improove ssh-ldap (documentation)

openssh-5.8p1-ldap2.patch

@@ -0,0 +1,547 @@
+diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys
+--- openssh-5.8p1/HOWTO.ldap-keys.ldap2	2011-03-10 18:22:10.469855868 +0100
++++ openssh-5.8p1/HOWTO.ldap-keys	2011-03-10 18:22:11.018980430 +0100
+@@ -1,14 +1,108 @@
+ 
++HOW TO START
++
+ 1) configure LDAP server
+-2) add appropriate schema
++  * Use LDAP server documentation
++2) add appropriate LDAP schema
++  * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it. 
++  * LDAP user entry
++        User entry:
++	- attached to the 'ldapPublicKey' objectclass
++	- attached to the 'posixAccount' objectclass
++	- with a filled 'sshPublicKey' attribute 
+ 3) insert users into LDAP
++  * Use LDAP Tree management tool as useful
++  * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
++  * Example:
++	dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
++	objectclass: top
++	objectclass: person
++	objectclass: organizationalPerson
++	objectclass: posixAccount
++	objectclass: ldapPublicKey
++	description: Jonathan Archer
++	userPassword: Porthos
++	cn: onathan Archer
++	sn: onathan Archer
++	uid: captain
++	uidNumber: 1001
++	gidNumber: 1001
++	homeDirectory: /home/captain
++	sshPublicKey: ssh-rss AAAAB3.... =captain@universe
++	sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
+ 4) on the ssh side set in sshd_config
+-AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
+-AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
+-5) do not forget to set
+-PubkeyAuthentication yes
++  * Set up the backend
++	AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
++	AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
++  * Do not forget to set
++	PubkeyAuthentication yes
++  * Swith off unnecessary auth methods
++5) confugure ldap.conf
++  * Default ldap.conf is placed in /etc/ssh
++  * The configuration style is the same as other ldap based aplications
++6) if necessary edit ssh-ldap-wrapper
++  * There is a possibility to change ldap.conf location
++  * There are some debug options
++  * Example
++	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
++
++HOW TO MIGRATE FROM LPK
++
++1) goto HOW TO START 4) .... the ldap schema is the same
++
++2) convert the group requests to the appropriate LDAP requests
++
++HOW TO SOLVE PROBLEMS
++
++1) use debug in sshd
++  * /usr/sbin/sshd -d -d -d -d
++2) use debug in ssh-ldap-helper
++  * ssh-ldap-helper -d -d -d -d -s <username>
++3) use tcpdump ... other ldap client &tc..
++
++ADWANTAGES
++
++1) Blocking a user account can be done directly from the LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
++
++DISADVANTAGES
++
++1)  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
++  allow write to users dn, somebody could replace someuser's public key by its own and impersonate some 
++  of your users in all your server farm be VERY CAREFUL.
++2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
++  as the impersonnated user.
++3 If LDAP server is down then ma be no fallback on passwd auth.
++  
++MISC.
++  
++1) todo
++  * Possibility to reuse the ssh-ldap-helper.
++  * Tune the LDAP part to all possible LDAP configurations.
++
++2) differences from original lpk
++  * No LDAP code in sshd.
++  * Support for various LDAP platforms and configurations.
++  * LDAP is configured in separate ldap.conf file.
++
++3) docs/link 
++  * http://pacsec.jp/core05/psj05-barisani-en.pdf
++  * http://fritz.potsdam.edu/projects/openssh-lpk/
++  * http://fritz.potsdam.edu/projects/sshgate/
++  * http://dev.inversepath.com/trac/openssh-lpk
++  * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
+ 
++4) contributors/ideas/greets
++  - Eric AUGE <eau@phear.org>
++  - Andrea Barisani <andrea@inversepath.com>
++  - Falk Siemonsmeier.
++  - Jacob Rief.
++  - Michael Durchgraf.
++  - frederic peters.
++  - Finlay dobbie.
++  - Stefan Fisher.
++  - Robin H. Johnson.
++  - Adrian Bridgett.
+ 
+-To debug the ssh-ldap-helper is possible to set
