From b934981de5f26e0e430796422dc6a7307449cc7e Mon Sep 17 00:00:00 2001 From: Jan F Date: Fri, 25 Feb 2011 12:07:01 +0100 Subject: [PATCH] reenable auth-keys ldap backend --- ...6p1-ldap.patch => openssh-5.8p1-ldap.patch | 0 openssh-5.8p1-ldap2.patch | 57 +++++++++++++++++++ openssh.spec | 12 +++- 3 files changed, 66 insertions(+), 3 deletions(-) rename openssh-5.6p1-ldap.patch => openssh-5.8p1-ldap.patch (100%) create mode 100644 openssh-5.8p1-ldap2.patch diff --git a/openssh-5.6p1-ldap.patch b/openssh-5.8p1-ldap.patch similarity index 100% rename from openssh-5.6p1-ldap.patch rename to openssh-5.8p1-ldap.patch diff --git a/openssh-5.8p1-ldap2.patch b/openssh-5.8p1-ldap2.patch new file mode 100644 index 0000000..416c93e --- /dev/null +++ b/openssh-5.8p1-ldap2.patch 
@@ -0,0 +1,57 @@ +diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys +--- openssh-5.8p1/HOWTO.ldap-keys.ldap2 2011-02-25 11:48:59.000000000 +0100 ++++ openssh-5.8p1/HOWTO.ldap-keys 2011-02-25 11:48:59.000000000 +0100 +@@ -0,0 +1,14 @@ ++ ++1) configure LDAP server ++2) add appropriate schema ++3) insert users into LDAP ++4) on the ssh side set in sshd_config ++AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper ++AuthorizedKeysCommandRunAs ++5) do not forget to set ++PubkeyAuthentication yes ++ ++ ++To debug the ssh-ldap-helper is possible to set ++the necessary flags in the ssh-ldap-wrapper. ++ +diff -up openssh-5.8p1/ldap-helper.c.ldap2 openssh-5.8p1/ldap-helper.c +--- openssh-5.8p1/ldap-helper.c.ldap2 2011-02-25 11:48:59.000000000 +0100 ++++ openssh-5.8p1/ldap-helper.c 2011-02-25 11:48:59.000000000 +0100 +@@ -51,7 +51,7 @@ usage(void) + fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n"); + fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n"); + fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n"); +- fprintf(stderr, " -w Warn on unknown commands int the config file.\n"); ++ fprintf(stderr, " -w Warn on unknown commands in the config file.\n"); + exit(1); + } + +diff -up openssh-5.8p1/Makefile.in.ldap2 openssh-5.8p1/Makefile.in +--- openssh-5.8p1/Makefile.in.ldap2 2011-02-25 11:48:59.000000000 +0100 ++++ openssh-5.8p1/Makefile.in 2011-02-25 11:55:59.000000000 +0100 +@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server + SSH_KEYSIGN=$(libexecdir)/ssh-keysign + SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper ++SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper + RAND_HELPER=$(libexecdir)/ssh-rand-helper + PRIVSEP_PATH=@PRIVSEP_PATH@ + SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ +@@ -277,6 +278,7 @@ install-files: + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) 
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
++ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+ fi
+ $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap2 openssh-5.8p1/ssh-ldap-wrapper
+--- openssh-5.8p1/ssh-ldap-wrapper.ldap2 2011-02-25 11:48:59.000000000 +0100
++++ openssh-5.8p1/ssh-ldap-wrapper 2011-02-25 11:48:59.000000000 +0100
+@@ -0,0 +1,4 @@
++#!/bin/sh
++
++exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
++
diff --git a/openssh.spec b/openssh.spec
index ec0b24a..1d2e5b9 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p1
-%define openssh_rel 9
+%define openssh_rel 10
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 30
@@ -115,7 +115,8 @@ Patch10: pam_ssh_agent_auth-0.9-build.patch
 Patch11: pam_ssh_agent_auth-0.9.2-seteuid.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1663
 Patch20: openssh-5.8p1-authorized-keys-command.patch
-Patch21: openssh-5.6p1-ldap.patch
+Patch21: openssh-5.8p1-ldap.patch
+Patch121: openssh-5.8p1-ldap2.patch
 #?mail-conf
 Patch22: openssh-5.8p1-selinux.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641
@@ -314,6 +315,7 @@ popd
 %patch20 -p1 -b .akc
 %if %{ldap}
 %patch21 -p1 -b .ldap
+%patch121 -p1 -b .ldap2
 %endif
 %if %{WITH_SELINUX}
 #SELinux
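Review bot: The new ssh-ldap-wrapper hard-codes `exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"` while the Makefile.in hunk in the same patch installs both programs relative to `$(libexecdir)` through `SSH_LDAP_HELPER` and `SSH_LDAP_WRAPPER`, so any build with a different libexecdir ships a wrapper that points at a helper which is not there. Generating the script from an `ssh-ldap-wrapper.in` with the directory substituted by configure, or at least stating the fixed path in HOWTO.ldap-keys, keeps the two in step. The HOWTO also shows `AuthorizedKeysCommandRunAs` with no value; if that directive selects the account sshd runs the command as (it comes from the authorized-keys-command patch, which is not visible here), the example should name a dedicated unprivileged user so that the helper, and whatever bind settings it reads from /etc/ssh/ldap.conf, are not handled as root. The quoted `"$1"` in the wrapper is the right way to pass the user name on; keep it quoted if flags are added to that line.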
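Review bot: `Patch121: openssh-5.8p1-ldap2.patch` breaks the contiguous Patch2x numbering used around it (Patch20, Patch21, Patch22), which makes the patch list harder to scan and to keep in order with the `%patch` section. A free number in the sequence, or a one-line comment above it explaining why 121 was chosen, would help; the matching `%patch121 -p1 -b .ldap2` line in the later hunk would change with it.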
@@ -596,8 +598,9 @@ fi
 %if %{ldap}
 %files ldap
 %defattr(-,root,root)
-%doc README.lpk lpk-user-example.txt openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
+%doc HOWTO.ldap-keys README.lpk lpk-user-example.txt openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
 %attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
 %attr(0644,root,root) %{_mandir}/man5/ssh-ldap.conf.5*
 %endif
@@ -619,6 +622,9 @@ fi
 %endif
 %changelog
+* Fri Feb 25 2011 Jan F. Chadima - 5.8p1-10 + 0.9.2-30
+- reenable auth-keys ldap backend
+
 * Fri Feb 25 2011 Jan F. Chadima - 5.8p1-9 + 0.9.2-30
 - another audit improovements
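Review bot: `%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper` packages the wrapper as an ordinary file, yet the HOWTO added in the same commit tells administrators to put debugging flags into ssh-ldap-wrapper itself, so a package upgrade will silently replace an edited wrapper. If editing is the intended interface, consider having the wrapper source its flags from a separate `%config(noreplace)` file rather than marking a libexec script as configuration, and say so in HOWTO.ldap-keys. The root-owned 0755 mode itself is appropriate for a script that sshd executes, as it rules out modification by unprivileged users.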