jonathan/openssh
1
0
Fork 0
forked from rpms/openssh
Code Pull Requests Activity

resolve warnings in port_linux.c

Browse Source
This commit is contained in:
Jan F 2011-04-01 09:04:38 +02:00
parent 3f220f2863
commit 1f6bdc75f1
11 changed files with 146 additions and 1010 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
openssh-5.8p1-audit0a.patch
View File

0
openssh-5.8p1-audit1a.patch
View File

0
openssh-5.8p1-audit2a.patch
View File

0
openssh-5.8p1-audit3a.patch
View File

0
openssh-5.8p1-audit4a.patch
View File

0
openssh-5.8p1-audit5a.patch
View File

0
openssh-5.8p1-entropy2.patch
View File

0
openssh-5.8p1-keycat2.patch
View File

589
openssh-5.8p1-ldap.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac
--- openssh-5.8p1/configure.ac.ldap 2011-02-28 23:21:05.000000000 +0100 --- openssh-5.8p1/configure.ac.ldap 2011-04-01 09:01:18.559688927 +0200
+++ openssh-5.8p1/configure.ac 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/configure.ac 2011-04-01 09:01:18.972717095 +0200
@@ -1434,6 +1434,106 @@ AC_ARG_WITH(authorized-keys-command, @@ -1434,6 +1434,106 @@ AC_ARG_WITH(authorized-keys-command,
] ]
) )
@ -109,26 +109,120 @@ diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac
AC_CHECK_FUNCS( \ AC_CHECK_FUNCS( \
arc4random \ arc4random \
diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
--- openssh-5.8p1/HOWTO.ldap-keys.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/HOWTO.ldap-keys.ldap 2011-04-01 09:01:19.000648742 +0200
+++ openssh-5.8p1/HOWTO.ldap-keys 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/HOWTO.ldap-keys 2011-04-01 09:01:19.564648857 +0200
@@ -0,0 +1,14 @@ @@ -0,0 +1,108 @@
+
+HOW TO START
+ +
+1) configure LDAP server +1) configure LDAP server
+2) add appropriate schema + * Use LDAP server documentation
+2) add appropriate LDAP schema
+ * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it.
+ * LDAP user entry
+ User entry:
+ - attached to the 'ldapPublicKey' objectclass
+ - attached to the 'posixAccount' objectclass
+ - with a filled 'sshPublicKey' attribute
+3) insert users into LDAP +3) insert users into LDAP
+ * Use LDAP Tree management tool as useful
+ * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
+ * Example:
+ dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
+ objectclass: top
+ objectclass: person
+ objectclass: organizationalPerson
+ objectclass: posixAccount
+ objectclass: ldapPublicKey
+ description: Jonathan Archer
+ userPassword: Porthos
+ cn: onathan Archer
+ sn: onathan Archer
+ uid: captain
+ uidNumber: 1001
+ gidNumber: 1001
+ homeDirectory: /home/captain
+ sshPublicKey: ssh-rss AAAAB3.... =captain@universe
+ sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
+4) on the ssh side set in sshd_config +4) on the ssh side set in sshd_config
+AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper" + * Set up the backend
+AuthorizedKeysCommandRunAs <appropriate user to run LDAP> + AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
+5) do not forget to set + AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
+PubkeyAuthentication yes + * Do not forget to set
+ PubkeyAuthentication yes
+ * Swith off unnecessary auth methods
+5) confugure ldap.conf
+ * Default ldap.conf is placed in /etc/ssh
+ * The configuration style is the same as other ldap based aplications
+6) if necessary edit ssh-ldap-wrapper
+ * There is a possibility to change ldap.conf location
+ * There are some debug options
+ * Example
+ /usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
+ +
+HOW TO MIGRATE FROM LPK
+ +
+To debug the ssh-ldap-helper is possible to set +1) goto HOW TO START 4) .... the ldap schema is the same
+the necessary flags in the ssh-ldap-wrapper. +
+2) convert the group requests to the appropriate LDAP requests
+
+HOW TO SOLVE PROBLEMS
+
+1) use debug in sshd
+ * /usr/sbin/sshd -d -d -d -d
+2) use debug in ssh-ldap-helper
+ * ssh-ldap-helper -d -d -d -d -s <username>
+3) use tcpdump ... other ldap client etc.
+
+ADVANTAGES
+
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
+
+DISADVANTAGES
+
+1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
+ allows write to users dn, somebody could replace some user's public key by his own and impersonate some
+ of your users in all your server farm -- be VERY CAREFUL.
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
+ as the impersonated user.
+3) If LDAP server is down there may be no fallback on passwd auth.
+
+MISC.
+
+1) todo
+ * Possibility to reuse the ssh-ldap-helper.
+ * Tune the LDAP part to accept all possible LDAP configurations.
+
+2) differences from original lpk
+ * No LDAP code in sshd.
+ * Support for various LDAP platforms and configurations.
+ * LDAP is configured in separate ldap.conf file.
+
+3) docs/link
+ * http://pacsec.jp/core05/psj05-barisani-en.pdf
+ * http://fritz.potsdam.edu/projects/openssh-lpk/
+ * http://fritz.potsdam.edu/projects/sshgate/
+ * http://dev.inversepath.com/trac/openssh-lpk
+ * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
+
+4) contributors/ideas/greets
+ - Eric AUGE <eau@phear.org>
+ - Andrea Barisani <andrea@inversepath.com>
+ - Falk Siemonsmeier.
+ - Jacob Rief.
+ - Michael Durchgraf.
+ - frederic peters.
+ - Finlay dobbie.
+ - Stefan Fisher.
+ - Robin H. Johnson.
+ - Adrian Bridgett.