+-the necessary flags in the ssh-ldap-wrapper.
++5) Author
++    Jan F. Chadima <jchadima@redhat.com>
+ 
+diff -up openssh-5.8p1/ldap-helper.c.ldap2 openssh-5.8p1/ldap-helper.c
+--- openssh-5.8p1/ldap-helper.c.ldap2	2011-03-10 18:22:48.870980079 +0100
++++ openssh-5.8p1/ldap-helper.c	2011-03-10 18:07:41.000000000 +0100
+@@ -138,6 +138,7 @@ main(int ac, char **av)
+ 	if (config_single_user) {
+ 		process_user (config_single_user, outfile);
+ 	} else {
++		usage();
+ 		fatal ("Not yet implemented");
+ /* TODO
+  * open unix socket a run the loop on it
+diff -up openssh-5.8p1/lpk-user-example.txt.ldap2 openssh-5.8p1/lpk-user-example.txt
+--- openssh-5.8p1/lpk-user-example.txt.ldap2	2011-03-10 18:22:10.745854874 +0100
++++ openssh-5.8p1/lpk-user-example.txt	2011-03-10 18:22:11.053980912 +0100
+@@ -1,117 +0,0 @@
+-
+-Post to ML -> User Made Quick Install Doc.
+-Contribution from John Lane <john@lane.uk.net>
+-
+-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+-
+-OpenSSH LDAP keystore Patch
+-===========================
+-
+-NOTE: these notes are a transcript of a specific installation
+-      they work for me, your specifics may be different!
+-      from John Lane March 17th 2005         john@lane.uk.net
+-
+-This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
+-from their LDAP record as an alternative to ~/.ssh/authorized_keys.
+-
+-(Assuming here that necessary build stuff is in $BUILD)
+-
+-cd $BUILD/openssh-4.0p1
+-patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
+-mkdir -p /var/empty &&
+-./configure --prefix=/usr --sysconfdir=/etc/ssh \
+-    --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
+-    --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
+-Now do.
+-make &&
+-make install
+-
+-Add the following config to /etc/ssh/ssh_config
+-UseLPK yes
+-LpkServers ldap://myhost.mydomain.com
+-LpkUserDN  ou=People,dc=mydomain,dc=com
+-
+-We need to tell sshd about the SSL keys during boot, as root's
+-environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
+-Change the startup code from this:
+-                echo "Starting SSH Server..."
+-                loadproc /usr/sbin/sshd
+-                ;;
+-to this:
+-                echo "Starting SSH Server..."
+-                LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
+-                ;;
+-
+-Re-start the sshd daemon:
+-/etc/rc.d/init.d/sshd restart
+-
+-Install the additional LDAP schema
+-cp $BUILD/openssh-lpk-0.2.schema  /etc/openldap/schema/openssh.schema
+-
+-Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
+-Add the following to the end of the existing block of schema includes
+-include         /etc/openldap/schema/openssh.schema
+-
+-Re-start the LDAP server:
+-/etc/rc.d/init.d/slapd restart
+-
+-To add one or more public keys to a user, eg "testuser" :
+-ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
+-"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
+-
+-append the following to this /tmp/testuser file
+-objectclass: ldapPublicKey
+-sshPublicKey: ssh-rsa
+-AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
+-qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
+-7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
+-
+-Then do a modify:
+-ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
+-/tmp/testuser -Z
+-Enter LDAP Password:
+-modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
+-And check the modify is ok:
+-ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
+-"uid=testuser,ou=People,dc=mydomain,dc=com"
+-Enter LDAP Password:
+-# extended LDIF
+-#
+-# LDAPv3
+-# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
+-# filter: (objectclass=*)
+-# requesting: ALL
+-#
+-
+-# testuser, People, mydomain.com
+-dn: uid=testuser,ou=People,dc=mydomain,dc=com
+-uid: testuser
+-cn: testuser
+-objectClass: account
+-objectClass: posixAccount
+-objectClass: top
+-objectClass: shadowAccount
+-objectClass: ldapPublicKey
+-shadowLastChange: 12757
+-shadowMax: 99999
+-shadowWarning: 7
