resolve warnings in port_linux.c

openssh-5.8p1-ldap.patch

@@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac
---- openssh-5.8p1/configure.ac.ldap	2011-02-28 23:21:05.000000000 +0100
-+++ openssh-5.8p1/configure.ac	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/configure.ac.ldap	2011-04-01 09:01:18.559688927 +0200
++++ openssh-5.8p1/configure.ac	2011-04-01 09:01:18.972717095 +0200
 @@ -1434,6 +1434,106 @@ AC_ARG_WITH(authorized-keys-command,
  	]
  )
@@ -109,26 +109,120 @@ diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac
  AC_CHECK_FUNCS( \
  	arc4random \
 diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
---- openssh-5.8p1/HOWTO.ldap-keys.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/HOWTO.ldap-keys	2011-02-28 23:21:06.000000000 +0100
-@@ -0,0 +1,14 @@
+--- openssh-5.8p1/HOWTO.ldap-keys.ldap	2011-04-01 09:01:19.000648742 +0200
++++ openssh-5.8p1/HOWTO.ldap-keys	2011-04-01 09:01:19.564648857 +0200
+@@ -0,0 +1,108 @@
++
++HOW TO START
 +
 +1) configure LDAP server
-+2) add appropriate schema
++  * Use LDAP server documentation
++2) add appropriate LDAP schema
++  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
++  * LDAP user entry
++        User entry:
++	- attached to the 'ldapPublicKey' objectclass
++	- attached to the 'posixAccount' objectclass
++	- with a filled 'sshPublicKey' attribute 
 +3) insert users into LDAP
++  * Use LDAP Tree management tool as useful
++  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
++  * Example:
++	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
++	objectclass: top
++	objectclass: person
++	objectclass: organizationalPerson
++	objectclass: posixAccount
++	objectclass: ldapPublicKey
++	description: Jonathan Archer
++	userPassword: Porthos
++	cn: onathan Archer
++	sn: onathan Archer
++	uid: captain
++	uidNumber: 1001
++	gidNumber: 1001
++	homeDirectory: /home/captain
++	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
++	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
 +4) on the ssh side set in sshd_config
-+AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
-+AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
-+5) do not forget to set
-+PubkeyAuthentication yes
++  * Set up the backend
++	AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
++	AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
++  * Do not forget to set
++	PubkeyAuthentication yes
++  * Swith off unnecessary auth methods
++5) confugure ldap.conf
++  * Default ldap.conf is placed in /etc/ssh
++  * The configuration style is the same as other ldap based aplications
++6) if necessary edit ssh-ldap-wrapper
++  * There is a possibility to change ldap.conf location
++  * There are some debug options
++  * Example
++	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
 +
++HOW TO MIGRATE FROM LPK
 +
-+To debug the ssh-ldap-helper is possible to set
-+the necessary flags in the ssh-ldap-wrapper.
++1) goto HOW TO START 4) .... the ldap schema is the same
++
++2) convert the group requests to the appropriate LDAP requests
++
++HOW TO SOLVE PROBLEMS
++
++1) use debug in sshd
++  * /usr/sbin/sshd -d -d -d -d
++2) use debug in ssh-ldap-helper
++  * ssh-ldap-helper -d -d -d -d -s <username>
++3) use tcpdump ... other ldap client etc.
++
++ADVANTAGES
++
++1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
++
++DISADVANTAGES
++
++1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
++  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
++  of your users in all your server farm -- be VERY CAREFUL.
++2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
++  as the impersonated user.
++3) If LDAP server is down there may be no fallback on passwd auth.
++  
++MISC.
++  
++1) todo
++  * Possibility to reuse the ssh-ldap-helper.
++  * Tune the LDAP part to accept  all possible LDAP configurations.
++
++2) differences from original lpk
++  * No LDAP code in sshd.
++  * Support for various LDAP platforms and configurations.
++  * LDAP is configured in separate ldap.conf file.
++
++3) docs/link 
++  * http://pacsec.jp/core05/psj05-barisani-en.pdf
++  * http://fritz.potsdam.edu/projects/openssh-lpk/
++  * http://fritz.potsdam.edu/projects/sshgate/
++  * http://dev.inversepath.com/trac/openssh-lpk
++  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
++
++4) contributors/ideas/greets
++  - Eric AUGE <eau@phear.org>
++  - Andrea Barisani <andrea@inversepath.com>
++  - Falk Siemonsmeier.
++  - Jacob Rief.
++  - Michael Durchgraf.
++  - frederic peters.
++  - Finlay dobbie.
++  - Stefan Fisher.
++  - Robin H. Johnson.
++  - Adrian Bridgett.
