From 9992a8e919e0c081d5553100cd73f09b41287d89 Mon Sep 17 00:00:00 2001
From: Jan F
Date: Thu, 10 Mar 2011 21:48:09 +0100
Subject: [PATCH] improove ssh-ldap (documentation)
---
openssh-5.8p1-ldap2.patch | 36 ++++++++++++++++++------------------
openssh.spec | 36 ++++++++++++++++++------------------
2 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/openssh-5.8p1-ldap2.patch b/openssh-5.8p1-ldap2.patch
index 425b623..9520582 100644
--- a/openssh-5.8p1-ldap2.patch
+++ b/openssh-5.8p1-ldap2.patch
@@ -1,6 +1,6 @@
diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys
---- openssh-5.8p1/HOWTO.ldap-keys.ldap2 2011-03-10 18:22:10.469855868 +0100
-+++ openssh-5.8p1/HOWTO.ldap-keys 2011-03-10 18:22:11.018980430 +0100
+--- openssh-5.8p1/HOWTO.ldap-keys.ldap2 2011-03-10 21:45:52.706855323 +0100
++++ openssh-5.8p1/HOWTO.ldap-keys 2011-03-10 19:35:50.000000000 +0100
@@ -1,14 +1,108 @@
+HOW TO START
@@ -67,26 +67,26 @@ diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys
+ * /usr/sbin/sshd -d -d -d -d
+2) use debug in ssh-ldap-helper
+ * ssh-ldap-helper -d -d -d -d -s
-+3) use tcpdump ... other ldap client &tc..
++3) use tcpdump ... other ldap client etc.
+
-+ADWANTAGES
++ADVANTAGES
+
-+1) Blocking a user account can be done directly from the LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
++1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
+
+DISADVANTAGES
+
+1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
-+ allow write to users dn, somebody could replace someuser's public key by its own and impersonate some
-+ of your users in all your server farm be VERY CAREFUL.
++ allows write to users dn, somebody could replace some user's public key by his own and impersonate some
++ of your users in all your server farm -- be VERY CAREFUL.
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
-+ as the impersonnated user.
-+3 If LDAP server is down then ma be no fallback on passwd auth.
++ as the impersonated user.
++3) If LDAP server is down there may be no fallback on passwd auth.
+
+MISC.
+
+1) todo
+ * Possibility to reuse the ssh-ldap-helper.
-+ * Tune the LDAP part to all possible LDAP configurations.
++ * Tune the LDAP part to accept all possible LDAP configurations.
+
+2) differences from original lpk
+ * No LDAP code in sshd.
@@ -118,8 +118,8 @@ diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys
+ Jan F. Chadima
diff -up openssh-5.8p1/ldap-helper.c.ldap2 openssh-5.8p1/ldap-helper.c
---- openssh-5.8p1/ldap-helper.c.ldap2 2011-03-10 18:22:48.870980079 +0100
-+++ openssh-5.8p1/ldap-helper.c 2011-03-10 18:07:41.000000000 +0100
+--- openssh-5.8p1/ldap-helper.c.ldap2 2011-03-10 21:45:52.872854838 +0100
++++ openssh-5.8p1/ldap-helper.c 2011-03-10 21:45:53.342855061 +0100
@@ -138,6 +138,7 @@ main(int ac, char **av)
if (config_single_user) {
process_user (config_single_user, outfile);
@@ -129,8 +129,8 @@ diff -up openssh-5.8p1/ldap-helper.c.ldap2 openssh-5.8p1/ldap-helper.c
/* TODO
* open unix socket a run the loop on it
diff -up openssh-5.8p1/lpk-user-example.txt.ldap2 openssh-5.8p1/lpk-user-example.txt
---- openssh-5.8p1/lpk-user-example.txt.ldap2 2011-03-10 18:22:10.745854874 +0100
-+++ openssh-5.8p1/lpk-user-example.txt 2011-03-10 18:22:11.053980912 +0100
+--- openssh-5.8p1/lpk-user-example.txt.ldap2 2011-03-10 21:45:52.986980339 +0100
++++ openssh-5.8p1/lpk-user-example.txt 2011-03-10 21:45:53.379854929 +0100
@@ -1,117 +0,0 @@
-
-Post to ML -> User Made Quick Install Doc.
@@ -250,8 +250,8 @@ diff -up openssh-5.8p1/lpk-user-example.txt.ldap2 openssh-5.8p1/lpk-user-example
-
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff -up openssh-5.8p1/README.lpk.ldap2 openssh-5.8p1/README.lpk
---- openssh-5.8p1/README.lpk.ldap2 2011-03-10 18:22:10.872981060 +0100
-+++ openssh-5.8p1/README.lpk 2011-03-10 18:22:11.089980853 +0100
+--- openssh-5.8p1/README.lpk.ldap2 2011-03-10 21:45:53.112979980 +0100
++++ openssh-5.8p1/README.lpk 2011-03-10 21:45:53.416856007 +0100
@@ -1,274 +0,0 @@
-OpenSSH LDAP PUBLIC KEY PATCH
-Copyright (c) 2003 Eric AUGE (eau@phear.org)
@@ -528,8 +528,8 @@ diff -up openssh-5.8p1/README.lpk.ldap2 openssh-5.8p1/README.lpk
- Jan F. Chadima
-
diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap2 openssh-5.8p1/ssh-ldap-helper.8
---- openssh-5.8p1/ssh-ldap-helper.8.ldap2 2011-03-10 18:22:10.921854948 +0100
-+++ openssh-5.8p1/ssh-ldap-helper.8 2011-03-10 18:20:17.000000000 +0100
+--- openssh-5.8p1/ssh-ldap-helper.8.ldap2 2011-03-10 21:45:53.170854817 +0100
++++ openssh-5.8p1/ssh-ldap-helper.8 2011-03-10 21:45:53.454980272 +0100
@@ -37,11 +37,12 @@ sshd configuration file by setting
.Cm AuthorizedKeysCommand
diff --git a/openssh.spec b/openssh.spec
index 1331976..99e44fc 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -341,25 +341,25 @@ popd
%if %{WITH_SELINUX}
#SELinux
%patch22 -p1 -b .selinux
-%patch23 -p1 -b .role
-%patch24 -p1 -b .mls
+###%patch23 -p1 -b .role
+###%patch24 -p1 -b .mls
%endif
-%patch30 -p1 -b .keygen
-%patch31 -p1 -b .ip-opts
-%patch32 -p1 -b .randclean
-%patch34 -p1 -b .kuserok
-%patch35 -p1 -b .glob
-%patch50 -p1 -b .fips
-%patch51 -p1 -b .x11
-%patch52 -p1 -b .exit-deadlock
-%patch53 -p1 -b .progress
-%patch54 -p1 -b .grab-info
-%patch56 -p1 -b .edns
-%patch57 -p1 -b .manpage
-%patch58 -p1 -b .keycat
-%patch158 -p1 -b .keycat2
-%patch60 -p1 -b .gsskex
-%patch61 -p1 -b .canohost
+###%patch30 -p1 -b .keygen
+###%patch31 -p1 -b .ip-opts
+###%patch32 -p1 -b .randclean
+###%patch34 -p1 -b .kuserok
+###%patch35 -p1 -b .glob
+###%patch50 -p1 -b .fips
+###%patch51 -p1 -b .x11
+###%patch52 -p1 -b .exit-deadlock
+###%patch53 -p1 -b .progress
+###%patch54 -p1 -b .grab-info
+###%patch56 -p1 -b .edns
+###%patch57 -p1 -b .manpage
+###%patch58 -p1 -b .keycat
+###%patch158 -p1 -b .keycat2
+###%patch60 -p1 -b .gsskex
+###%patch61 -p1 -b .canohost
autoreconf
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
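Review bot: The openssh.spec hunk at @@ -341,25 +341,25 @@ comments out eighteen %patch lines — %patch23 and %patch24 (.role, .mls) inside %if %{WITH_SELINUX}, and %patch30 through %patch61 plus %patch158 (.keygen, .ip-opts, .randclean, .kuserok, .glob, .fips, .x11, .exit-deadlock, .progress, .grab-info, .edns, .manpage, .keycat, .keycat2, .gsskex, .canohost) — while the subject describes a documentation-only change to ssh-ldap, so a package built from this commit silently drops those fixes, and judging by their names (.fips, .role, .mls, .kuserok, .canohost) several of them are security-relevant. This reads as a local debugging leftover that should be split out or dropped; if the patches are intentionally disabled, the reason belongs in a comment next to them and in %changelog rather than in a commit titled as documentation. Note also that rpmbuild expands macros on `#` comment lines, so the conventional spelling for a parked patch is `###%%patch30 -p1 -b .keygen` with a doubled `%`; whether the rpm version in use actually acts on a commented `%patchN` is something to confirm rather than assume.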