 2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapincludes.h.ldap 2011-04-01 09:01:19.192648737 +0200
++++ openssh-5.8p1/ldapincludes.h 2011-04-01 09:01:19.202648683 +0200
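Review bot: `usage();` is now called directly before `fatal ("Not yet implemented");` in the branch taken when `config_single_user` is unset; if `usage()` exits, as helper usage routines usually do, the `fatal()` call and its message become unreachable, and if it returns, the caller gets a usage dump followed by an unrelated "Not yet implemented" error for what is really a missing-argument condition. Keep only one of the two: either drop the new `usage()` line, or let `usage()` report the problem and remove the `fatal()` while leaving the TODO comment about the unix-socket loop in place. The definition of `usage()` and the enclosing function both lie outside the hunk, so which of the two behaviours applies cannot be confirmed from here.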
@@ -0,0 +1,41 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1758,8 +1853,8 @@ diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h
 +
 +#endif /* LDAPINCLUDES_H */
 diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c
---- openssh-5.8p1/ldapmisc.c.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapmisc.c 2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapmisc.c.ldap 2011-04-01 09:01:19.216648692 +0200
++++ openssh-5.8p1/ldapmisc.c 2011-04-01 09:01:19.225648767 +0200
 @@ -0,0 +1,79 @@
 +
 +#include "ldapincludes.h"
@@ -1841,8 +1936,8 @@ diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c
 +#endif
 +
 diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h
---- openssh-5.8p1/ldapmisc.h.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapmisc.h 2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapmisc.h.ldap 2011-04-01 09:01:19.240648724 +0200
++++ openssh-5.8p1/ldapmisc.h 2011-04-01 09:01:19.249648718 +0200
 @@ -0,0 +1,35 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1880,129 +1975,9 @@ diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h +#endif /* LDAPMISC_H */ + diff -up openssh-5.8p1/lpk-user-example.txt.ldap openssh-5.8p1/lpk-user-example.txt ---- openssh-5.8p1/lpk-user-example.txt.ldap 2011-02-28 23:21:06.000000000 +0100 -+++ openssh-5.8p1/lpk-user-example.txt 2011-02-28 23:21:06.000000000 +0100 -@@ -0,0 +1,117 @@ -+ -+Post to ML -> User Made Quick Install Doc. -+Contribution from John Lane -+ -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -+ -+OpenSSH LDAP keystore Patch -+=========================== -+ -+NOTE: these notes are a transcript of a specific installation -+ they work for me, your specifics may be different! -+ from John Lane March 17th 2005 john@lane.uk.net -+ -+This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys -+from their LDAP record as an alternative to ~/.ssh/authorized_keys. -+ -+(Assuming here that necessary build stuff is in $BUILD) -+ -+cd $BUILD/openssh-4.0p1 -+patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch -+mkdir -p /var/empty && -+./configure --prefix=/usr --sysconfdir=/etc/ssh \ -+ --libexecdir=/usr/sbin --with-md5-passwords --with-pam \ -+ --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY" -+Now do. -+make && -+make install -+ -+Add the following config to /etc/ssh/ssh_config -+UseLPK yes -+LpkServers ldap://myhost.mydomain.com -+LpkUserDN ou=People,dc=mydomain,dc=com -+ -+We need to tell sshd about the SSL keys during boot, as root's -+environment does not exist at that time. Edit /etc/rc.d/init.d/sshd. -+Change the startup code from this: -+ echo "Starting SSH Server..." -+ loadproc /usr/sbin/sshd -+ ;; -+to this: -+ echo "Starting SSH Server..." 
-+ LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd -+ ;; -+ -+Re-start the sshd daemon: -+/etc/rc.d/init.d/sshd restart -+ -+Install the additional LDAP schema -+cp $BUILD/openssh-lpk-0.2.schema /etc/openldap/schema/openssh.schema -+ -+Now add the openSSH LDAP schema to /etc/openldap/slapd.conf: -+Add the following to the end of the existing block of schema includes -+include /etc/openldap/schema/openssh.schema -+ -+Re-start the LDAP server: -+/etc/rc.d/init.d/slapd restart -+ -+To add one or more public keys to a user, eg "testuser" : -+ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D -+"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser -+ -+append the following to this /tmp/testuser file -+objectclass: ldapPublicKey -+sshPublicKey: ssh-rsa -+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS -+qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI -+7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key -+ -+Then do a modify: -+ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f -+/tmp/testuser -Z -+Enter LDAP Password: -+modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com" -+And check the modify is ok: -+ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D -+"uid=testuser,ou=People,dc=mydomain,dc=com" -+Enter LDAP Password: -+# extended LDIF -+# -+# LDAPv3 -+# base with scope sub -+# filter: (objectclass=*) -+# requesting: ALL -+# -+ -+# testuser, People, mydomain.com -+dn: uid=testuser,ou=People,dc=mydomain,dc=com -+uid: testuser -+cn: testuser -+objectClass: account -+objectClass: posixAccount -+objectClass: top -+objectClass: shadowAccount -+objectClass: ldapPublicKey -+shadowLastChange: 12757 -+shadowMax: 99999 -+shadowWarning: 7 -+loginShell: /bin/bash -+uidNumber: 9999 -+gidNumber: 501 -+homeDirectory: /home/testuser -+userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU= -+sshPublicKey: ssh-rsa 
-+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z -+8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key -+ -+# search result -+search: 3 -+result: 0 Success -+ -+# numResponses: 2 -+# numEntries: 1 -+ -+Now start a ssh session to user "testuser" from usual ssh client (e.g. -+puTTY). Login should succeed. -+ -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in ---- openssh-5.8p1/Makefile.in.ldap 2011-02-28 23:21:03.000000000 +0100 -+++ openssh-5.8p1/Makefile.in 2011-02-28 23:21:06.000000000 +0100 +--- openssh-5.8p1/Makefile.in.ldap 2011-04-01 09:01:15.209648708 +0200 ++++ openssh-5.8p1/Makefile.in 2011-04-01 09:01:19.307648329 +0200 @@ -26,6 +26,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign @@ -2089,8 +2064,8 @@ diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in tests interop-tests: $(TARGETS) diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lpk-openldap.schema ---- openssh-5.8p1/openssh-lpk-openldap.schema.ldap 2011-02-28 23:21:06.000000000 +0100 -+++ openssh-5.8p1/openssh-lpk-openldap.schema 2011-02-28 23:21:06.000000000 +0100 +--- openssh-5.8p1/openssh-lpk-openldap.schema.ldap 2011-04-01 09:01:19.333648708 +0200 ++++ openssh-5.8p1/openssh-lpk-openldap.schema 2011-04-01 09:01:19.343648766 +0200 @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey 
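Review bot: The context line ` diff -up openssh-5.8p1/lpk-user-example.txt.ldap openssh-5.8p1/lpk-user-example.txt` is kept on the new side of the hunk `@@ -1880,129 +1975,9 @@` while its `---`/`+++` headers and the whole 117-line body are removed, so the patch file now carries a file header with nothing under it; the hunk `@@ -2141,286 +2116,9 @@` leaves the `README.lpk` header in the same state. GNU patch will most likely skip such an orphaned line as garbage, but a stricter tool or a reader of the patch will see a file that is announced and never touched. Remove the two `diff -up` lines together with the bodies they introduced, so that the patch lists only files it actually modifies.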
@@ -2114,8 +2089,8 @@ diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lp
 + MUST ( sshPublicKey $ uid )
 + )
 diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun.schema
---- openssh-5.8p1/openssh-lpk-sun.schema.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/openssh-lpk-sun.schema 2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/openssh-lpk-sun.schema.ldap 2011-04-01 09:01:19.358648705 +0200
++++ openssh-5.8p1/openssh-lpk-sun.schema 2011-04-01 09:01:19.368648739 +0200
 @@ -0,0 +1,23 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2141,286 +2116,9 @@ diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun + MUST ( sshPublicKey $ uid ) + ) diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk ---- openssh-5.8p1/README.lpk.ldap 2011-02-28 23:21:06.000000000 +0100 -+++ openssh-5.8p1/README.lpk 2011-02-28 23:21:06.000000000 +0100 -@@ -0,0 +1,274 @@ -+OpenSSH LDAP PUBLIC KEY PATCH -+Copyright (c) 2003 Eric AUGE (eau@phear.org) -+All rights reserved. -+ -+Rewriten by Jan F. Chadima (jchadima@redhat.com) -+Copyright (c) 2010 Red Hat, Inc. -+The new PKA-LDAP patch is rewritten from the scratch. -+LDAP schema and part of the documentation is based on original -+LPK project (http://code.google.com/p/openssh-lpk), -+copyright (c) 2003 Eric AUGE -+The new openssh configuration is different from the original LPK one. -+ -+Redistribution and use in source and binary forms, with or without -+modification, are permitted provided that the following conditions -+are met: -+1. Redistributions of source code must retain the above copyright -+ notice, this list of conditions and the following disclaimer. -+2. Redistributions in binary form must reproduce the above copyright -+ notice, this list of conditions and the following disclaimer in the -+ documentation and/or other materials provided with the distribution. -+3. The name of the author may not be used to endorse or promote products -+ derived from this software without specific prior written permission. -+ -+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
-+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ -+purposes of this patch: -+ -+This patch would help to have authentication centralization policy -+using ssh public key authentication. -+This patch could be an alternative to other "secure" authentication system -+working in a similar way (Kerberos, SecurID, etc...), except the fact -+that it's based on OpenSSH and its public key abilities. -+ -+>> FYI: << -+'uid': means unix accounts existing on the current server -+'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf. -+ -+example schema: -+ -+ -+ server1 (uid: eau,rival,toto) (ServerGroup: unix) -+ ___________ / -+ / \ --- - server3 (uid: eau, titi) (ServerGroup: unix) -+ | LDAP Server | \ -+ | eau ,rival | server2 (uid: rival, eau) (ServerGroup: unix) -+ | titi ,toto | -+ | userx,.... | server5 (uid: eau) (ServerGroup: mail) -+ \___________/ \ / -+ ----- - server4 (uid: eau, rival) (no group configured) -+ \ -+ etc... -+ -+- WHAT WE NEED : -+ -+ * configured LDAP server somewhere on the network (i.e. 
OpenLDAP) -+ * patched sshd (with this patch ;) -+ * LDAP user(/group) entry (look at users.ldif (& groups.ldif)): -+ User entry: -+ - attached to the 'ldapPublicKey' objectclass -+ - attached to the 'posixAccount' objectclass -+ - with a filled 'sshPublicKey' attribute -+ Example: -+ dn: uid=eau,ou=users,dc=cuckoos,dc=net -+ objectclass: top -+ objectclass: person -+ objectclass: organizationalPerson -+ objectclass: posixAccount -+ objectclass: ldapPublicKey -+ description: Eric AUGE Account -+ userPassword: blah -+ cn: Eric AUGE -+ sn: Eric AUGE -+ uid: eau -+ uidNumber: 1034 -+ gidNumber: 1 -+ homeDirectory: /export/home/eau -+ sshPublicKey: ssh-dss AAAAB3... -+ sshPublicKey: ssh-dss AAAAM5... -+ -+ Group entry: -+ - attached to the 'posixGroup' objectclass -+ - with a 'cn' groupname attribute -+ - with multiple 'memberUid' attributes filled with usernames allowed in this group -+ Example: -+ # few members -+ dn: cn=unix,ou=groups,dc=cuckoos,dc=net -+ objectclass: top -+ objectclass: posixGroup -+ description: Unix based servers group -+ cn: unix -+ gidNumber: 1002 -+ memberUid: eau -+ memberUid: user1 -+ memberUid: user2 -+ -+ -+- HOW IT WORKS : -+ -+ * without patch -+ If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..) -+ and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled). -+ -+ * with the patch -+ If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled. -+ It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
-+ (usually in $HOME/.ssh/authorized_keys) -+ -+ 2 tokens are added to sshd_config : -+ # here is the new patched ldap related tokens -+ AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper" -+ AuthorizedKeysCommandRunAs nobody -+ -+ The LDAP configuratin is read from common /etc/ldap.conf configuration file. -+There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched. -+ -+- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY -+ -+ * my way (there is plenty :) -+ - create ldif file (i.e. users.ldif) -+ - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub -+ - my way in 4 steps : -+ Example: -+ -+ # you add this to the user entry in the LDIF file : -+ [...] -+ objectclass: posixAccount -+ objectclass: ldapPublicKey -+ [...] -+ sshPubliKey: ssh-dss AAAABDh12DDUR2... -+ [...] -+ -+ # insert your entry and you're done :) -+ ldapadd -D balblabla -w bleh < file.ldif -+ -+ all standard options can be present in the 'sshPublicKey' attribute. -+ -+- WHY : -+ -+ Simply because, i was looking for a way to centralize all sysadmins authentication, easily, without completely using LDAP -+ as authentication method (like pam_ldap etc..). -+ -+ After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get -+ public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser' -+ objectclass within LDAP and part of the group the SSH server is in). -+ -+ Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase -+ so each user can change it as much as he wants). -+ -+ Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only). 
-+ -+- RULES : -+ Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. -+ and the additionnal lpk.schema. -+ -+ This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication -+ (pamldap, nss_ldap, etc..). -+ -+ This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..). -+ -+ Referring to schema at the beginning of this file if user 'eau' is only in group 'unix' -+ 'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'. -+ If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able -+ to log in 'server5' (i hope you got the idea, my english is bad :). -+ -+ Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP -+ server. -+ When you want to allow a new user to have access to the server parc, you just add him an account on -+ your servers, you add his public key into his entry on the LDAP server, it's done. -+ -+ Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys). -+ -+ When the user needs to change his passphrase he can do it directly from his workstation by changing -+ his own key set lock passphrase, and all servers are automatically aware. -+ -+ With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself -+ so he can add/modify/delete himself his public key when needed. -+ -+­ FLAWS : -+ LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP -+ allow write to users dn, somebody could replace someuser's public key by its own and impersonate some -+ of your users in all your server farm be VERY CAREFUL. -+ -+ MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login -+ as the impersonnated user. 
-+ -+ If LDAP server is down then, no fallback on passwd auth. -+ -+ the ldap code part has not been well audited yet. -+ -+- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif) -+ --- CUT HERE --- -+ dn: uid=jdoe,ou=users,dc=foobar,dc=net -+ objectclass: top -+ objectclass: person -+ objectclass: organizationalPerson -+ objectclass: posixAccount -+ objectclass: ldapPublicKey -+ description: My account -+ cn: John Doe -+ sn: John Doe -+ uid: jdoe -+ uidNumber: 100 -+ gidNumber: 100 -+ homeDirectory: /home/jdoe -+ sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB.... -+ [...] -+ --- CUT HERE --- -+ -+- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif) -+ --- CUT HERE --- -+ dn: cn=unix,ou=groups,dc=cuckoos,dc=net -+ objectclass: top -+ objectclass: posixGroup -+ description: Unix based servers group -+ cn: unix -+ gidNumber: 1002 -+ memberUid: jdoe -+ memberUid: user1 -+ memberUid: user2 -+ [...] -+ --- CUT HERE --- -+ -+>> FYI: << -+Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry -+ -+- COMPILING: -+ 1. Apply the patch -+ 2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes -+ 3. make -+ 4. it's done. -+ -+- BLA : -+ I hope this could help, and i hope to be clear enough,, or give ideas. questions/comments/improvements are welcome. -+ -+- TODO : -+ Possibility to reuse the ssh-ldap-helper. -+ Tune the LDAP part to all possible LDAP configurations. -+ -+- DIFFERENCES FROM ORIGINAL lpk -+ No LDAP code in sshd. -+ Support for various LDAP platforms and configurations. -+ LDAP is configured in separate ldap.conf file. 
-+
-+- DOCS/LINK :
-+ http://pacsec.jp/core05/psj05-barisani-en.pdf
-+ http://fritz.potsdam.edu/projects/openssh-lpk/
-+ http://fritz.potsdam.edu/projects/sshgate/
-+ http://dev.inversepath.com/trac/openssh-lpk
-+ http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
-+
-+- CONTRIBUTORS/IDEAS/GREETS :
-+ - Eric AUGE
-+ - Andrea Barisani
-+ - Falk Siemonsmeier.
-+ - Jacob Rief.
-+ - Michael Durchgraf.
-+ - frederic peters.
-+ - Finlay dobbie.
-+ - Stefan Fisher.
-+ - Robin H. Johnson.
-+ - Adrian Bridgett.
-+
-+- CONTACT :
-+ Jan F. Chadima
-+
 diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
---- openssh-5.8p1/ssh-ldap.conf.5.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ssh-ldap.conf.5 2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ssh-ldap.conf.5.ldap 2011-04-01 09:01:19.408648714 +0200
++++ openssh-5.8p1/ssh-ldap.conf.5 2011-04-01 09:01:19.418648733 +0200
 @@ -0,0 +1,373 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
@@ -2796,9 +2494,9 @@ diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
 diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
---- openssh-5.8p1/ssh-ldap-helper.8.ldap 2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ssh-ldap-helper.8 2011-02-28 23:21:06.000000000 +0100
-@@ -0,0 +1,78 @@
+--- openssh-5.8p1/ssh-ldap-helper.8.ldap 2011-04-01 09:01:19.432648735 +0200
++++ openssh-5.8p1/ssh-ldap-helper.8 2011-04-01 09:01:19.709648247 +0200
+@@ -0,0 +1,79 @@
 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
 +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
@@ -2838,11 +2536,12 @@ diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
 +by setting
 +.Cm AuthorizedKeysCommand
 +to
-+.Dq /usr/libexec/ssh-ldap-helper -s %u .
++.Dq /usr/libexec/ssh-ldap-wrapper .
 +.Pp
 +.Nm
 +is not intended to be invoked by the user, but from
-+.Xr sshd 8 .
++.Xr sshd 8 via
++.Xr ssh-ldap-wrapper .
 +.Pp
 +The options are as follows:
 +.Bl -tag -width Ds
@@ -2878,8 +2577,8 @@ diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
 diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap openssh-5.8p1/ssh-ldap-wrapper
---- openssh-5.8p1/ssh-ldap-wrapper.ldap 2011-02-28 23:21:07.000000000 +0100
-+++ openssh-5.8p1/ssh-ldap-wrapper 2011-02-28 23:21:07.000000000 +0100
+--- openssh-5.8p1/ssh-ldap-wrapper.ldap 2011-04-01 09:01:19.456648676 +0200
++++ openssh-5.8p1/ssh-ldap-wrapper 2011-04-01 09:01:19.464648753 +0200
 @@ -0,0 +1,4 @@
 +#!/bin/sh
 +
diff --git a/openssh-5.8p1-ldap2.patch b/openssh-5.8p1-ldap2.patch
deleted file mode 100644
index 9520582..0000000
--- a/openssh-5.8p1-ldap2.patch
+++ /dev/null
@@ -1,547 +0,0 @@
-diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys
---- openssh-5.8p1/HOWTO.ldap-keys.ldap2 2011-03-10 21:45:52.706855323 +0100
-+++ openssh-5.8p1/HOWTO.ldap-keys 2011-03-10 19:35:50.000000000 +0100
-@@ -1,14 +1,108 @@
- 
-+HOW TO START
-+
- 1) configure LDAP server
--2) add appropriate schema
-+ * Use LDAP server documentation
-+2) add appropriate LDAP schema
-+ * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it.
-+ * LDAP user entry
-+ User entry:
-+ - attached to the 'ldapPublicKey' objectclass
-+ - attached to the 'posixAccount' objectclass
-+ - with a filled 'sshPublicKey' attribute
- 3) insert users into LDAP
-+ * Use LDAP Tree management tool as useful
-+ * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
-+ * Example:
-+ dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
-+ objectclass: top
-+ objectclass: person
-+ objectclass: organizationalPerson
-+ objectclass: posixAccount
-+ objectclass: ldapPublicKey
-+ description: Jonathan Archer
-+ userPassword: Porthos
-+ cn: onathan Archer
-+ sn: onathan Archer
-+ uid: captain
-+ uidNumber: 1001
-+ gidNumber: 1001
-+ homeDirectory: /home/captain
-+ sshPublicKey: ssh-rss AAAAB3.... =captain@universe
-+ sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
- 4) on the ssh side set in sshd_config
--AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
--AuthorizedKeysCommandRunAs
--5) do not forget to set
--PubkeyAuthentication yes
-+ * Set up the backend
-+ AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
-+ AuthorizedKeysCommandRunAs
-+ * Do not forget to set
-+ PubkeyAuthentication yes
-+ * Swith off unnecessary auth methods
-+5) confugure ldap.conf
-+ * Default ldap.conf is placed in /etc/ssh
-+ * The configuration style is the same as other ldap based aplications
-+6) if necessary edit ssh-ldap-wrapper
-+ * There is a possibility to change ldap.conf location
-+ * There are some debug options
-+ * Example
-+ /usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
-+
-+HOW TO MIGRATE FROM LPK
-+
-+1) goto HOW TO START 4) .... the ldap schema is the same
-+
-+2) convert the group requests to the appropriate LDAP requests
-+
-+HOW TO SOLVE PROBLEMS
-+
-+1) use debug in sshd
-+ * /usr/sbin/sshd -d -d -d -d
-+2) use debug in ssh-ldap-helper
-+ * ssh-ldap-helper -d -d -d -d -s
-+3) use tcpdump ... other ldap client etc.
-+
-+ADVANTAGES
-+
-+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
-+
-+DISADVANTAGES
-+
-+1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
-+ allows write to users dn, somebody could replace some user's public key by his own and impersonate some
-+ of your users in all your server farm -- be VERY CAREFUL.
-+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
-+ as the impersonated user.
-+3) If LDAP server is down there may be no fallback on passwd auth.
-+
-+MISC.
-+
-+1) todo
-+ * Possibility to reuse the ssh-ldap-helper.
-+ * Tune the LDAP part to accept all possible LDAP configurations.
-+
-+2) differences from original lpk
-+ * No LDAP code in sshd.
-+ * Support for various LDAP platforms and configurations.
-+ * LDAP is configured in separate ldap.conf file.
-+
-+3) docs/link
-+ * http://pacsec.jp/core05/psj05-barisani-en.pdf
-+ * http://fritz.potsdam.edu/projects/openssh-lpk/
-+ * http://fritz.potsdam.edu/projects/sshgate/
-+ * http://dev.inversepath.com/trac/openssh-lpk
-+ * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
- 
-+4) contributors/ideas/greets
-+ - Eric AUGE
-+ - Andrea Barisani
-+ - Falk Siemonsmeier.
-+ - Jacob Rief.
-+ - Michael Durchgraf.
-+ - frederic peters.
-+ - Finlay dobbie.
-+ - Stefan Fisher.
-+ - Robin H. Johnson.
-+ - Adrian Bridgett.
- 
--To debug the ssh-ldap-helper is possible to set
--the necessary flags in the ssh-ldap-wrapper.
-+5) Author
-+ Jan F. Chadima
- 
-diff -up openssh-5.8p1/ldap-helper.c.ldap2 openssh-5.8p1/ldap-helper.c
---- openssh-5.8p1/ldap-helper.c.ldap2 2011-03-10 21:45:52.872854838 +0100
-+++ openssh-5.8p1/ldap-helper.c 2011-03-10 21:45:53.342855061 +0100
-@@ -138,6 +138,7 @@ main(int ac, char **av)
- if (config_single_user) {
- process_user (config_single_user, outfile);
- } else {
-+ usage();
- fatal ("Not yet implemented");
- /* TODO
- * open unix socket a run the loop on it
-diff -up openssh-5.8p1/lpk-user-example.txt.ldap2 openssh-5.8p1/lpk-user-example.txt
---- openssh-5.8p1/lpk-user-example.txt.ldap2 2011-03-10 21:45:52.986980339 +0100
-+++ openssh-5.8p1/lpk-user-example.txt 2011-03-10 21:45:53.379854929 +0100
-@@ -1,117 +0,0 @@
--
--Post to ML -> User Made Quick Install Doc.
--Contribution from John Lane
--
--++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--
--OpenSSH LDAP keystore Patch
--===========================
--
--NOTE: these notes are a transcript of a specific installation
-- they work for me, your specifics may be different!
-- from John Lane March 17th 2005 john@lane.uk.net -- --This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys --from their LDAP record as an alternative to ~/.ssh/authorized_keys. -- --(Assuming here that necessary build stuff is in $BUILD) -- --cd $BUILD/openssh-4.0p1 --patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch --mkdir -p /var/empty && --./configure --prefix=/usr --sysconfdir=/etc/ssh \ -- --libexecdir=/usr/sbin --with-md5-passwords --with-pam \ -- --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY" --Now do. --make && --make install -- --Add the following config to /etc/ssh/ssh_config --UseLPK yes --LpkServers ldap://myhost.mydomain.com --LpkUserDN ou=People,dc=mydomain,dc=com -- --We need to tell sshd about the SSL keys during boot, as root's --environment does not exist at that time. Edit /etc/rc.d/init.d/sshd. --Change the startup code from this: -- echo "Starting SSH Server..." -- loadproc /usr/sbin/sshd -- ;; --to this: -- echo "Starting SSH Server..." 
-- LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd -- ;; -- --Re-start the sshd daemon: --/etc/rc.d/init.d/sshd restart -- --Install the additional LDAP schema --cp $BUILD/openssh-lpk-0.2.schema /etc/openldap/schema/openssh.schema -- --Now add the openSSH LDAP schema to /etc/openldap/slapd.conf: --Add the following to the end of the existing block of schema includes --include /etc/openldap/schema/openssh.schema -- --Re-start the LDAP server: --/etc/rc.d/init.d/slapd restart -- --To add one or more public keys to a user, eg "testuser" : --ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D --"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser -- --append the following to this /tmp/testuser file --objectclass: ldapPublicKey --sshPublicKey: ssh-rsa --AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS --qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI --7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key -- --Then do a modify: --ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f --/tmp/testuser -Z --Enter LDAP Password: --modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com" --And check the modify is ok: --ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D --"uid=testuser,ou=People,dc=mydomain,dc=com" --Enter LDAP Password: --# extended LDIF --# --# LDAPv3 --# base with scope sub --# filter: (objectclass=*) --# requesting: ALL --# -- --# testuser, People, mydomain.com --dn: uid=testuser,ou=People,dc=mydomain,dc=com --uid: testuser --cn: testuser --objectClass: account --objectClass: posixAccount --objectClass: top --objectClass: shadowAccount --objectClass: ldapPublicKey --shadowLastChange: 12757 --shadowMax: 99999 --shadowWarning: 7 --loginShell: /bin/bash --uidNumber: 9999 --gidNumber: 501 --homeDirectory: /home/testuser --userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU= --sshPublicKey: ssh-rsa 
--AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z --8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key -- --# search result --search: 3 --result: 0 Success -- --# numResponses: 2 --# numEntries: 1 -- --Now start a ssh session to user "testuser" from usual ssh client (e.g. --puTTY). Login should succeed. -- --++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -diff -up openssh-5.8p1/README.lpk.ldap2 openssh-5.8p1/README.lpk ---- openssh-5.8p1/README.lpk.ldap2 2011-03-10 21:45:53.112979980 +0100 -+++ openssh-5.8p1/README.lpk 2011-03-10 21:45:53.416856007 +0100 -@@ -1,274 +0,0 @@ --OpenSSH LDAP PUBLIC KEY PATCH --Copyright (c) 2003 Eric AUGE (eau@phear.org) --All rights reserved. -- --Rewriten by Jan F. Chadima (jchadima@redhat.com) --Copyright (c) 2010 Red Hat, Inc. --The new PKA-LDAP patch is rewritten from the scratch. --LDAP schema and part of the documentation is based on original --LPK project (http://code.google.com/p/openssh-lpk), --copyright (c) 2003 Eric AUGE --The new openssh configuration is different from the original LPK one. -- --Redistribution and use in source and binary forms, with or without --modification, are permitted provided that the following conditions --are met: --1. Redistributions of source code must retain the above copyright -- notice, this list of conditions and the following disclaimer. --2. Redistributions in binary form must reproduce the above copyright -- notice, this list of conditions and the following disclaimer in the -- documentation and/or other materials provided with the distribution. --3. The name of the author may not be used to endorse or promote products -- derived from this software without specific prior written permission. 
-- --THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR --IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES --OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. --IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, --INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT --NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, --DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY --THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT --(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF --THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -- --purposes of this patch: -- --This patch would help to have authentication centralization policy --using ssh public key authentication. --This patch could be an alternative to other "secure" authentication system --working in a similar way (Kerberos, SecurID, etc...), except the fact --that it's based on OpenSSH and its public key abilities. -- -->> FYI: << --'uid': means unix accounts existing on the current server --'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf. -- --example schema: -- -- -- server1 (uid: eau,rival,toto) (ServerGroup: unix) -- ___________ / -- / \ --- - server3 (uid: eau, titi) (ServerGroup: unix) -- | LDAP Server | \ -- | eau ,rival | server2 (uid: rival, eau) (ServerGroup: unix) -- | titi ,toto | -- | userx,.... | server5 (uid: eau) (ServerGroup: mail) -- \___________/ \ / -- ----- - server4 (uid: eau, rival) (no group configured) -- \ -- etc... -- --- WHAT WE NEED : -- -- * configured LDAP server somewhere on the network (i.e. 
OpenLDAP) -- * patched sshd (with this patch ;) -- * LDAP user(/group) entry (look at users.ldif (& groups.ldif)): -- User entry: -- - attached to the 'ldapPublicKey' objectclass -- - attached to the 'posixAccount' objectclass -- - with a filled 'sshPublicKey' attribute -- Example: -- dn: uid=eau,ou=users,dc=cuckoos,dc=net -- objectclass: top -- objectclass: person -- objectclass: organizationalPerson -- objectclass: posixAccount -- objectclass: ldapPublicKey -- description: Eric AUGE Account -- userPassword: blah -- cn: Eric AUGE -- sn: Eric AUGE -- uid: eau -- uidNumber: 1034 -- gidNumber: 1 -- homeDirectory: /export/home/eau -- sshPublicKey: ssh-dss AAAAB3... -- sshPublicKey: ssh-dss AAAAM5... -- -- Group entry: -- - attached to the 'posixGroup' objectclass -- - with a 'cn' groupname attribute -- - with multiple 'memberUid' attributes filled with usernames allowed in this group -- Example: -- # few members -- dn: cn=unix,ou=groups,dc=cuckoos,dc=net -- objectclass: top -- objectclass: posixGroup -- description: Unix based servers group -- cn: unix -- gidNumber: 1002 -- memberUid: eau -- memberUid: user1 -- memberUid: user2 -- -- --- HOW IT WORKS : -- -- * without patch -- If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..) -- and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled). -- -- * with the patch -- If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled. -- It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
-- (usually in $HOME/.ssh/authorized_keys) -- -- 2 tokens are added to sshd_config : -- # here is the new patched ldap related tokens -- AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper" -- AuthorizedKeysCommandRunAs nobody -- -- The LDAP configuratin is read from common /etc/ldap.conf configuration file. --There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched. -- --- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY -- -- * my way (there is plenty :) -- - create ldif file (i.e. users.ldif) -- - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub -- - my way in 4 steps : -- Example: -- -- # you add this to the user entry in the LDIF file : -- [...] -- objectclass: posixAccount -- objectclass: ldapPublicKey -- [...] -- sshPubliKey: ssh-dss AAAABDh12DDUR2... -- [...] -- -- # insert your entry and you're done :) -- ldapadd -D balblabla -w bleh < file.ldif -- -- all standard options can be present in the 'sshPublicKey' attribute. -- --- WHY : -- -- Simply because, i was looking for a way to centralize all sysadmins authentication, easily, without completely using LDAP -- as authentication method (like pam_ldap etc..). -- -- After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get -- public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser' -- objectclass within LDAP and part of the group the SSH server is in). -- -- Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase -- so each user can change it as much as he wants). -- -- Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only). 
-- --- RULES : -- Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. -- and the additionnal lpk.schema. -- -- This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication -- (pamldap, nss_ldap, etc..). -- -- This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..). -- -- Referring to schema at the beginning of this file if user 'eau' is only in group 'unix' -- 'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'. -- If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able -- to log in 'server5' (i hope you got the idea, my english is bad :). -- -- Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP -- server. -- When you want to allow a new user to have access to the server parc, you just add him an account on -- your servers, you add his public key into his entry on the LDAP server, it's done. -- -- Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys). -- -- When the user needs to change his passphrase he can do it directly from his workstation by changing -- his own key set lock passphrase, and all servers are automatically aware. -- -- With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself -- so he can add/modify/delete himself his public key when needed. -- --­ FLAWS : -- LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP -- allow write to users dn, somebody could replace someuser's public key by its own and impersonate some -- of your users in all your server farm be VERY CAREFUL. -- -- MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login -- as the impersonnated user. 
-- -- If LDAP server is down then, no fallback on passwd auth. -- -- the ldap code part has not been well audited yet. -- --- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif) -- --- CUT HERE --- -- dn: uid=jdoe,ou=users,dc=foobar,dc=net -- objectclass: top -- objectclass: person -- objectclass: organizationalPerson -- objectclass: posixAccount -- objectclass: ldapPublicKey -- description: My account -- cn: John Doe -- sn: John Doe -- uid: jdoe -- uidNumber: 100 -- gidNumber: 100 -- homeDirectory: /home/jdoe -- sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB.... -- [...] -- --- CUT HERE --- -- --- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif) -- --- CUT HERE --- -- dn: cn=unix,ou=groups,dc=cuckoos,dc=net -- objectclass: top -- objectclass: posixGroup -- description: Unix based servers group -- cn: unix -- gidNumber: 1002 -- memberUid: jdoe -- memberUid: user1 -- memberUid: user2 -- [...] -- --- CUT HERE --- -- -->> FYI: << --Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry -- --- COMPILING: -- 1. Apply the patch -- 2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes -- 3. make -- 4. it's done. -- --- BLA : -- I hope this could help, and i hope to be clear enough,, or give ideas. questions/comments/improvements are welcome. -- --- TODO : -- Possibility to reuse the ssh-ldap-helper. -- Tune the LDAP part to all possible LDAP configurations. -- --- DIFFERENCES FROM ORIGINAL lpk -- No LDAP code in sshd. -- Support for various LDAP platforms and configurations. -- LDAP is configured in separate ldap.conf file. 
-- --- DOCS/LINK : -- http://pacsec.jp/core05/psj05-barisani-en.pdf -- http://fritz.potsdam.edu/projects/openssh-lpk/ -- http://fritz.potsdam.edu/projects/sshgate/ -- http://dev.inversepath.com/trac/openssh-lpk -- http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm ) -- --- CONTRIBUTORS/IDEAS/GREETS : -- - Eric AUGE -- - Andrea Barisani -- - Falk Siemonsmeier. -- - Jacob Rief. -- - Michael Durchgraf. -- - frederic peters. -- - Finlay dobbie. -- - Stefan Fisher. -- - Robin H. Johnson. -- - Adrian Bridgett. -- --- CONTACT : -- Jan F. Chadima -- -diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap2 openssh-5.8p1/ssh-ldap-helper.8 ---- openssh-5.8p1/ssh-ldap-helper.8.ldap2 2011-03-10 21:45:53.170854817 +0100 -+++ openssh-5.8p1/ssh-ldap-helper.8 2011-03-10 21:45:53.454980272 +0100 -@@ -37,11 +37,12 @@ sshd configuration file - by setting - .Cm AuthorizedKeysCommand - to --.Dq /usr/libexec/ssh-ldap-helper -s %u . -+.Dq /usr/libexec/ssh-ldap-wrapper . - .Pp - .Nm - is not intended to be invoked by the user, but from --.Xr sshd 8 . -+.Xr sshd 8 via -+.Xr ssh-ldap-wrapper . - .Pp - The options are as follows: - .Bl -tag -width Ds diff --git a/openssh.spec b/openssh.spec index a6616e0..62627c9 100644 --- a/openssh.spec +++ b/openssh.spec 
@@ -104,20 +104,13 @@ Patch100: openssh-5.8p1-fingerprint.patch
 Patch200: openssh-5.8p1-exit.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
 Patch8: openssh-5.8p1-audit0.patch
-Patch108: openssh-5.8p1-audit0a.patch
 Patch1: openssh-5.8p1-audit1.patch
-Patch101: openssh-5.8p1-audit1a.patch
 Patch2: openssh-5.8p1-audit2.patch
-Patch102: openssh-5.8p1-audit2a.patch
 Patch3: openssh-5.8p1-audit3.patch
-Patch103: openssh-5.8p1-audit3a.patch
 Patch4: openssh-5.8p1-audit4.patch
-Patch104: openssh-5.8p1-audit4a.patch
 Patch5: openssh-5.8p1-audit5.patch
-Patch105: openssh-5.8p1-audit5a.patch
 #?
 Patch7: openssh-5.8p1-entropy.patch
-Patch107: openssh-5.8p1-entropy2.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
 Patch9: openssh-5.8p1-vendor.patch
 # --- pam_ssh-agent ---
@@ -127,7 +120,6 @@ Patch11: pam_ssh_agent_auth-0.9.2-seteuid.patch
 Patch20: openssh-5.8p1-authorized-keys-command.patch
 #?
 Patch21: openssh-5.8p1-ldap.patch
-Patch121: openssh-5.8p1-ldap2.patch
 #-mail-conf
 Patch22: openssh-5.8p1-selinux.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
@@ -169,7 +161,6 @@ Patch56: openssh-5.2p1-edns.patch
 Patch57: openssh-5.1p1-scp-manpage.patch
 #?
 Patch58: openssh-5.8p1-keycat.patch
-Patch158: openssh-5.8p1-keycat2.patch
 #http://www.sxw.org.uk/computing/patches/openssh.html
 Patch60: openssh-5.8p1-gsskex.patch
 #?
@@ -329,19 +320,12 @@ The module is most useful for su and sudo service stacks.
 %patch100 -p1 -b .fingerprint
 %patch200 -p1 -b .exit
 %patch8 -p1 -b .audit0
-%patch108 -p1 -b .audit0a
 %patch1 -p1 -b .audit1
-%patch101 -p1 -b .audit1a
 %patch2 -p1 -b .audit2
-%patch102 -p1 -b .audit2a
 %patch3 -p1 -b .audit3
-%patch103 -p1 -b .audit3a
 %patch4 -p1 -b .audit4
-%patch104 -p1 -b .audit4a
 %patch5 -p1 -b .audit5
-%patch105 -p1 -b .audit5a
 %patch7 -p1 -b .entropy
-%patch107 -p1 -b .entropy2
 %patch9 -p1 -b .vendor
 %if %{pam_ssh_agent}
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -354,7 +338,6 @@ popd
 %patch20 -p1 -b .akc
 %if %{ldap}
 %patch21 -p1 -b .ldap
-%patch121 -p1 -b .ldap2
 %endif
 %if %{WITH_SELINUX}
 #SELinux
@@ -368,6 +351,8 @@ popd
 %patch32 -p1 -b .randclean
 %patch34 -p1 -b .kuserok
 %patch35 -p1 -b .glob
+%patch36 -p1 -b .pwchange
+
 %patch50 -p1 -b .fips
 %patch51 -p1 -b .x11
 %patch52 -p1 -b .exit-deadlock
@@ -376,7 +361,6 @@ popd
 %patch56 -p1 -b .edns
 %patch57 -p1 -b .manpage
 %patch58 -p1 -b .keycat
-%patch158 -p1 -b .keycat2
 %patch60 -p1 -b .gsskex
 %patch61 -p1 -b .canohost
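Review bot: `%patch36 -p1 -b .pwchange` is applied in the @@ -368 hunk, but no matching `Patch36:` source line is added anywhere in this diff, and the only changes to the Patch list here are removals. If Patch36 is not already declared in the unchanged part of the spec, %prep fails with an undefined patch number, so the declaration is worth confirming; if it is new, declaring it in the same commit that applies it keeps the two in step. The neighbouring entries carry a short `#…` note above their Patch line, so a one-line comment saying what the .pwchange patch addresses would keep the list consistent.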