++
++5) Author
++    Jan F. Chadima <jchadima@redhat.com>
 +
 diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
---- openssh-5.8p1/ldapbody.c.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapbody.c	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapbody.c.ldap	2011-04-01 09:01:19.024648747 +0200
++++ openssh-5.8p1/ldapbody.c	2011-04-01 09:01:19.032648722 +0200
 @@ -0,0 +1,494 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -625,8 +719,8 @@ diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
 +}
 +
 diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h
---- openssh-5.8p1/ldapbody.h.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapbody.h	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapbody.h.ldap	2011-04-01 09:01:19.047648768 +0200
++++ openssh-5.8p1/ldapbody.h	2011-04-01 09:01:19.057648739 +0200
 @@ -0,0 +1,37 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -666,8 +760,8 @@ diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h
 +#endif /* LDAPBODY_H */
 +
 diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
---- openssh-5.8p1/ldapconf.c.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapconf.c	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapconf.c.ldap	2011-04-01 09:01:19.073648744 +0200
++++ openssh-5.8p1/ldapconf.c	2011-04-01 09:01:19.082648746 +0200
 @@ -0,0 +1,682 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1352,8 +1446,8 @@ diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
 +}
 +
 diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h
---- openssh-5.8p1/ldapconf.h.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapconf.h	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapconf.h.ldap	2011-04-01 09:01:19.097648717 +0200
++++ openssh-5.8p1/ldapconf.h	2011-04-01 09:01:19.107648734 +0200
 @@ -0,0 +1,71 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1427,8 +1521,8 @@ diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h
 +
 +#endif /* LDAPCONF_H */
 diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf
---- openssh-5.8p1/ldap.conf.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldap.conf	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldap.conf.ldap	2011-04-01 09:01:19.122648724 +0200
++++ openssh-5.8p1/ldap.conf	2011-04-01 09:01:19.131648759 +0200
 @@ -0,0 +1,88 @@
 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 +#
@@ -1519,9 +1613,9 @@ diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf
 +#tls_key
 +
 diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
---- openssh-5.8p1/ldap-helper.c.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldap-helper.c	2011-02-28 23:21:06.000000000 +0100
-@@ -0,0 +1,154 @@
+--- openssh-5.8p1/ldap-helper.c.ldap	2011-04-01 09:01:19.145658994 +0200
++++ openssh-5.8p1/ldap-helper.c	2011-04-01 09:01:19.608648889 +0200
+@@ -0,0 +1,155 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
@@ -1662,6 +1756,7 @@ diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
 +	if (config_single_user) {
 +		process_user (config_single_user, outfile);
 +	} else {
++		usage();
 +		fatal ("Not yet implemented");
 +/* TODO
 + * open unix socket a run the loop on it
@@ -1677,8 +1772,8 @@ diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
 +void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
 +
 diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h
---- openssh-5.8p1/ldap-helper.h.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldap-helper.h	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldap-helper.h.ldap	2011-04-01 09:01:19.168648731 +0200
++++ openssh-5.8p1/ldap-helper.h	2011-04-01 09:01:19.177648726 +0200
 @@ -0,0 +1,32 @@
 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1713,8 +1808,8 @@ diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h
 +
 +#endif /* LDAP_HELPER_H */
 diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h
---- openssh-5.8p1/ldapincludes.h.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapincludes.h	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapincludes.h.ldap	2011-04-01 09:01:19.192648737 +0200
++++ openssh-5.8p1/ldapincludes.h	2011-04-01 09:01:19.202648683 +0200
 @@ -0,0 +1,41 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1758,8 +1853,8 @@ diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h
 +
 +#endif /* LDAPINCLUDES_H */
 diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c
---- openssh-5.8p1/ldapmisc.c.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapmisc.c	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapmisc.c.ldap	2011-04-01 09:01:19.216648692 +0200
++++ openssh-5.8p1/ldapmisc.c	2011-04-01 09:01:19.225648767 +0200
 @@ -0,0 +1,79 @@
 +
 +#include "ldapincludes.h"
@@ -1841,8 +1936,8 @@ diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c
 +#endif
 +
 diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h
---- openssh-5.8p1/ldapmisc.h.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ldapmisc.h	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ldapmisc.h.ldap	2011-04-01 09:01:19.240648724 +0200
++++ openssh-5.8p1/ldapmisc.h	2011-04-01 09:01:19.249648718 +0200
 @@ -0,0 +1,35 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1880,129 +1975,9 @@ diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h
 +#endif /* LDAPMISC_H */
 +
 diff -up openssh-5.8p1/lpk-user-example.txt.ldap openssh-5.8p1/lpk-user-example.txt
---- openssh-5.8p1/lpk-user-example.txt.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/lpk-user-example.txt	2011-02-28 23:21:06.000000000 +0100
-@@ -0,0 +1,117 @@
-+
-+Post to ML -> User Made Quick Install Doc.
-+Contribution from John Lane <john@lane.uk.net>
-+
-+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-+
-+OpenSSH LDAP keystore Patch
-+===========================
-+
-+NOTE: these notes are a transcript of a specific installation
-+      they work for me, your specifics may be different!
-+      from John Lane March 17th 2005         john@lane.uk.net
-+
-+This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
-+from their LDAP record as an alternative to ~/.ssh/authorized_keys.
-+
-+(Assuming here that necessary build stuff is in $BUILD)
-+
-+cd $BUILD/openssh-4.0p1
-+patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
-+mkdir -p /var/empty &&
-+./configure --prefix=/usr --sysconfdir=/etc/ssh \
-+    --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
-+    --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
-+Now do.
-+make &&
-+make install
-+
-+Add the following config to /etc/ssh/ssh_config
-+UseLPK yes
-+LpkServers ldap://myhost.mydomain.com
-+LpkUserDN  ou=People,dc=mydomain,dc=com
-+
-+We need to tell sshd about the SSL keys during boot, as root's
-+environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
-+Change the startup code from this:
-+                echo "Starting SSH Server..."
-+                loadproc /usr/sbin/sshd
-+                ;;
-+to this:
-+                echo "Starting SSH Server..."
-+                LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
-+                ;;
-+
-+Re-start the sshd daemon:
-+/etc/rc.d/init.d/sshd restart
-+
-+Install the additional LDAP schema
-+cp $BUILD/openssh-lpk-0.2.schema  /etc/openldap/schema/openssh.schema
-+
-+Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
-+Add the following to the end of the existing block of schema includes
-+include         /etc/openldap/schema/openssh.schema
-+
-+Re-start the LDAP server:
-+/etc/rc.d/init.d/slapd restart
-+
-+To add one or more public keys to a user, eg "testuser" :
-+ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
-+"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
-+
-+append the following to this /tmp/testuser file
-+objectclass: ldapPublicKey
-+sshPublicKey: ssh-rsa
-+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
-+qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
-+7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
-+
-+Then do a modify:
-+ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
-+/tmp/testuser -Z
-+Enter LDAP Password:
-+modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
-+And check the modify is ok:
-+ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
-+"uid=testuser,ou=People,dc=mydomain,dc=com"
-+Enter LDAP Password:
-+# extended LDIF
-+#
-+# LDAPv3
-+# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
-+# filter: (objectclass=*)
-+# requesting: ALL
-+#
-+
-+# testuser, People, mydomain.com
-+dn: uid=testuser,ou=People,dc=mydomain,dc=com
-+uid: testuser
-+cn: testuser
-+objectClass: account
-+objectClass: posixAccount
-+objectClass: top
-+objectClass: shadowAccount
-+objectClass: ldapPublicKey
-+shadowLastChange: 12757
-+shadowMax: 99999
-+shadowWarning: 7
-+loginShell: /bin/bash
-+uidNumber: 9999
-+gidNumber: 501
-+homeDirectory: /home/testuser
-+userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
-+sshPublicKey: ssh-rsa
-+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
-+8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
-+
-+# search result
-+search: 3
-+result: 0 Success
-+
-+# numResponses: 2
-+# numEntries: 1
-+
-+Now start a ssh session to user "testuser" from usual ssh client (e.g.