+
+5) Author
+ Jan F. Chadima <jchadima@redhat.com>
+ +
diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
--- openssh-5.8p1/ldapbody.c.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/ldapbody.c.ldap 2011-04-01 09:01:19.024648747 +0200
+++ openssh-5.8p1/ldapbody.c 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/ldapbody.c 2011-04-01 09:01:19.032648722 +0200
@@ -0,0 +1,494 @@ @@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -625,8 +719,8 @@ diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
+} +}
+ +
diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h
--- openssh-5.8p1/ldapbody.h.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/ldapbody.h.ldap 2011-04-01 09:01:19.047648768 +0200
+++ openssh-5.8p1/ldapbody.h 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/ldapbody.h 2011-04-01 09:01:19.057648739 +0200
@@ -0,0 +1,37 @@ @@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -666,8 +760,8 @@ diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h
+#endif /* LDAPBODY_H */ +#endif /* LDAPBODY_H */
+ +
diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
--- openssh-5.8p1/ldapconf.c.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/ldapconf.c.ldap 2011-04-01 09:01:19.073648744 +0200
+++ openssh-5.8p1/ldapconf.c 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/ldapconf.c 2011-04-01 09:01:19.082648746 +0200
@@ -0,0 +1,682 @@ @@ -0,0 +1,682 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1352,8 +1446,8 @@ diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
+} +}
+ +
diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h
--- openssh-5.8p1/ldapconf.h.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/ldapconf.h.ldap 2011-04-01 09:01:19.097648717 +0200
+++ openssh-5.8p1/ldapconf.h 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/ldapconf.h 2011-04-01 09:01:19.107648734 +0200
@@ -0,0 +1,71 @@ @@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1427,8 +1521,8 @@ diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h
+ +
+#endif /* LDAPCONF_H */ +#endif /* LDAPCONF_H */
diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf
--- openssh-5.8p1/ldap.conf.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/ldap.conf.ldap 2011-04-01 09:01:19.122648724 +0200
+++ openssh-5.8p1/ldap.conf 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/ldap.conf 2011-04-01 09:01:19.131648759 +0200
@@ -0,0 +1,88 @@ @@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+# +#
@ -1519,9 +1613,9 @@ diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf
+#tls_key +#tls_key
+ +
diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
--- openssh-5.8p1/ldap-helper.c.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/ldap-helper.c.ldap 2011-04-01 09:01:19.145658994 +0200
+++ openssh-5.8p1/ldap-helper.c 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/ldap-helper.c 2011-04-01 09:01:19.608648889 +0200
@@ -0,0 +1,154 @@ @@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved. + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
@ -1662,6 +1756,7 @@ diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
+ if (config_single_user) { + if (config_single_user) {
+ process_user (config_single_user, outfile); + process_user (config_single_user, outfile);
+ } else { + } else {
+ usage();
+ fatal ("Not yet implemented"); + fatal ("Not yet implemented");
+/* TODO +/* TODO
+ * open unix socket a run the loop on it + * open unix socket a run the loop on it
@ -1677,8 +1772,8 @@ diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
+void buffer_put_string(Buffer *b, const void *f, u_int l) {} +void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+ +
diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h
--- openssh-5.8p1/ldap-helper.h.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/ldap-helper.h.ldap 2011-04-01 09:01:19.168648731 +0200
+++ openssh-5.8p1/ldap-helper.h 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/ldap-helper.h 2011-04-01 09:01:19.177648726 +0200
@@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1713,8 +1808,8 @@ diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h
+ +
+#endif /* LDAP_HELPER_H */ +#endif /* LDAP_HELPER_H */
diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h
--- openssh-5.8p1/ldapincludes.h.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/ldapincludes.h.ldap 2011-04-01 09:01:19.192648737 +0200
+++ openssh-5.8p1/ldapincludes.h 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/ldapincludes.h 2011-04-01 09:01:19.202648683 +0200
@@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1758,8 +1853,8 @@ diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h
+ +
+#endif /* LDAPINCLUDES_H */ +#endif /* LDAPINCLUDES_H */
diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c
--- openssh-5.8p1/ldapmisc.c.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/ldapmisc.c.ldap 2011-04-01 09:01:19.216648692 +0200
+++ openssh-5.8p1/ldapmisc.c 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/ldapmisc.c 2011-04-01 09:01:19.225648767 +0200
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+ +
+#include "ldapincludes.h" +#include "ldapincludes.h"
@ -1841,8 +1936,8 @@ diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c
+#endif +#endif
+ +
diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h
--- openssh-5.8p1/ldapmisc.h.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/ldapmisc.h.ldap 2011-04-01 09:01:19.240648724 +0200
+++ openssh-5.8p1/ldapmisc.h 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/ldapmisc.h 2011-04-01 09:01:19.249648718 +0200
@@ -0,0 +1,35 @@ @@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1880,129 +1975,9 @@ diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h
+#endif /* LDAPMISC_H */ +#endif /* LDAPMISC_H */
+ +
diff -up openssh-5.8p1/lpk-user-example.txt.ldap openssh-5.8p1/lpk-user-example.txt diff -up openssh-5.8p1/lpk-user-example.txt.ldap openssh-5.8p1/lpk-user-example.txt
--- openssh-5.8p1/lpk-user-example.txt.ldap 2011-02-28 23:21:06.000000000 +0100
+++ openssh-5.8p1/lpk-user-example.txt 2011-02-28 23:21:06.000000000 +0100
@@ -0,0 +1,117 @@
+
+Post to ML -> User Made Quick Install Doc.
+Contribution from John Lane <john@lane.uk.net>
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+OpenSSH LDAP keystore Patch
+===========================
+
+NOTE: these notes are a transcript of a specific installation
+ they work for me, your specifics may be different!
+ from John Lane March 17th 2005 john@lane.uk.net
+
+This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
+from their LDAP record as an alternative to ~/.ssh/authorized_keys.
+
+(Assuming here that necessary build stuff is in $BUILD)
+
+cd $BUILD/openssh-4.0p1
+patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
+mkdir -p /var/empty &&
+./configure --prefix=/usr --sysconfdir=/etc/ssh \
+ --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
+ --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
+Now do.
+make &&
+make install
+
+Add the following config to /etc/ssh/ssh_config
+UseLPK yes
+LpkServers ldap://myhost.mydomain.com
+LpkUserDN ou=People,dc=mydomain,dc=com
+
+We need to tell sshd about the SSL keys during boot, as root's
+environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
+Change the startup code from this:
+ echo "Starting SSH Server..."