+-loginShell: /bin/bash
+-uidNumber: 9999
+-gidNumber: 501
+-homeDirectory: /home/testuser
+-userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
+-sshPublicKey: ssh-rsa
+-AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
+-8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
+-
+-# search result
+-search: 3
+-result: 0 Success
+-
+-# numResponses: 2
+-# numEntries: 1
+-
+-Now start a ssh session to user "testuser" from usual ssh client (e.g.
+-puTTY). Login should succeed.
+-
+-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+diff -up openssh-5.8p1/README.lpk.ldap2 openssh-5.8p1/README.lpk
+--- openssh-5.8p1/README.lpk.ldap2	2011-03-10 18:22:10.872981060 +0100
++++ openssh-5.8p1/README.lpk	2011-03-10 18:22:11.089980853 +0100
+@@ -1,274 +0,0 @@
+-OpenSSH LDAP PUBLIC KEY PATCH 
+-Copyright (c) 2003 Eric AUGE (eau@phear.org)
+-All rights reserved.
+-
+-Rewriten by Jan F. Chadima (jchadima@redhat.com)
+-Copyright (c) 2010 Red Hat, Inc.
+-The new PKA-LDAP patch is rewritten from the scratch.
+-LDAP schema and part of the documentation is based on original
+-LPK project (http://code.google.com/p/openssh-lpk),
+-copyright (c) 2003 Eric AUGE
+-The new openssh configuration is different from the original LPK one.
+-
+-Redistribution and use in source and binary forms, with or without
+-modification, are permitted provided that the following conditions
+-are met:
+-1. Redistributions of source code must retain the above copyright
+-   notice, this list of conditions and the following disclaimer.
+-2. Redistributions in binary form must reproduce the above copyright
+-   notice, this list of conditions and the following disclaimer in the
+-   documentation and/or other materials provided with the distribution.
+-3. The name of the author may not be used to endorse or promote products
+-   derived from this software without specific prior written permission.
+-
+-THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+-IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+-OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+-IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+-NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+-THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-
+-purposes of this patch:
+-
+-This patch would help to have authentication centralization policy
+-using ssh public key authentication.
+-This patch could be an alternative to other "secure" authentication system
+-working in a similar way (Kerberos, SecurID, etc...), except the fact 
+-that it's based on OpenSSH and its public key abilities.
+-
+->> FYI: <<
+-'uid': means unix accounts existing on the current server
+-'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf.
+-
+-example schema:
+-
+-
+-                                  server1 (uid: eau,rival,toto) (ServerGroup: unix)
+-                ___________      /
+-               /           \ --- - server3 (uid: eau, titi) (ServerGroup: unix)
+-              | LDAP Server |    \
+-	      | eau  ,rival |     server2 (uid: rival, eau) (ServerGroup: unix)
+-	      | titi ,toto  |
+-	      | userx,....  |         server5 (uid: eau)  (ServerGroup: mail)
+-               \___________/ \       /
+-	                       ----- - server4 (uid: eau, rival)  (no group configured)
+-			             \
+-				        etc...
+-
+-- WHAT WE NEED :
+-
+-  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
+-  * patched sshd (with this patch ;)
+-  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
+-        User entry:
+-	- attached to the 'ldapPublicKey' objectclass
+-	- attached to the 'posixAccount' objectclass
+-	- with a filled 'sshPublicKey' attribute 
+-	Example:
+-		dn: uid=eau,ou=users,dc=cuckoos,dc=net
+-		objectclass: top
+-		objectclass: person
+-		objectclass: organizationalPerson
+-		objectclass: posixAccount
+-		objectclass: ldapPublicKey
+-		description: Eric AUGE Account
+-		userPassword: blah
+-		cn: Eric AUGE
+-		sn: Eric AUGE
+-		uid: eau