-+puTTY). Login should succeed.
-+
-+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in
---- openssh-5.8p1/Makefile.in.ldap	2011-02-28 23:21:03.000000000 +0100
-+++ openssh-5.8p1/Makefile.in	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/Makefile.in.ldap	2011-04-01 09:01:15.209648708 +0200
++++ openssh-5.8p1/Makefile.in	2011-04-01 09:01:19.307648329 +0200
 @@ -26,6 +26,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
  SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@@ -2089,8 +2064,8 @@ diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in
  
  tests interop-tests:	$(TARGETS)
 diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lpk-openldap.schema
---- openssh-5.8p1/openssh-lpk-openldap.schema.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/openssh-lpk-openldap.schema	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/openssh-lpk-openldap.schema.ldap	2011-04-01 09:01:19.333648708 +0200
++++ openssh-5.8p1/openssh-lpk-openldap.schema	2011-04-01 09:01:19.343648766 +0200
 @@ -0,0 +1,21 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2114,8 +2089,8 @@ diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lp
 +	MUST ( sshPublicKey $ uid ) 
 +	)
 diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun.schema
---- openssh-5.8p1/openssh-lpk-sun.schema.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/openssh-lpk-sun.schema	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/openssh-lpk-sun.schema.ldap	2011-04-01 09:01:19.358648705 +0200
++++ openssh-5.8p1/openssh-lpk-sun.schema	2011-04-01 09:01:19.368648739 +0200
 @@ -0,0 +1,23 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2141,286 +2116,9 @@ diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun
 +	MUST ( sshPublicKey $ uid ) 
 +	)
 diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk
---- openssh-5.8p1/README.lpk.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/README.lpk	2011-02-28 23:21:06.000000000 +0100
-@@ -0,0 +1,274 @@
-+OpenSSH LDAP PUBLIC KEY PATCH 
-+Copyright (c) 2003 Eric AUGE (eau@phear.org)
-+All rights reserved.
-+
-+Rewriten by Jan F. Chadima (jchadima@redhat.com)
-+Copyright (c) 2010 Red Hat, Inc.
-+The new PKA-LDAP patch is rewritten from the scratch.
-+LDAP schema and part of the documentation is based on original
-+LPK project (http://code.google.com/p/openssh-lpk),
-+copyright (c) 2003 Eric AUGE
-+The new openssh configuration is different from the original LPK one.
-+
-+Redistribution and use in source and binary forms, with or without
-+modification, are permitted provided that the following conditions
-+are met:
-+1. Redistributions of source code must retain the above copyright
-+   notice, this list of conditions and the following disclaimer.
-+2. Redistributions in binary form must reproduce the above copyright
-+   notice, this list of conditions and the following disclaimer in the
-+   documentation and/or other materials provided with the distribution.
-+3. The name of the author may not be used to endorse or promote products
-+   derived from this software without specific prior written permission.
-+
-+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+
-+purposes of this patch:
-+
-+This patch would help to have authentication centralization policy
-+using ssh public key authentication.
-+This patch could be an alternative to other "secure" authentication system
-+working in a similar way (Kerberos, SecurID, etc...), except the fact 
-+that it's based on OpenSSH and its public key abilities.
-+
-+>> FYI: <<
-+'uid': means unix accounts existing on the current server
-+'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf.
-+
-+example schema:
-+
-+
-+                                  server1 (uid: eau,rival,toto) (ServerGroup: unix)
-+                ___________      /
-+               /           \ --- - server3 (uid: eau, titi) (ServerGroup: unix)
-+              | LDAP Server |    \
-+	      | eau  ,rival |     server2 (uid: rival, eau) (ServerGroup: unix)
-+	      | titi ,toto  |
-+	      | userx,....  |         server5 (uid: eau)  (ServerGroup: mail)
-+               \___________/ \       /
-+	                       ----- - server4 (uid: eau, rival)  (no group configured)
-+			             \
-+				        etc...
-+
-+- WHAT WE NEED :
-+
-+  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
-+  * patched sshd (with this patch ;)
-+  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
-+        User entry:
-+	- attached to the 'ldapPublicKey' objectclass
-+	- attached to the 'posixAccount' objectclass
-+	- with a filled 'sshPublicKey' attribute 
-+	Example:
-+		dn: uid=eau,ou=users,dc=cuckoos,dc=net
-+		objectclass: top
-+		objectclass: person
-+		objectclass: organizationalPerson
-+		objectclass: posixAccount
-+		objectclass: ldapPublicKey
-+		description: Eric AUGE Account
-+		userPassword: blah
-+		cn: Eric AUGE
-+		sn: Eric AUGE
-+		uid: eau
-+		uidNumber: 1034
-+		gidNumber: 1
-+		homeDirectory: /export/home/eau
-+		sshPublicKey: ssh-dss AAAAB3...
-+		sshPublicKey: ssh-dss AAAAM5...