+ loadproc /usr/sbin/sshd
+ ;;
+to this:
+ echo "Starting SSH Server..."
+ LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
+ ;;
+
+Re-start the sshd daemon:
+/etc/rc.d/init.d/sshd restart
+
+Install the additional LDAP schema
+cp $BUILD/openssh-lpk-0.2.schema /etc/openldap/schema/openssh.schema
+
+Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
+Add the following to the end of the existing block of schema includes
+include /etc/openldap/schema/openssh.schema
+
+Re-start the LDAP server:
+/etc/rc.d/init.d/slapd restart
+
+To add one or more public keys to a user, eg "testuser" :
+ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
+"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
+
+append the following to this /tmp/testuser file
+objectclass: ldapPublicKey
+sshPublicKey: ssh-rsa
+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
+qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
+7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
+
+Then do a modify:
+ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
+/tmp/testuser -Z
+Enter LDAP Password:
+modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
+And check the modify is ok:
+ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
+"uid=testuser,ou=People,dc=mydomain,dc=com"
+Enter LDAP Password:
+# extended LDIF
+#
+# LDAPv3
+# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
+# filter: (objectclass=*)
+# requesting: ALL
+#
+
+# testuser, People, mydomain.com
+dn: uid=testuser,ou=People,dc=mydomain,dc=com
+uid: testuser
+cn: testuser
+objectClass: account
+objectClass: posixAccount
+objectClass: top
+objectClass: shadowAccount
+objectClass: ldapPublicKey
+shadowLastChange: 12757
+shadowMax: 99999
+shadowWarning: 7
+loginShell: /bin/bash
+uidNumber: 9999
+gidNumber: 501
+homeDirectory: /home/testuser
+userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
+sshPublicKey: ssh-rsa
+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
+8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
+
+# search result
+search: 3
+result: 0 Success
+
+# numResponses: 2
+# numEntries: 1
+
+Now start a ssh session to user "testuser" from usual ssh client (e.g.
+puTTY). Login should succeed.
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in
--- openssh-5.8p1/Makefile.in.ldap 2011-02-28 23:21:03.000000000 +0100 --- openssh-5.8p1/Makefile.in.ldap 2011-04-01 09:01:15.209648708 +0200
+++ openssh-5.8p1/Makefile.in 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/Makefile.in 2011-04-01 09:01:19.307648329 +0200
@@ -26,6 +26,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas @@ -26,6 +26,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
SFTP_SERVER=$(libexecdir)/sftp-server SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@ -2089,8 +2064,8 @@ diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in
tests interop-tests: $(TARGETS) tests interop-tests: $(TARGETS)
diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lpk-openldap.schema diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lpk-openldap.schema
--- openssh-5.8p1/openssh-lpk-openldap.schema.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/openssh-lpk-openldap.schema.ldap 2011-04-01 09:01:19.333648708 +0200
+++ openssh-5.8p1/openssh-lpk-openldap.schema 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/openssh-lpk-openldap.schema 2011-04-01 09:01:19.343648766 +0200
@@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2114,8 +2089,8 @@ diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lp
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun.schema diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun.schema
--- openssh-5.8p1/openssh-lpk-sun.schema.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/openssh-lpk-sun.schema.ldap 2011-04-01 09:01:19.358648705 +0200
+++ openssh-5.8p1/openssh-lpk-sun.schema 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/openssh-lpk-sun.schema 2011-04-01 09:01:19.368648739 +0200
@@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2141,286 +2116,9 @@ diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk
--- openssh-5.8p1/README.lpk.ldap 2011-02-28 23:21:06.000000000 +0100
+++ openssh-5.8p1/README.lpk 2011-02-28 23:21:06.000000000 +0100
@@ -0,0 +1,274 @@
+OpenSSH LDAP PUBLIC KEY PATCH
+Copyright (c) 2003 Eric AUGE (eau@phear.org)
+All rights reserved.
+
+Rewriten by Jan F. Chadima (jchadima@redhat.com)
+Copyright (c) 2010 Red Hat, Inc.
+The new PKA-LDAP patch is rewritten from the scratch.
+LDAP schema and part of the documentation is based on original
+LPK project (http://code.google.com/p/openssh-lpk),
+copyright (c) 2003 Eric AUGE
+The new openssh configuration is different from the original LPK one.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+3. The name of the author may not be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+purposes of this patch:
+
+This patch would help to have authentication centralization policy
+using ssh public key authentication.
+This patch could be an alternative to other "secure" authentication system
+working in a similar way (Kerberos, SecurID, etc...), except the fact
+that it's based on OpenSSH and its public key abilities.
+
+>> FYI: <<
+'uid': means unix accounts existing on the current server
+'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf.
+
+example schema:
+
+
+ server1 (uid: eau,rival,toto) (ServerGroup: unix)
+ ___________ /
+ / \ --- - server3 (uid: eau, titi) (ServerGroup: unix)
+ | LDAP Server | \
+ | eau ,rival | server2 (uid: rival, eau) (ServerGroup: unix)
+ | titi ,toto |
+ | userx,.... | server5 (uid: eau) (ServerGroup: mail)
+ \___________/ \ /
+ ----- - server4 (uid: eau, rival) (no group configured)
+ \
+ etc...
+
+- WHAT WE NEED :
+
+ * configured LDAP server somewhere on the network (i.e. OpenLDAP)
+ * patched sshd (with this patch ;)
+ * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
+ User entry:
+ - attached to the 'ldapPublicKey' objectclass
+ - attached to the 'posixAccount' objectclass
+ - with a filled 'sshPublicKey' attribute
+ Example:
+ dn: uid=eau,ou=users,dc=cuckoos,dc=net
+ objectclass: top
+ objectclass: person
+ objectclass: organizationalPerson
+ objectclass: posixAccount
+ objectclass: ldapPublicKey
+ description: Eric AUGE Account
+ userPassword: blah
+ cn: Eric AUGE
+ sn: Eric AUGE
+ uid: eau
+ uidNumber: 1034
+ gidNumber: 1
+ homeDirectory: /export/home/eau
+ sshPublicKey: ssh-dss AAAAB3...