+-		uidNumber: 1034
+-		gidNumber: 1
+-		homeDirectory: /export/home/eau
+-		sshPublicKey: ssh-dss AAAAB3...
+-		sshPublicKey: ssh-dss AAAAM5...
+-
+-	Group entry:
+-	- attached to the 'posixGroup' objectclass
+-	- with a 'cn' groupname attribute
+-	- with multiple 'memberUid' attributes filled with usernames allowed in this group
+-	Example:
+-		# few members
+-		dn: cn=unix,ou=groups,dc=cuckoos,dc=net
+-		objectclass: top
+-		objectclass: posixGroup
+-		description: Unix based servers group
+-		cn: unix
+-		gidNumber: 1002
+-		memberUid: eau
+-		memberUid: user1
+-		memberUid: user2
+-
+-
+-- HOW IT WORKS :
+-
+-  * without patch
+-  If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
+-  and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
+-
+-  * with the patch
+-  If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
+-  It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
+-  (usually in $HOME/.ssh/authorized_keys)
+-
+-  2 tokens are added to sshd_config :
+-  # here is the new patched ldap related tokens
+-  AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
+-  AuthorizedKeysCommandRunAs nobody
+-
+-  The LDAP configuratin is read from common /etc/ldap.conf configuration file.
+-There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched.
+-
+-- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
+-
+-  * my way (there is plenty :)
+-  - create ldif file (i.e. users.ldif)
+-  - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
+-  - my way in 4 steps :
+-  Example:
+-
+-  # you add this to the user entry in the LDIF file :
+-  [...]
+-  objectclass: posixAccount
+-  objectclass: ldapPublicKey
+-  [...]
+-  sshPubliKey: ssh-dss AAAABDh12DDUR2...
+-  [...]
+-
+-  # insert your entry and you're done :)
+-  ldapadd -D balblabla -w bleh < file.ldif 
+-  
+-  all standard options can be present in the 'sshPublicKey' attribute.
+-
+-- WHY :
+-
+-  Simply because, i was looking for a way to centralize all sysadmins authentication, easily,  without completely using LDAP 
+-  as authentication method (like pam_ldap etc..).  
+-  
+-  After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get 
+-  public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
+-  objectclass within LDAP and part of the group the SSH server is in). 
+-
+-  Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase 
+-  so each user can change it as much as he wants). 
+-
+-  Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
+-
+-- RULES :  
+-  Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. 
+-  and the additionnal lpk.schema.
+-
+-  This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication 
+-  (pamldap, nss_ldap, etc..).
+-
+-  This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
+-  
+-  Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
+-  'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
+-  If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
+-  to log in 'server5' (i hope you got the idea, my english is bad :).
+-
+-  Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
+-  server.
+-  When you want to allow a new user to have access to the server parc, you just add him an account on 
+-  your servers, you add his public key into his entry on the LDAP server, it's done. 
+-
+-  Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
+-
+-  When the user needs to change his passphrase he can do it directly from his workstation by changing 
+-  his own key set lock passphrase, and all servers are automatically aware.
+- 
+-  With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
+-  so he can add/modify/delete himself his public key when needed.
+-
+-­ FLAWS :
+-  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
+-  allow write to users dn, somebody could replace someuser's public key by its own and impersonate some 
+-  of your users in all your server farm be VERY CAREFUL.
+-  
+-  MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
+-  as the impersonnated user.