-+
-+	Group entry:
-+	- attached to the 'posixGroup' objectclass
-+	- with a 'cn' groupname attribute
-+	- with multiple 'memberUid' attributes filled with usernames allowed in this group
-+	Example:
-+		# few members
-+		dn: cn=unix,ou=groups,dc=cuckoos,dc=net
-+		objectclass: top
-+		objectclass: posixGroup
-+		description: Unix based servers group
-+		cn: unix
-+		gidNumber: 1002
-+		memberUid: eau
-+		memberUid: user1
-+		memberUid: user2
-+
-+
-+- HOW IT WORKS :
-+
-+  * without patch
-+  If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
-+  and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
-+
-+  * with the patch
-+  If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
-+  It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
-+  (usually in $HOME/.ssh/authorized_keys)
-+
-+  2 tokens are added to sshd_config :
-+  # here is the new patched ldap related tokens
-+  AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
-+  AuthorizedKeysCommandRunAs nobody
-+
-+  The LDAP configuratin is read from common /etc/ldap.conf configuration file.
-+There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched.
-+
-+- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
-+
-+  * my way (there is plenty :)
-+  - create ldif file (i.e. users.ldif)
-+  - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
-+  - my way in 4 steps :
-+  Example:
-+
-+  # you add this to the user entry in the LDIF file :
-+  [...]
-+  objectclass: posixAccount
-+  objectclass: ldapPublicKey
-+  [...]
-+  sshPubliKey: ssh-dss AAAABDh12DDUR2...
-+  [...]
-+
-+  # insert your entry and you're done :)
-+  ldapadd -D balblabla -w bleh < file.ldif 
-+  
-+  all standard options can be present in the 'sshPublicKey' attribute.
-+
-+- WHY :
-+
-+  Simply because, i was looking for a way to centralize all sysadmins authentication, easily,  without completely using LDAP 
-+  as authentication method (like pam_ldap etc..).  
-+  
-+  After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get 
-+  public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
-+  objectclass within LDAP and part of the group the SSH server is in). 
-+
-+  Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase 
-+  so each user can change it as much as he wants). 
-+
-+  Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
-+
-+- RULES :  
-+  Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. 
-+  and the additionnal lpk.schema.
-+
-+  This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication 
-+  (pamldap, nss_ldap, etc..).
-+
-+  This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
-+  
-+  Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
-+  'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
-+  If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
-+  to log in 'server5' (i hope you got the idea, my english is bad :).
-+
-+  Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
-+  server.
-+  When you want to allow a new user to have access to the server parc, you just add him an account on 
-+  your servers, you add his public key into his entry on the LDAP server, it's done. 
-+
-+  Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
-+
-+  When the user needs to change his passphrase he can do it directly from his workstation by changing 
-+  his own key set lock passphrase, and all servers are automatically aware.
-+ 
-+  With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
-+  so he can add/modify/delete himself his public key when needed.
-+
-+­ FLAWS :
-+  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
-+  allow write to users dn, somebody could replace someuser's public key by its own and impersonate some 
-+  of your users in all your server farm be VERY CAREFUL.
-+  
-+  MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
-+  as the impersonnated user.
-+
-+  If LDAP server is down then, no fallback on passwd auth.
-+  
-+  the ldap code part has not been well audited yet.
-+
-+- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
-+    --- CUT HERE ---
-+    dn: uid=jdoe,ou=users,dc=foobar,dc=net
-+    objectclass: top
-+    objectclass: person
-+    objectclass: organizationalPerson
-+    objectclass: posixAccount
-+    objectclass: ldapPublicKey
-+    description: My account
-+    cn: John Doe
-+    sn: John Doe
-+    uid: jdoe
-+    uidNumber: 100
-+    gidNumber: 100
-+    homeDirectory: /home/jdoe
-+    sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
-+    [...]
-+    --- CUT HERE ---
-+
-+- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
-+    --- CUT HERE ---
-+    dn: cn=unix,ou=groups,dc=cuckoos,dc=net
-+    objectclass: top
-+    objectclass: posixGroup
-+    description: Unix based servers group
-+    cn: unix
-+    gidNumber: 1002
-+    memberUid: jdoe
-+    memberUid: user1
-+    memberUid: user2
-+    [...]
-+    --- CUT HERE ---
-+
-+>> FYI: << 
-+Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
-+
-+- COMPILING:
-+  1. Apply the patch
-+  2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
-+  3. make
-+  4. it's done.
-+
-+- BLA :
-+  I hope this could help, and i hope to be clear enough,, or give ideas.  questions/comments/improvements are welcome.
-+  
-+- TODO :
-+  Possibility to reuse the ssh-ldap-helper.
-+  Tune the LDAP part to all possible LDAP configurations.
-+
-+- DIFFERENCES FROM ORIGINAL lpk
-+  No LDAP code in sshd.
-+  Support for various LDAP platforms and configurations.
-+  LDAP is configured in separate ldap.conf file.
-+
-+- DOCS/LINK :
-+  http://pacsec.jp/core05/psj05-barisani-en.pdf
-+  http://fritz.potsdam.edu/projects/openssh-lpk/
-+  http://fritz.potsdam.edu/projects/sshgate/
-+  http://dev.inversepath.com/trac/openssh-lpk
-+  http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
-+
-+- CONTRIBUTORS/IDEAS/GREETS :
-+  - Eric AUGE <eau@phear.org>
-+  - Andrea Barisani <andrea@inversepath.com>
-+  - Falk Siemonsmeier.
-+  - Jacob Rief.
-+  - Michael Durchgraf.
-+  - frederic peters.
-+  - Finlay dobbie.
-+  - Stefan Fisher.
-+  - Robin H. Johnson.
-+  - Adrian Bridgett.