+ sshPublicKey: ssh-dss AAAAM5...
+
+ Group entry:
+ - attached to the 'posixGroup' objectclass
+ - with a 'cn' groupname attribute
+ - with multiple 'memberUid' attributes filled with usernames allowed in this group
+ Example:
+ # few members
+ dn: cn=unix,ou=groups,dc=cuckoos,dc=net
+ objectclass: top
+ objectclass: posixGroup
+ description: Unix based servers group
+ cn: unix
+ gidNumber: 1002
+ memberUid: eau
+ memberUid: user1
+ memberUid: user2
+
+
+- HOW IT WORKS :
+
+ * without patch
+ If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
+ and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
+
+ * with the patch
+ If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
+ It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem.
+ (usually in $HOME/.ssh/authorized_keys)
+
+ 2 tokens are added to sshd_config :
+ # here is the new patched ldap related tokens
+ AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
+ AuthorizedKeysCommandRunAs nobody
+
+ The LDAP configuratin is read from common /etc/ldap.conf configuration file.
+There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched.
+
+- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
+
+ * my way (there is plenty :)
+ - create ldif file (i.e. users.ldif)
+ - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
+ - my way in 4 steps :
+ Example:
+
+ # you add this to the user entry in the LDIF file :
+ [...]
+ objectclass: posixAccount
+ objectclass: ldapPublicKey
+ [...]
+ sshPubliKey: ssh-dss AAAABDh12DDUR2...
+ [...]
+
+ # insert your entry and you're done :)
+ ldapadd -D balblabla -w bleh < file.ldif
+
+ all standard options can be present in the 'sshPublicKey' attribute.
+
+- WHY :
+
+ Simply because, i was looking for a way to centralize all sysadmins authentication, easily, without completely using LDAP
+ as authentication method (like pam_ldap etc..).
+
+ After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get
+ public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
+ objectclass within LDAP and part of the group the SSH server is in).
+
+ Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase
+ so each user can change it as much as he wants).
+
+ Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
+
+- RULES :
+ Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema.
+ and the additionnal lpk.schema.
+
+ This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication
+ (pamldap, nss_ldap, etc..).
+
+ This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
+
+ Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
+ 'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
+ If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
+ to log in 'server5' (i hope you got the idea, my english is bad :).
+
+ Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
+ server.
+ When you want to allow a new user to have access to the server parc, you just add him an account on
+ your servers, you add his public key into his entry on the LDAP server, it's done.
+
+ Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
+
+ When the user needs to change his passphrase he can do it directly from his workstation by changing
+ his own key set lock passphrase, and all servers are automatically aware.
+
+ With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
+ so he can add/modify/delete himself his public key when needed.
+
+­ FLAWS :
+ LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
+ allow write to users dn, somebody could replace someuser's public key by its own and impersonate some
+ of your users in all your server farm be VERY CAREFUL.
+
+ MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
+ as the impersonnated user.
+
+ If LDAP server is down then, no fallback on passwd auth.
+
+ the ldap code part has not been well audited yet.
+
+- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
+ --- CUT HERE ---
+ dn: uid=jdoe,ou=users,dc=foobar,dc=net
+ objectclass: top
+ objectclass: person
+ objectclass: organizationalPerson
+ objectclass: posixAccount
+ objectclass: ldapPublicKey
+ description: My account
+ cn: John Doe
+ sn: John Doe
+ uid: jdoe
+ uidNumber: 100
+ gidNumber: 100
+ homeDirectory: /home/jdoe
+ sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
+ [...]
+ --- CUT HERE ---
+
+- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
+ --- CUT HERE ---
+ dn: cn=unix,ou=groups,dc=cuckoos,dc=net
+ objectclass: top
+ objectclass: posixGroup
+ description: Unix based servers group
+ cn: unix
+ gidNumber: 1002
+ memberUid: jdoe
+ memberUid: user1
+ memberUid: user2
+ [...]
+ --- CUT HERE ---
+
+>> FYI: <<
+Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
+
+- COMPILING:
+ 1. Apply the patch
+ 2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
+ 3. make
+ 4. it's done.
+
+- BLA :
+ I hope this could help, and i hope to be clear enough,, or give ideas. questions/comments/improvements are welcome.
+
+- TODO :
+ Possibility to reuse the ssh-ldap-helper.
+ Tune the LDAP part to all possible LDAP configurations.
+
+- DIFFERENCES FROM ORIGINAL lpk
+ No LDAP code in sshd.
+ Support for various LDAP platforms and configurations.
+ LDAP is configured in separate ldap.conf file.
+
+- DOCS/LINK :
+ http://pacsec.jp/core05/psj05-barisani-en.pdf
+ http://fritz.potsdam.edu/projects/openssh-lpk/
+ http://fritz.potsdam.edu/projects/sshgate/
+ http://dev.inversepath.com/trac/openssh-lpk
+ http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
+
+- CONTRIBUTORS/IDEAS/GREETS :
+ - Eric AUGE <eau@phear.org>
+ - Andrea Barisani <andrea@inversepath.com>
+ - Falk Siemonsmeier.
+ - Jacob Rief.
+ - Michael Durchgraf.
+ - frederic peters.
+ - Finlay dobbie.
+ - Stefan Fisher.
+ - Robin H. Johnson.
+ - Adrian Bridgett.