+-
+-  If LDAP server is down then, no fallback on passwd auth.
+-  
+-  the ldap code part has not been well audited yet.
+-
+-- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
+-    --- CUT HERE ---
+-    dn: uid=jdoe,ou=users,dc=foobar,dc=net
+-    objectclass: top
+-    objectclass: person
+-    objectclass: organizationalPerson
+-    objectclass: posixAccount
+-    objectclass: ldapPublicKey
+-    description: My account
+-    cn: John Doe
+-    sn: John Doe
+-    uid: jdoe
+-    uidNumber: 100
+-    gidNumber: 100
+-    homeDirectory: /home/jdoe
+-    sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
+-    [...]
+-    --- CUT HERE ---
+-
+-- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
+-    --- CUT HERE ---
+-    dn: cn=unix,ou=groups,dc=cuckoos,dc=net
+-    objectclass: top
+-    objectclass: posixGroup
+-    description: Unix based servers group
+-    cn: unix
+-    gidNumber: 1002
+-    memberUid: jdoe
+-    memberUid: user1
+-    memberUid: user2
+-    [...]
+-    --- CUT HERE ---
+-
+->> FYI: << 
+-Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
+-
+-- COMPILING:
+-  1. Apply the patch
+-  2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
+-  3. make
+-  4. it's done.
+-
+-- BLA :
+-  I hope this could help, and i hope to be clear enough,, or give ideas.  questions/comments/improvements are welcome.
+-  
+-- TODO :
+-  Possibility to reuse the ssh-ldap-helper.
+-  Tune the LDAP part to all possible LDAP configurations.
+-
+-- DIFFERENCES FROM ORIGINAL lpk
+-  No LDAP code in sshd.
+-  Support for various LDAP platforms and configurations.
+-  LDAP is configured in separate ldap.conf file.
+-
+-- DOCS/LINK :
+-  http://pacsec.jp/core05/psj05-barisani-en.pdf
+-  http://fritz.potsdam.edu/projects/openssh-lpk/
+-  http://fritz.potsdam.edu/projects/sshgate/
+-  http://dev.inversepath.com/trac/openssh-lpk
+-  http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
+-
+-- CONTRIBUTORS/IDEAS/GREETS :
+-  - Eric AUGE <eau@phear.org>
+-  - Andrea Barisani <andrea@inversepath.com>
+-  - Falk Siemonsmeier.
+-  - Jacob Rief.
+-  - Michael Durchgraf.
+-  - frederic peters.
+-  - Finlay dobbie.
+-  - Stefan Fisher.
+-  - Robin H. Johnson.
+-  - Adrian Bridgett.
+-
+-- CONTACT :
+-    Jan F. Chadima <jchadima@redhat.com>
+-
+diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap2 openssh-5.8p1/ssh-ldap-helper.8
+--- openssh-5.8p1/ssh-ldap-helper.8.ldap2	2011-03-10 18:22:10.921854948 +0100
++++ openssh-5.8p1/ssh-ldap-helper.8	2011-03-10 18:20:17.000000000 +0100
+@@ -37,11 +37,12 @@ sshd configuration file
+ by setting
+ .Cm AuthorizedKeysCommand
+ to
+-.Dq /usr/libexec/ssh-ldap-helper -s %u .
++.Dq /usr/libexec/ssh-ldap-wrapper .
+ .Pp
+ .Nm
+ is not intended to be invoked by the user, but from
+-.Xr sshd 8 .
++.Xr sshd 8 via
++.Xr ssh-ldap-wrapper .
+ .Pp
+ The options are as follows:
+ .Bl -tag -width Ds

openssh.spec

@@ -71,7 +71,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p1
-%define openssh_rel 16
+%define openssh_rel 17
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 30
 
@@ -622,7 +622,7 @@ fi
 %if %{ldap}
 %files ldap
 %defattr(-,root,root)
-%doc HOWTO.ldap-keys README.lpk lpk-user-example.txt openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
+%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
 %attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
@@ -652,6 +652,9 @@ fi
 %endif
 
 %changelog
+* Thu Mar 10 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-17 + 0.9.2-30
+- improove ssh-ldap (documentation)
+
 * Tue Mar  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-16 + 0.9.2-30
 - improve session keys audit
 
@@ -659,7 +662,7 @@ fi
 - CVE-2010-4755
 
 * Fri Mar  4 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-14 + 0.9.2-30
-- improove ssk-keycat (documentation)
+- improove ssh-keycat (documentation)
 
 * Thu Mar  3 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-13 + 0.9.2-30
 - improve audit of logins and auths