-+
-+- CONTACT :
-+    Jan F. Chadima <jchadima@redhat.com>
-+
 diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
---- openssh-5.8p1/ssh-ldap.conf.5.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ssh-ldap.conf.5	2011-02-28 23:21:06.000000000 +0100
+--- openssh-5.8p1/ssh-ldap.conf.5.ldap	2011-04-01 09:01:19.408648714 +0200
++++ openssh-5.8p1/ssh-ldap.conf.5	2011-04-01 09:01:19.418648733 +0200
 @@ -0,0 +1,373 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
@@ -2796,9 +2494,9 @@ diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
 diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
---- openssh-5.8p1/ssh-ldap-helper.8.ldap	2011-02-28 23:21:06.000000000 +0100
-+++ openssh-5.8p1/ssh-ldap-helper.8	2011-02-28 23:21:06.000000000 +0100
-@@ -0,0 +1,78 @@
+--- openssh-5.8p1/ssh-ldap-helper.8.ldap	2011-04-01 09:01:19.432648735 +0200
++++ openssh-5.8p1/ssh-ldap-helper.8	2011-04-01 09:01:19.709648247 +0200
+@@ -0,0 +1,79 @@
 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
 +.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
@@ -2838,11 +2536,12 @@ diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
 +by setting
 +.Cm AuthorizedKeysCommand
 +to
-+.Dq /usr/libexec/ssh-ldap-helper -s %u .
++.Dq /usr/libexec/ssh-ldap-wrapper .
 +.Pp
 +.Nm
 +is not intended to be invoked by the user, but from
-+.Xr sshd 8 .
++.Xr sshd 8 via
++.Xr ssh-ldap-wrapper .
 +.Pp
 +The options are as follows:
 +.Bl -tag -width Ds
@@ -2878,8 +2577,8 @@ diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
 diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap openssh-5.8p1/ssh-ldap-wrapper
---- openssh-5.8p1/ssh-ldap-wrapper.ldap	2011-02-28 23:21:07.000000000 +0100
-+++ openssh-5.8p1/ssh-ldap-wrapper	2011-02-28 23:21:07.000000000 +0100
+--- openssh-5.8p1/ssh-ldap-wrapper.ldap	2011-04-01 09:01:19.456648676 +0200
++++ openssh-5.8p1/ssh-ldap-wrapper	2011-04-01 09:01:19.464648753 +0200
 @@ -0,0 +1,4 @@
 +#!/bin/sh
 +

openssh-5.8p1-ldap2.patch

@@ -1,547 +0,0 @@
-diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys
---- openssh-5.8p1/HOWTO.ldap-keys.ldap2	2011-03-10 21:45:52.706855323 +0100
-+++ openssh-5.8p1/HOWTO.ldap-keys	2011-03-10 19:35:50.000000000 +0100
-@@ -1,14 +1,108 @@
- 
-+HOW TO START
-+
- 1) configure LDAP server
--2) add appropriate schema
-+  * Use LDAP server documentation
-+2) add appropriate LDAP schema
-+  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
-+  * LDAP user entry
-+        User entry:
-+	- attached to the 'ldapPublicKey' objectclass
-+	- attached to the 'posixAccount' objectclass
-+	- with a filled 'sshPublicKey' attribute 
- 3) insert users into LDAP
-+  * Use LDAP Tree management tool as useful
-+  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
-+  * Example:
-+	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
-+	objectclass: top
-+	objectclass: person
-+	objectclass: organizationalPerson
-+	objectclass: posixAccount
-+	objectclass: ldapPublicKey
-+	description: Jonathan Archer
-+	userPassword: Porthos
-+	cn: onathan Archer
-+	sn: onathan Archer
-+	uid: captain
-+	uidNumber: 1001
-+	gidNumber: 1001
-+	homeDirectory: /home/captain
-+	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
-+	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
- 4) on the ssh side set in sshd_config
--AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
--AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
--5) do not forget to set
--PubkeyAuthentication yes
-+  * Set up the backend
-+	AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
-+	AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
-+  * Do not forget to set
-+	PubkeyAuthentication yes
-+  * Swith off unnecessary auth methods
-+5) confugure ldap.conf
-+  * Default ldap.conf is placed in /etc/ssh
-+  * The configuration style is the same as other ldap based aplications
-+6) if necessary edit ssh-ldap-wrapper
-+  * There is a possibility to change ldap.conf location
-+  * There are some debug options
-+  * Example
-+	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
-+
-+HOW TO MIGRATE FROM LPK
-+
-+1) goto HOW TO START 4) .... the ldap schema is the same
-+
-+2) convert the group requests to the appropriate LDAP requests
-+
-+HOW TO SOLVE PROBLEMS
-+
-+1) use debug in sshd
-+  * /usr/sbin/sshd -d -d -d -d
-+2) use debug in ssh-ldap-helper
-+  * ssh-ldap-helper -d -d -d -d -s <username>
-+3) use tcpdump ... other ldap client etc.
-+
-+ADVANTAGES
-+
-+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
-+
-+DISADVANTAGES
-+
-+1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
-+  allows write to users dn, somebody could replace some user's public key by his own and impersonate some 
-+  of your users in all your server farm -- be VERY CAREFUL.
-+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
-+  as the impersonated user.
-+3) If LDAP server is down there may be no fallback on passwd auth.
-+  
-+MISC.
-+  
-+1) todo
-+  * Possibility to reuse the ssh-ldap-helper.
-+  * Tune the LDAP part to accept  all possible LDAP configurations.
-+
-+2) differences from original lpk
-+  * No LDAP code in sshd.
-+  * Support for various LDAP platforms and configurations.
-+  * LDAP is configured in separate ldap.conf file.
-+
-+3) docs/link 
-+  * http://pacsec.jp/core05/psj05-barisani-en.pdf
-+  * http://fritz.potsdam.edu/projects/openssh-lpk/
-+  * http://fritz.potsdam.edu/projects/sshgate/
-+  * http://dev.inversepath.com/trac/openssh-lpk
-+  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
- 
-+4) contributors/ideas/greets
-+  - Eric AUGE <eau@phear.org>
-+  - Andrea Barisani <andrea@inversepath.com>
-+  - Falk Siemonsmeier.
-+  - Jacob Rief.
-+  - Michael Durchgraf.