+
+- CONTACT :
+ Jan F. Chadima <jchadima@redhat.com>
+
diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5 diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
--- openssh-5.8p1/ssh-ldap.conf.5.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/ssh-ldap.conf.5.ldap 2011-04-01 09:01:19.408648714 +0200
+++ openssh-5.8p1/ssh-ldap.conf.5 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/ssh-ldap.conf.5 2011-04-01 09:01:19.418648733 +0200
@@ -0,0 +1,373 @@ @@ -0,0 +1,373 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"
@ -2796,9 +2494,9 @@ diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
+.Sh AUTHORS +.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com +.An Jan F. Chadima Aq jchadima@redhat.com
diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8 diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
--- openssh-5.8p1/ssh-ldap-helper.8.ldap 2011-02-28 23:21:06.000000000 +0100 --- openssh-5.8p1/ssh-ldap-helper.8.ldap 2011-04-01 09:01:19.432648735 +0200
+++ openssh-5.8p1/ssh-ldap-helper.8 2011-02-28 23:21:06.000000000 +0100 +++ openssh-5.8p1/ssh-ldap-helper.8 2011-04-01 09:01:19.709648247 +0200
@@ -0,0 +1,78 @@ @@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"
+.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved. +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
@ -2838,11 +2536,12 @@ diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
+by setting +by setting
+.Cm AuthorizedKeysCommand +.Cm AuthorizedKeysCommand
+to +to
+.Dq /usr/libexec/ssh-ldap-helper -s %u . +.Dq /usr/libexec/ssh-ldap-wrapper .
+.Pp +.Pp
+.Nm +.Nm
+is not intended to be invoked by the user, but from +is not intended to be invoked by the user, but from
+.Xr sshd 8 . +.Xr sshd 8 via
+.Xr ssh-ldap-wrapper .
+.Pp +.Pp
+The options are as follows: +The options are as follows:
+.Bl -tag -width Ds +.Bl -tag -width Ds
@ -2878,8 +2577,8 @@ diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
+.Sh AUTHORS +.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com +.An Jan F. Chadima Aq jchadima@redhat.com
diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap openssh-5.8p1/ssh-ldap-wrapper diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap openssh-5.8p1/ssh-ldap-wrapper
--- openssh-5.8p1/ssh-ldap-wrapper.ldap 2011-02-28 23:21:07.000000000 +0100 --- openssh-5.8p1/ssh-ldap-wrapper.ldap 2011-04-01 09:01:19.456648676 +0200
+++ openssh-5.8p1/ssh-ldap-wrapper 2011-02-28 23:21:07.000000000 +0100 +++ openssh-5.8p1/ssh-ldap-wrapper 2011-04-01 09:01:19.464648753 +0200
@@ -0,0 +1,4 @@ @@ -0,0 +1,4 @@
+#!/bin/sh +#!/bin/sh
+ +

547
openssh-5.8p1-ldap2.patch
View File

@ -1,547 +0,0 @@
diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys
--- openssh-5.8p1/HOWTO.ldap-keys.ldap2 2011-03-10 21:45:52.706855323 +0100
+++ openssh-5.8p1/HOWTO.ldap-keys 2011-03-10 19:35:50.000000000 +0100
@@ -1,14 +1,108 @@
+HOW TO START
+
1) configure LDAP server
-2) add appropriate schema
+ * Use LDAP server documentation
+2) add appropriate LDAP schema
+ * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it.
+ * LDAP user entry
+ User entry:
+ - attached to the 'ldapPublicKey' objectclass
+ - attached to the 'posixAccount' objectclass
+ - with a filled 'sshPublicKey' attribute
3) insert users into LDAP
+ * Use LDAP Tree management tool as useful
+ * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
+ * Example:
+ dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
+ objectclass: top
+ objectclass: person
+ objectclass: organizationalPerson
+ objectclass: posixAccount
+ objectclass: ldapPublicKey
+ description: Jonathan Archer
+ userPassword: Porthos
+ cn: onathan Archer
+ sn: onathan Archer
+ uid: captain
+ uidNumber: 1001
+ gidNumber: 1001
+ homeDirectory: /home/captain
+ sshPublicKey: ssh-rss AAAAB3.... =captain@universe
+ sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
4) on the ssh side set in sshd_config
-AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
-AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
-5) do not forget to set
-PubkeyAuthentication yes
+ * Set up the backend
+ AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
+ AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
+ * Do not forget to set
+ PubkeyAuthentication yes
+ * Swith off unnecessary auth methods
+5) confugure ldap.conf
+ * Default ldap.conf is placed in /etc/ssh
+ * The configuration style is the same as other ldap based aplications
+6) if necessary edit ssh-ldap-wrapper
+ * There is a possibility to change ldap.conf location
+ * There are some debug options
+ * Example
+ /usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
+
+HOW TO MIGRATE FROM LPK
+
+1) goto HOW TO START 4) .... the ldap schema is the same
+
+2) convert the group requests to the appropriate LDAP requests
+
+HOW TO SOLVE PROBLEMS
+
+1) use debug in sshd
+ * /usr/sbin/sshd -d -d -d -d
+2) use debug in ssh-ldap-helper
+ * ssh-ldap-helper -d -d -d -d -s <username>
+3) use tcpdump ... other ldap client etc.
+
+ADVANTAGES
+
+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
+
+DISADVANTAGES
+
+1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
+ allows write to users dn, somebody could replace some user's public key by his own and impersonate some
+ of your users in all your server farm -- be VERY CAREFUL.
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
+ as the impersonated user.
+3) If LDAP server is down there may be no fallback on passwd auth.
+
+MISC.
+
+1) todo
+ * Possibility to reuse the ssh-ldap-helper.
+ * Tune the LDAP part to accept all possible LDAP configurations.
+
+2) differences from original lpk
+ * No LDAP code in sshd.
+ * Support for various LDAP platforms and configurations.
+ * LDAP is configured in separate ldap.conf file.
+
+3) docs/link
+ * http://pacsec.jp/core05/psj05-barisani-en.pdf
+ * http://fritz.potsdam.edu/projects/openssh-lpk/
+ * http://fritz.potsdam.edu/projects/sshgate/
+ * http://dev.inversepath.com/trac/openssh-lpk
+ * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
+4) contributors/ideas/greets
+ - Eric AUGE <eau@phear.org>
+ - Andrea Barisani <andrea@inversepath.com>
+ - Falk Siemonsmeier.
+ - Jacob Rief.
+ - Michael Durchgraf.
+ - frederic peters.
+ - Finlay dobbie.
+ - Stefan Fisher.
+ - Robin H. Johnson.
+ - Adrian Bridgett.
-To debug the ssh-ldap-helper is possible to set
-the necessary flags in the ssh-ldap-wrapper.
+5) Author
+ Jan F. Chadima <jchadima@redhat.com>
diff -up openssh-5.8p1/ldap-helper.c.ldap2 openssh-5.8p1/ldap-helper.c
--- openssh-5.8p1/ldap-helper.c.ldap2 2011-03-10 21:45:52.872854838 +0100
+++ openssh-5.8p1/ldap-helper.c 2011-03-10 21:45:53.342855061 +0100
@@ -138,6 +138,7 @@ main(int ac, char **av)
if (config_single_user) {
process_user (config_single_user, outfile);
} else {
+ usage();
fatal ("Not yet implemented");
/* TODO
* open unix socket a run the loop on it
diff -up openssh-5.8p1/lpk-user-example.txt.ldap2 openssh-5.8p1/lpk-user-example.txt
--- openssh-5.8p1/lpk-user-example.txt.ldap2 2011-03-10 21:45:52.986980339 +0100
+++ openssh-5.8p1/lpk-user-example.txt 2011-03-10 21:45:53.379854929 +0100
@@ -1,117 +0,0 @@
-
-Post to ML -> User Made Quick Install Doc.
-Contribution from John Lane <john@lane.uk.net>
-
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-
-OpenSSH LDAP keystore Patch
-===========================
-
-NOTE: these notes are a transcript of a specific installation
- they work for me, your specifics may be different!
- from John Lane March 17th 2005 john@lane.uk.net
-
-This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
-from their LDAP record as an alternative to ~/.ssh/authorized_keys.
-
-(Assuming here that necessary build stuff is in $BUILD)
-
-cd $BUILD/openssh-4.0p1
-patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
-mkdir -p /var/empty &&
-./configure --prefix=/usr --sysconfdir=/etc/ssh \
- --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
- --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
-Now do.
-make &&
-make install
-
-Add the following config to /etc/ssh/ssh_config
-UseLPK yes
-LpkServers ldap://myhost.mydomain.com
-LpkUserDN ou=People,dc=mydomain,dc=com
-
-We need to tell sshd about the SSL keys during boot, as root's
-environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
-Change the startup code from this:
- echo "Starting SSH Server..."
- loadproc /usr/sbin/sshd
- ;;
-to this:
- echo "Starting SSH Server..."
- LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
- ;;
-
-Re-start the sshd daemon:
-/etc/rc.d/init.d/sshd restart
-
-Install the additional LDAP schema
-cp $BUILD/openssh-lpk-0.2.schema /etc/openldap/schema/openssh.schema
-
-Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
-Add the following to the end of the existing block of schema includes
-include /etc/openldap/schema/openssh.schema
-
-Re-start the LDAP server:
-/etc/rc.d/init.d/slapd restart
-
-To add one or more public keys to a user, eg "testuser" :
-ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
-"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
-
-append the following to this /tmp/testuser file
-objectclass: ldapPublicKey
-sshPublicKey: ssh-rsa
-AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
-qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
-7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
-
-Then do a modify:
-ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
-/tmp/testuser -Z
-Enter LDAP Password:
-modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
-And check the modify is ok:
-ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
-"uid=testuser,ou=People,dc=mydomain,dc=com"
-Enter LDAP Password:
-# extended LDIF
-#
-# LDAPv3
-# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
-# filter: (objectclass=*)
-# requesting: ALL
-#
-
-# testuser, People, mydomain.com
-dn: uid=testuser,ou=People,dc=mydomain,dc=com
-uid: testuser
-cn: testuser
-objectClass: account
-objectClass: posixAccount
-objectClass: top
-objectClass: shadowAccount
-objectClass: ldapPublicKey
-shadowLastChange: 12757
-shadowMax: 99999
-shadowWarning: 7
-loginShell: /bin/bash
-uidNumber: 9999
-gidNumber: 501
-homeDirectory: /home/testuser
-userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
-sshPublicKey: ssh-rsa
-AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
-8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
-
-# search result
-search: 3
-result: 0 Success
-
-# numResponses: 2
-# numEntries: 1
-
-Now start a ssh session to user "testuser" from usual ssh client (e.g.
-puTTY). Login should succeed.
-
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff -up openssh-5.8p1/README.lpk.ldap2 openssh-5.8p1/README.lpk
--- openssh-5.8p1/README.lpk.ldap2 2011-03-10 21:45:53.112979980 +0100
+++ openssh-5.8p1/README.lpk 2011-03-10 21:45:53.416856007 +0100
@@ -1,274 +0,0 @@
-OpenSSH LDAP PUBLIC KEY PATCH
-Copyright (c) 2003 Eric AUGE (eau@phear.org)
-All rights reserved.
-
-Rewriten by Jan F. Chadima (jchadima@redhat.com)
-Copyright (c) 2010 Red Hat, Inc.
-The new PKA-LDAP patch is rewritten from the scratch.
-LDAP schema and part of the documentation is based on original
-LPK project (http://code.google.com/p/openssh-lpk),
-copyright (c) 2003 Eric AUGE
-The new openssh configuration is different from the original LPK one.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. The name of the author may not be used to endorse or promote products
- derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-purposes of this patch:
-
-This patch would help to have authentication centralization policy
-using ssh public key authentication.
-This patch could be an alternative to other "secure" authentication system
-working in a similar way (Kerberos, SecurID, etc...), except the fact
-that it's based on OpenSSH and its public key abilities.
-
->> FYI: <<
-'uid': means unix accounts existing on the current server
-'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf.
-
-example schema:
-
-
- server1 (uid: eau,rival,toto) (ServerGroup: unix)
- ___________ /
- / \ --- - server3 (uid: eau, titi) (ServerGroup: unix)
- | LDAP Server | \
- | eau ,rival | server2 (uid: rival, eau) (ServerGroup: unix)
- | titi ,toto |
- | userx,.... | server5 (uid: eau) (ServerGroup: mail)
- \___________/ \ /
- ----- - server4 (uid: eau, rival) (no group configured)
- \
- etc...