-+  - frederic peters.
-+  - Finlay dobbie.
-+  - Stefan Fisher.
-+  - Robin H. Johnson.
-+  - Adrian Bridgett.
- 
--To debug the ssh-ldap-helper is possible to set
--the necessary flags in the ssh-ldap-wrapper.
-+5) Author
-+    Jan F. Chadima <jchadima@redhat.com>
- 
-diff -up openssh-5.8p1/ldap-helper.c.ldap2 openssh-5.8p1/ldap-helper.c
---- openssh-5.8p1/ldap-helper.c.ldap2	2011-03-10 21:45:52.872854838 +0100
-+++ openssh-5.8p1/ldap-helper.c	2011-03-10 21:45:53.342855061 +0100
-@@ -138,6 +138,7 @@ main(int ac, char **av)
- 	if (config_single_user) {
- 		process_user (config_single_user, outfile);
- 	} else {
-+		usage();
- 		fatal ("Not yet implemented");
- /* TODO
-  * open unix socket a run the loop on it
-diff -up openssh-5.8p1/lpk-user-example.txt.ldap2 openssh-5.8p1/lpk-user-example.txt
---- openssh-5.8p1/lpk-user-example.txt.ldap2	2011-03-10 21:45:52.986980339 +0100
-+++ openssh-5.8p1/lpk-user-example.txt	2011-03-10 21:45:53.379854929 +0100
-@@ -1,117 +0,0 @@
--
--Post to ML -> User Made Quick Install Doc.
--Contribution from John Lane <john@lane.uk.net>
--
--++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--
--OpenSSH LDAP keystore Patch
--===========================
--
--NOTE: these notes are a transcript of a specific installation
--      they work for me, your specifics may be different!
--      from John Lane March 17th 2005         john@lane.uk.net
--
--This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
--from their LDAP record as an alternative to ~/.ssh/authorized_keys.
--
--(Assuming here that necessary build stuff is in $BUILD)
--
--cd $BUILD/openssh-4.0p1
--patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
--mkdir -p /var/empty &&
--./configure --prefix=/usr --sysconfdir=/etc/ssh \
--    --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
--    --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
--Now do.
--make &&
--make install
--
--Add the following config to /etc/ssh/ssh_config
--UseLPK yes
--LpkServers ldap://myhost.mydomain.com
--LpkUserDN  ou=People,dc=mydomain,dc=com
--
--We need to tell sshd about the SSL keys during boot, as root's
--environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
--Change the startup code from this:
--                echo "Starting SSH Server..."
--                loadproc /usr/sbin/sshd
--                ;;
--to this:
--                echo "Starting SSH Server..."
--                LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
--                ;;
--
--Re-start the sshd daemon:
--/etc/rc.d/init.d/sshd restart
--
--Install the additional LDAP schema
--cp $BUILD/openssh-lpk-0.2.schema  /etc/openldap/schema/openssh.schema
--
--Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
--Add the following to the end of the existing block of schema includes
--include         /etc/openldap/schema/openssh.schema
--
--Re-start the LDAP server:
--/etc/rc.d/init.d/slapd restart
--
--To add one or more public keys to a user, eg "testuser" :
--ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
--"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
--
--append the following to this /tmp/testuser file
--objectclass: ldapPublicKey
--sshPublicKey: ssh-rsa
--AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
--qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
--7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
--
--Then do a modify:
--ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
--/tmp/testuser -Z
--Enter LDAP Password:
--modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
--And check the modify is ok:
--ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
--"uid=testuser,ou=People,dc=mydomain,dc=com"
--Enter LDAP Password:
--# extended LDIF
--#
--# LDAPv3
--# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
--# filter: (objectclass=*)
--# requesting: ALL
--#
--
--# testuser, People, mydomain.com
--dn: uid=testuser,ou=People,dc=mydomain,dc=com
--uid: testuser
--cn: testuser
--objectClass: account
--objectClass: posixAccount
--objectClass: top
--objectClass: shadowAccount
--objectClass: ldapPublicKey
--shadowLastChange: 12757
--shadowMax: 99999
--shadowWarning: 7
--loginShell: /bin/bash
--uidNumber: 9999
--gidNumber: 501
--homeDirectory: /home/testuser
--userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
--sshPublicKey: ssh-rsa
--AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
--8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
--
--# search result
--search: 3
--result: 0 Success
--
--# numResponses: 2
--# numEntries: 1
--
--Now start a ssh session to user "testuser" from usual ssh client (e.g.
--puTTY). Login should succeed.
--
--++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-diff -up openssh-5.8p1/README.lpk.ldap2 openssh-5.8p1/README.lpk
---- openssh-5.8p1/README.lpk.ldap2	2011-03-10 21:45:53.112979980 +0100
-+++ openssh-5.8p1/README.lpk	2011-03-10 21:45:53.416856007 +0100
-@@ -1,274 +0,0 @@
--OpenSSH LDAP PUBLIC KEY PATCH 
--Copyright (c) 2003 Eric AUGE (eau@phear.org)
--All rights reserved.
--
--Rewriten by Jan F. Chadima (jchadima@redhat.com)
--Copyright (c) 2010 Red Hat, Inc.
--The new PKA-LDAP patch is rewritten from the scratch.
--LDAP schema and part of the documentation is based on original
--LPK project (http://code.google.com/p/openssh-lpk),
--copyright (c) 2003 Eric AUGE
--The new openssh configuration is different from the original LPK one.
--
--Redistribution and use in source and binary forms, with or without
--modification, are permitted provided that the following conditions
--are met:
--1. Redistributions of source code must retain the above copyright
--   notice, this list of conditions and the following disclaimer.
--2. Redistributions in binary form must reproduce the above copyright
--   notice, this list of conditions and the following disclaimer in the
--   documentation and/or other materials provided with the distribution.
--3. The name of the author may not be used to endorse or promote products
--   derived from this software without specific prior written permission.