-
-- WHAT WE NEED :
-
- * configured LDAP server somewhere on the network (i.e. OpenLDAP)
- * patched sshd (with this patch ;)
- * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
- User entry:
- - attached to the 'ldapPublicKey' objectclass
- - attached to the 'posixAccount' objectclass
- - with a filled 'sshPublicKey' attribute
- Example:
- dn: uid=eau,ou=users,dc=cuckoos,dc=net
- objectclass: top
- objectclass: person
- objectclass: organizationalPerson
- objectclass: posixAccount
- objectclass: ldapPublicKey
- description: Eric AUGE Account
- userPassword: blah
- cn: Eric AUGE
- sn: Eric AUGE
- uid: eau
- uidNumber: 1034
- gidNumber: 1
- homeDirectory: /export/home/eau
- sshPublicKey: ssh-dss AAAAB3...
- sshPublicKey: ssh-dss AAAAM5...
-
- Group entry:
- - attached to the 'posixGroup' objectclass
- - with a 'cn' groupname attribute
- - with multiple 'memberUid' attributes filled with usernames allowed in this group
- Example:
- # few members
- dn: cn=unix,ou=groups,dc=cuckoos,dc=net
- objectclass: top
- objectclass: posixGroup
- description: Unix based servers group
- cn: unix
- gidNumber: 1002
- memberUid: eau
- memberUid: user1
- memberUid: user2
-
-
-- HOW IT WORKS :
-
- * without patch
- If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
- and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
-
- * with the patch
- If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
- It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem.
- (usually in $HOME/.ssh/authorized_keys)
-
- 2 tokens are added to sshd_config :
- # here is the new patched ldap related tokens
- AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
- AuthorizedKeysCommandRunAs nobody
-
- The LDAP configuratin is read from common /etc/ldap.conf configuration file.
-There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched.
-
-- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
-
- * my way (there is plenty :)
- - create ldif file (i.e. users.ldif)
- - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
- - my way in 4 steps :
- Example:
-
- # you add this to the user entry in the LDIF file :
- [...]
- objectclass: posixAccount
- objectclass: ldapPublicKey
- [...]
- sshPubliKey: ssh-dss AAAABDh12DDUR2...
- [...]
-
- # insert your entry and you're done :)
- ldapadd -D balblabla -w bleh < file.ldif
-
- all standard options can be present in the 'sshPublicKey' attribute.
-
-- WHY :
-
- Simply because, i was looking for a way to centralize all sysadmins authentication, easily, without completely using LDAP
- as authentication method (like pam_ldap etc..).
-
- After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get
- public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
- objectclass within LDAP and part of the group the SSH server is in).
-
- Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase
- so each user can change it as much as he wants).
-
- Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
-
-- RULES :
- Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema.
- and the additionnal lpk.schema.
-
- This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication
- (pamldap, nss_ldap, etc..).
-
- This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
-
- Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
- 'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
- If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
- to log in 'server5' (i hope you got the idea, my english is bad :).
-
- Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
- server.
- When you want to allow a new user to have access to the server parc, you just add him an account on
- your servers, you add his public key into his entry on the LDAP server, it's done.
-
- Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
-
- When the user needs to change his passphrase he can do it directly from his workstation by changing
- his own key set lock passphrase, and all servers are automatically aware.
-
- With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
- so he can add/modify/delete himself his public key when needed.
-
-­ FLAWS :
- LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
- allow write to users dn, somebody could replace someuser's public key by its own and impersonate some
- of your users in all your server farm be VERY CAREFUL.
-
- MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
- as the impersonnated user.
-
- If LDAP server is down then, no fallback on passwd auth.
-
- the ldap code part has not been well audited yet.
-
-- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
- --- CUT HERE ---
- dn: uid=jdoe,ou=users,dc=foobar,dc=net
- objectclass: top
- objectclass: person
- objectclass: organizationalPerson
- objectclass: posixAccount
- objectclass: ldapPublicKey
- description: My account
- cn: John Doe
- sn: John Doe
- uid: jdoe
- uidNumber: 100
- gidNumber: 100
- homeDirectory: /home/jdoe
- sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
- [...]
- --- CUT HERE ---
-
-- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
- --- CUT HERE ---
- dn: cn=unix,ou=groups,dc=cuckoos,dc=net
- objectclass: top
- objectclass: posixGroup
- description: Unix based servers group
- cn: unix
- gidNumber: 1002
- memberUid: jdoe
- memberUid: user1
- memberUid: user2
- [...]
- --- CUT HERE ---
-
->> FYI: <<
-Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
-
-- COMPILING:
- 1. Apply the patch
- 2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
- 3. make
- 4. it's done.
-
-- BLA :
- I hope this could help, and i hope to be clear enough,, or give ideas. questions/comments/improvements are welcome.
-
-- TODO :
- Possibility to reuse the ssh-ldap-helper.
- Tune the LDAP part to all possible LDAP configurations.
-
-- DIFFERENCES FROM ORIGINAL lpk
- No LDAP code in sshd.
- Support for various LDAP platforms and configurations.
- LDAP is configured in separate ldap.conf file.
-
-- DOCS/LINK :
- http://pacsec.jp/core05/psj05-barisani-en.pdf
- http://fritz.potsdam.edu/projects/openssh-lpk/
- http://fritz.potsdam.edu/projects/sshgate/
- http://dev.inversepath.com/trac/openssh-lpk
- http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
-
-- CONTRIBUTORS/IDEAS/GREETS :
- - Eric AUGE <eau@phear.org>
- - Andrea Barisani <andrea@inversepath.com>
- - Falk Siemonsmeier.
- - Jacob Rief.
- - Michael Durchgraf.
- - frederic peters.
- - Finlay dobbie.
- - Stefan Fisher.
- - Robin H. Johnson.
- - Adrian Bridgett.
-
-- CONTACT :
- Jan F. Chadima <jchadima@redhat.com>
-
diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap2 openssh-5.8p1/ssh-ldap-helper.8
--- openssh-5.8p1/ssh-ldap-helper.8.ldap2 2011-03-10 21:45:53.170854817 +0100
+++ openssh-5.8p1/ssh-ldap-helper.8 2011-03-10 21:45:53.454980272 +0100
@@ -37,11 +37,12 @@ sshd configuration file
by setting
.Cm AuthorizedKeysCommand
to
-.Dq /usr/libexec/ssh-ldap-helper -s %u .
+.Dq /usr/libexec/ssh-ldap-wrapper .
.Pp
.Nm
is not intended to be invoked by the user, but from
-.Xr sshd 8 .
+.Xr sshd 8 via
+.Xr ssh-ldap-wrapper .
.Pp
The options are as follows:
.Bl -tag -width Ds

20
openssh.spec
View File

@ -104,20 +104,13 @@ Patch100: openssh-5.8p1-fingerprint.patch
Patch200: openssh-5.8p1-exit.patch Patch200: openssh-5.8p1-exit.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch8: openssh-5.8p1-audit0.patch Patch8: openssh-5.8p1-audit0.patch
Patch108: openssh-5.8p1-audit0a.patch
Patch1: openssh-5.8p1-audit1.patch Patch1: openssh-5.8p1-audit1.patch
Patch101: openssh-5.8p1-audit1a.patch
Patch2: openssh-5.8p1-audit2.patch Patch2: openssh-5.8p1-audit2.patch
Patch102: openssh-5.8p1-audit2a.patch
Patch3: openssh-5.8p1-audit3.patch Patch3: openssh-5.8p1-audit3.patch
Patch103: openssh-5.8p1-audit3a.patch
Patch4: openssh-5.8p1-audit4.patch Patch4: openssh-5.8p1-audit4.patch
Patch104: openssh-5.8p1-audit4a.patch
Patch5: openssh-5.8p1-audit5.patch Patch5: openssh-5.8p1-audit5.patch
Patch105: openssh-5.8p1-audit5a.patch
#? #?
Patch7: openssh-5.8p1-entropy.patch Patch7: openssh-5.8p1-entropy.patch
Patch107: openssh-5.8p1-entropy2.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
Patch9: openssh-5.8p1-vendor.patch Patch9: openssh-5.8p1-vendor.patch
# --- pam_ssh-agent --- # --- pam_ssh-agent ---
@ -127,7 +120,6 @@ Patch11: pam_ssh_agent_auth-0.9.2-seteuid.patch
Patch20: openssh-5.8p1-authorized-keys-command.patch Patch20: openssh-5.8p1-authorized-keys-command.patch
#? #?
Patch21: openssh-5.8p1-ldap.patch Patch21: openssh-5.8p1-ldap.patch
Patch121: openssh-5.8p1-ldap2.patch
#-mail-conf #-mail-conf
Patch22: openssh-5.8p1-selinux.patch Patch22: openssh-5.8p1-selinux.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
@ -169,7 +161,6 @@ Patch56: openssh-5.2p1-edns.patch
Patch57: openssh-5.1p1-scp-manpage.patch Patch57: openssh-5.1p1-scp-manpage.patch
#? #?
Patch58: openssh-5.8p1-keycat.patch Patch58: openssh-5.8p1-keycat.patch
Patch158: openssh-5.8p1-keycat2.patch
#http://www.sxw.org.uk/computing/patches/openssh.html #http://www.sxw.org.uk/computing/patches/openssh.html
Patch60: openssh-5.8p1-gsskex.patch Patch60: openssh-5.8p1-gsskex.patch
#? #?
@ -329,19 +320,12 @@ The module is most useful for su and sudo service stacks.
%patch100 -p1 -b .fingerprint %patch100 -p1 -b .fingerprint
%patch200 -p1 -b .exit %patch200 -p1 -b .exit
%patch8 -p1 -b .audit0 %patch8 -p1 -b .audit0
%patch108 -p1 -b .audit0a
%patch1 -p1 -b .audit1 %patch1 -p1 -b .audit1
%patch101 -p1 -b .audit1a
%patch2 -p1 -b .audit2 %patch2 -p1 -b .audit2
%patch102 -p1 -b .audit2a
%patch3 -p1 -b .audit3 %patch3 -p1 -b .audit3
%patch103 -p1 -b .audit3a
%patch4 -p1 -b .audit4 %patch4 -p1 -b .audit4
%patch104 -p1 -b .audit4a
%patch5 -p1 -b .audit5 %patch5 -p1 -b .audit5
%patch105 -p1 -b .audit5a
%patch7 -p1 -b .entropy %patch7 -p1 -b .entropy
%patch107 -p1 -b .entropy2
%patch9 -p1 -b .vendor %patch9 -p1 -b .vendor
%if %{pam_ssh_agent} %if %{pam_ssh_agent}
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -354,7 +338,6 @@ popd
%patch20 -p1 -b .akc %patch20 -p1 -b .akc
%if %{ldap} %if %{ldap}
%patch21 -p1 -b .ldap %patch21 -p1 -b .ldap
%patch121 -p1 -b .ldap2
%endif %endif
%if %{WITH_SELINUX} %if %{WITH_SELINUX}
#SELinux #SELinux
@ -368,6 +351,8 @@ popd
%patch32 -p1 -b .randclean %patch32 -p1 -b .randclean
%patch34 -p1 -b .kuserok %patch34 -p1 -b .kuserok
%patch35 -p1 -b .glob %patch35 -p1 -b .glob
%patch36 -p1 -b .pwchange
%patch50 -p1 -b .fips %patch50 -p1 -b .fips
%patch51 -p1 -b .x11 %patch51 -p1 -b .x11
%patch52 -p1 -b .exit-deadlock %patch52 -p1 -b .exit-deadlock
@ -376,7 +361,6 @@ popd
%patch56 -p1 -b .edns %patch56 -p1 -b .edns
%patch57 -p1 -b .manpage %patch57 -p1 -b .manpage
%patch58 -p1 -b .keycat %patch58 -p1 -b .keycat
%patch158 -p1 -b .keycat2
%patch60 -p1 -b .gsskex %patch60 -p1 -b .gsskex
%patch61 -p1 -b .canohost %patch61 -p1 -b .canohost