--
--THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
--IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
--OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
--IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
--INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
--NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
--DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
--THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
--(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
--THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--
--purposes of this patch:
--
--This patch would help to have authentication centralization policy
--using ssh public key authentication.
--This patch could be an alternative to other "secure" authentication system
--working in a similar way (Kerberos, SecurID, etc...), except the fact 
--that it's based on OpenSSH and its public key abilities.
--
-->> FYI: <<
--'uid': means unix accounts existing on the current server
--'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf.
--
--example schema:
--
--
--                                  server1 (uid: eau,rival,toto) (ServerGroup: unix)
--                ___________      /
--               /           \ --- - server3 (uid: eau, titi) (ServerGroup: unix)
--              | LDAP Server |    \
--	      | eau  ,rival |     server2 (uid: rival, eau) (ServerGroup: unix)
--	      | titi ,toto  |
--	      | userx,....  |         server5 (uid: eau)  (ServerGroup: mail)
--               \___________/ \       /
--	                       ----- - server4 (uid: eau, rival)  (no group configured)
--			             \
--				        etc...
--
--- WHAT WE NEED :
--
--  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
--  * patched sshd (with this patch ;)
--  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
--        User entry:
--	- attached to the 'ldapPublicKey' objectclass
--	- attached to the 'posixAccount' objectclass
--	- with a filled 'sshPublicKey' attribute 
--	Example:
--		dn: uid=eau,ou=users,dc=cuckoos,dc=net
--		objectclass: top
--		objectclass: person
--		objectclass: organizationalPerson
--		objectclass: posixAccount
--		objectclass: ldapPublicKey
--		description: Eric AUGE Account
--		userPassword: blah
--		cn: Eric AUGE
--		sn: Eric AUGE
--		uid: eau
--		uidNumber: 1034
--		gidNumber: 1
--		homeDirectory: /export/home/eau
--		sshPublicKey: ssh-dss AAAAB3...
--		sshPublicKey: ssh-dss AAAAM5...
--
--	Group entry:
--	- attached to the 'posixGroup' objectclass
--	- with a 'cn' groupname attribute
--	- with multiple 'memberUid' attributes filled with usernames allowed in this group
--	Example:
--		# few members
--		dn: cn=unix,ou=groups,dc=cuckoos,dc=net
--		objectclass: top
--		objectclass: posixGroup
--		description: Unix based servers group
--		cn: unix
--		gidNumber: 1002
--		memberUid: eau
--		memberUid: user1
--		memberUid: user2
--
--
--- HOW IT WORKS :
--
--  * without patch
--  If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
--  and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
--
--  * with the patch
--  If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
--  It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
--  (usually in $HOME/.ssh/authorized_keys)
--
--  2 tokens are added to sshd_config :
--  # here is the new patched ldap related tokens
--  AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
--  AuthorizedKeysCommandRunAs nobody
--
--  The LDAP configuratin is read from common /etc/ldap.conf configuration file.
--There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched.
--
--- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
--
--  * my way (there is plenty :)
--  - create ldif file (i.e. users.ldif)
--  - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
--  - my way in 4 steps :
--  Example:
--
--  # you add this to the user entry in the LDIF file :
--  [...]
--  objectclass: posixAccount
--  objectclass: ldapPublicKey
--  [...]
--  sshPubliKey: ssh-dss AAAABDh12DDUR2...
--  [...]
--
--  # insert your entry and you're done :)
--  ldapadd -D balblabla -w bleh < file.ldif 
--  
--  all standard options can be present in the 'sshPublicKey' attribute.
--
--- WHY :
--
--  Simply because, i was looking for a way to centralize all sysadmins authentication, easily,  without completely using LDAP 
--  as authentication method (like pam_ldap etc..).  
--  
--  After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get 
--  public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
--  objectclass within LDAP and part of the group the SSH server is in). 
--
--  Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase 
--  so each user can change it as much as he wants). 
--
--  Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
--
--- RULES :  
--  Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. 
--  and the additionnal lpk.schema.
--
--  This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication 
--  (pamldap, nss_ldap, etc..).
--
--  This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
--  
--  Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
--  'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
--  If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
--  to log in 'server5' (i hope you got the idea, my english is bad :).
--
--  Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
--  server.
--  When you want to allow a new user to have access to the server parc, you just add him an account on 
--  your servers, you add his public key into his entry on the LDAP server, it's done. 
--
--  Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
--
--  When the user needs to change his passphrase he can do it directly from his workstation by changing 
--  his own key set lock passphrase, and all servers are automatically aware.
-- 
--  With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
--  so he can add/modify/delete himself his public key when needed.
--
--­ FLAWS :
--  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
--  allow write to users dn, somebody could replace someuser's public key by its own and impersonate some 
--  of your users in all your server farm be VERY CAREFUL.
--  
--  MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
--  as the impersonnated user.
--
--  If LDAP server is down then, no fallback on passwd auth.
--  
--  the ldap code part has not been well audited yet.
--
--- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
--    --- CUT HERE ---
--    dn: uid=jdoe,ou=users,dc=foobar,dc=net
--    objectclass: top
--    objectclass: person
--    objectclass: organizationalPerson
--    objectclass: posixAccount
--    objectclass: ldapPublicKey
--    description: My account
--    cn: John Doe
--    sn: John Doe
--    uid: jdoe
--    uidNumber: 100
--    gidNumber: 100
--    homeDirectory: /home/jdoe
--    sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
--    [...]
--    --- CUT HERE ---
--
--- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
--    --- CUT HERE ---
--    dn: cn=unix,ou=groups,dc=cuckoos,dc=net
--    objectclass: top
--    objectclass: posixGroup
--    description: Unix based servers group
--    cn: unix
--    gidNumber: 1002
--    memberUid: jdoe
--    memberUid: user1
--    memberUid: user2
--    [...]
--    --- CUT HERE ---
--
-->> FYI: << 
--Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
--
--- COMPILING:
--  1. Apply the patch
--  2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
--  3. make
--  4. it's done.
--
--- BLA :
--  I hope this could help, and i hope to be clear enough,, or give ideas.  questions/comments/improvements are welcome.
--  
--- TODO :
--  Possibility to reuse the ssh-ldap-helper.
--  Tune the LDAP part to all possible LDAP configurations.
--
--- DIFFERENCES FROM ORIGINAL lpk
--  No LDAP code in sshd.
--  Support for various LDAP platforms and configurations.
--  LDAP is configured in separate ldap.conf file.
--
--- DOCS/LINK :
--  http://pacsec.jp/core05/psj05-barisani-en.pdf
--  http://fritz.potsdam.edu/projects/openssh-lpk/
--  http://fritz.potsdam.edu/projects/sshgate/
--  http://dev.inversepath.com/trac/openssh-lpk
--  http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
--
--- CONTRIBUTORS/IDEAS/GREETS :
--  - Eric AUGE <eau@phear.org>
--  - Andrea Barisani <andrea@inversepath.com>
--  - Falk Siemonsmeier.
--  - Jacob Rief.
--  - Michael Durchgraf.
--  - frederic peters.
--  - Finlay dobbie.
--  - Stefan Fisher.
--  - Robin H. Johnson.
--  - Adrian Bridgett.
--
--- CONTACT :
--    Jan F. Chadima <jchadima@redhat.com>
--
-diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap2 openssh-5.8p1/ssh-ldap-helper.8
---- openssh-5.8p1/ssh-ldap-helper.8.ldap2	2011-03-10 21:45:53.170854817 +0100
-+++ openssh-5.8p1/ssh-ldap-helper.8	2011-03-10 21:45:53.454980272 +0100
-@@ -37,11 +37,12 @@ sshd configuration file
- by setting
- .Cm AuthorizedKeysCommand
- to
--.Dq /usr/libexec/ssh-ldap-helper -s %u .
-+.Dq /usr/libexec/ssh-ldap-wrapper .
- .Pp
- .Nm
- is not intended to be invoked by the user, but from
--.Xr sshd 8 .
-+.Xr sshd 8 via
-+.Xr ssh-ldap-wrapper .
- .Pp
- The options are as follows:
- .Bl -tag -width Ds

openssh.spec

@@ -104,20 +104,13 @@ Patch100: openssh-5.8p1-fingerprint.patch
 Patch200: openssh-5.8p1-exit.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
 Patch8: openssh-5.8p1-audit0.patch
-Patch108: openssh-5.8p1-audit0a.patch
 Patch1: openssh-5.8p1-audit1.patch
-Patch101: openssh-5.8p1-audit1a.patch
 Patch2: openssh-5.8p1-audit2.patch
-Patch102: openssh-5.8p1-audit2a.patch
 Patch3: openssh-5.8p1-audit3.patch
-Patch103: openssh-5.8p1-audit3a.patch
 Patch4: openssh-5.8p1-audit4.patch
-Patch104: openssh-5.8p1-audit4a.patch
 Patch5: openssh-5.8p1-audit5.patch
-Patch105: openssh-5.8p1-audit5a.patch
 #?
 Patch7: openssh-5.8p1-entropy.patch
-Patch107: openssh-5.8p1-entropy2.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
 Patch9: openssh-5.8p1-vendor.patch
 # --- pam_ssh-agent ---
@@ -127,7 +120,6 @@ Patch11: pam_ssh_agent_auth-0.9.2-seteuid.patch
 Patch20: openssh-5.8p1-authorized-keys-command.patch
 #?
 Patch21: openssh-5.8p1-ldap.patch
-Patch121: openssh-5.8p1-ldap2.patch
 #-mail-conf
 Patch22: openssh-5.8p1-selinux.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
@@ -169,7 +161,6 @@ Patch56: openssh-5.2p1-edns.patch
 Patch57: openssh-5.1p1-scp-manpage.patch
 #?
 Patch58: openssh-5.8p1-keycat.patch
-Patch158: openssh-5.8p1-keycat2.patch
 #http://www.sxw.org.uk/computing/patches/openssh.html
 Patch60: openssh-5.8p1-gsskex.patch
 #?
@@ -329,19 +320,12 @@ The module is most useful for su and sudo service stacks.
 %patch100 -p1 -b .fingerprint
 %patch200 -p1 -b .exit
 %patch8 -p1 -b .audit0
-%patch108 -p1 -b .audit0a
 %patch1 -p1 -b .audit1
-%patch101 -p1 -b .audit1a
 %patch2 -p1 -b .audit2
-%patch102 -p1 -b .audit2a
 %patch3 -p1 -b .audit3
-%patch103 -p1 -b .audit3a
 %patch4 -p1 -b .audit4
-%patch104 -p1 -b .audit4a
 %patch5 -p1 -b .audit5
-%patch105 -p1 -b .audit5a
 %patch7 -p1 -b .entropy
-%patch107 -p1 -b .entropy2
 %patch9 -p1 -b .vendor
 %if %{pam_ssh_agent}
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -354,7 +338,6 @@ popd
 %patch20 -p1 -b .akc
 %if %{ldap}
 %patch21 -p1 -b .ldap
-%patch121 -p1 -b .ldap2
 %endif
 %if %{WITH_SELINUX}
 #SELinux
@@ -368,6 +351,8 @@ popd
 %patch32 -p1 -b .randclean
 %patch34 -p1 -b .kuserok
 %patch35 -p1 -b .glob
+%patch36 -p1 -b .pwchange
+
 %patch50 -p1 -b .fips
 %patch51 -p1 -b .x11
 %patch52 -p1 -b .exit-deadlock
@@ -376,7 +361,6 @@ popd
 %patch56 -p1 -b .edns
 %patch57 -p1 -b .manpage
 %patch58 -p1 -b .keycat
-%patch158 -p1 -b .keycat2
 %patch60 -p1 -b .gsskex
 %patch61 -p1 -b .canohost