diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/Makefile.in openssh-4.0p1-lpk/Makefile.in --- openssh-4.0p1/Makefile.in 2005-02-26 00:12:38.000000000 +0100 +++ openssh-4.0p1-lpk/Makefile.in 2005-05-25 01:57:00.000000000 +0200 @@ -86,7 +86,7 @@ auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - audit.o audit-bsm.o + audit.o audit-bsm.o ldapauth.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/README.lpk openssh-4.0p1-lpk/README.lpk --- openssh-4.0p1/README.lpk 1970-01-01 01:00:00.000000000 +0100 +++ openssh-4.0p1-lpk/README.lpk 2005-05-25 01:57:00.000000000 +0200 @@ -0,0 +1,260 @@ +OpenSSH LDAP PUBLIC KEY PATCH +Copyright (c) 2003 Eric AUGE (eau@phear.org) +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. The name of the author may not be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +purposes of this patch: + +This patch would help to have authentication centralization policy +using ssh public key authentication. +This patch could be an alternative to other "secure" authentication system +working in a similar way (Kerberos, SecurID, etc...), except the fact +that it's based on OpenSSH and its public key abilities. + +>> FYI: << +'uid': means unix accounts existing on the current server +'lpkServerGroup:' mean server group configured on the current server ('lpkServerGroup' in sshd_config) + +example schema: + + + server1 (uid: eau,rival,toto) (lpkServerGroup: unix) + ___________ / + / \ --- - server3 (uid: eau, titi) (lpkServerGroup: unix) + | LDAP Server | \ + | eau ,rival | server2 (uid: rival, eau) (lpkServerGroup: unix) + | titi ,toto | + | userx,.... | server5 (uid: eau) (lpkServerGroup: mail) + \___________/ \ / + ----- - server4 (uid: eau, rival) (no group configured) + \ + etc... + +- WHAT WE NEED : + + * configured LDAP server somewhere on the network (i.e. OpenLDAP) + * patched sshd (with this patch ;) + * LDAP user(/group) entry (look at users.ldif (& groups.ldif)): + User entry: + - attached to the 'ldapPublicKey' objectclass + - attached to the 'posixAccount' objectclass + - with a filled 'sshPublicKey' attribute + Example: + dn: uid=eau,ou=users,dc=cuckoos,dc=net + objectclass: top + objectclass: person + objectclass: organizationalPerson + objectclass: posixAccount + objectclass: ldapPublicKey + description: Eric AUGE Account + userPassword: blah + cn: Eric AUGE + sn: Eric AUGE + uid: eau + uidNumber: 1034 + gidNumber: 1 + homeDirectory: /export/home/eau + sshPublicKey: ssh-dss AAAAB3... + sshPublicKey: ssh-dss AAAAM5... + + Group entry: + - attached to the 'posixGroup' objectclass + - with a 'cn' groupname attribute + - with multiple 'memberUid' attributes filled with usernames allowed in this group + Example: + # few members + dn: cn=unix,ou=groups,dc=cuckoos,dc=net + objectclass: top + objectclass: posixGroup + description: Unix based servers group + cn: unix + gidNumber: 1002 + memberUid: eau + memberUid: user1 + memberUid: user2 + + +- HOW IT WORKS : + + * without patch + If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..) + and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled). + + * with the patch + If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled. + It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. + (usually in $HOME/.ssh/authorized_keys) + + If groups are enabled, it will also check if the user that wants to login is in the group of the server he is trying to log into. + If it fails, it falls back on RSA auth files ($HOME/.ssh/authorized_keys), etc.. and finally to standard password authentication (if enabled). + + 7 tokens are added to sshd_config : + # here is the new patched ldap related tokens + # entries in your LDAP must be posixAccount & strongAuthenticationUser & posixGroup + UseLPK yes # look the pub key into LDAP + LpkServers ldap://10.31.32.5/ ldap://10.31.32.4 ldap://10.31.32.3 # which LDAP server for users ? (URL format) + LpkUserDN ou=users,dc=foobar,dc=net # which base DN for users ? + LpkGroupDN ou=groups,dc=foobar,dc=net # which base DN for groups ? + LpkBindDN cn=manager,dc=foobar,dc=net # which bind DN ? + LpkBindPw asecret # bind DN credidentials + LpkServerGroup agroupname # the group the server is part of + + Right now i'm using anonymous binding to get public keys, because getting public keys of someone doesn't impersonate him¸ but there is some + flaws you have to take care of. + +- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY + + * my way (there is plenty :) + - create ldif file (i.e. users.ldif) + - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub + - my way in 4 steps : + Example: + + # you add this to the user entry in the LDIF file : + [...] + objectclass: posixAccount + objectclass: ldapPublicKey + [...] + sshPubliKey: ssh-dss AAAABDh12DDUR2... + [...] + + # insert your entry and you're done :) + ldapadd -D balblabla -w bleh < file.ldif + + all standard options can be present in the 'sshPublicKey' attribute. + +- WHY : + + Simply because, i was looking for a way to centralize all sysadmins authentication, easily, without completely using LDAP + as authentication method (like pam_ldap etc..). + + After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get + public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser' + objectclass within LDAP and part of the group the SSH server is in). + + Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase + so each user can change it as much as he wants). + + Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only). + +- RULES : + Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. + and the additionnal lpk.schema. + + This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication + (pamldap, nss_ldap, etc..). + + This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..). + + Referring to schema at the beginning of this file if user 'eau' is only in group 'unix' + 'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'. + If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able + to log in 'server5' (i hope you got the idea, my english is bad :). + + Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP + server. + When you want to allow a new user to have access to the server parc, you just add him an account on + your servers, you add his public key into his entry on the LDAP server, it's done. + + Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys). + + When the user needs to change his passphrase he can do it directly from his workstation by changing + his own key set lock passphrase, and all servers are automatically aware. + + With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself + so he can add/modify/delete himself his public key when needed. + +­ FLAWS : + LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP + allow write to users dn, somebody could replace someuser's public key by its own and impersonate some + of your users in all your server farm be VERY CAREFUL. + + MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login + as the impersonnated user. + + If LDAP server is down then, fallback on passwd auth. + + the ldap code part has not been well audited yet. + +- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif) + --- CUT HERE --- + dn: uid=jdoe,ou=users,dc=foobar,dc=net + objectclass: top + objectclass: person + objectclass: organizationalPerson + objectclass: posixAccount + objectclass: ldapPublicKey + description: My account + cn: John Doe + sn: John Doe + uid: jdoe + uidNumber: 100 + gidNumber: 100 + homeDirectory: /home/jdoe + sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB.... + [...] + --- CUT HERE --- + +- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif) + --- CUT HERE --- + dn: cn=unix,ou=groups,dc=cuckoos,dc=net + objectclass: top + objectclass: posixGroup + description: Unix based servers group + cn: unix + gidNumber: 1002 + memberUid: jdoe + memberUid: user1 + memberUid: user2 + [...] + --- CUT HERE --- + +>> FYI: << +Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry + +- COMPILING: + 1. Apply the patch + 1. ./configure --with-your-options --with-libs="-lldap" --with-ldflags="-L/path/to/your/openldap/lib" --with-cppflags="-I/path/to/your/openldap/include -DWITH_LDAP_PUBKEY" + 3. make + 4. it's done. + +- BLA : + I hope this could help, and i hope to be clear enough,, or give ideas. questions/comments/improvements are welcome. + +- TODO : + - filters in the LDAP URL so ppl can choose on others criteria as well + - TLS support + - auto provisionning + - new schema (snu@opendarwin.org idea) + +- CONTRIBUTORS/IDEAS/GREETS : + - Falk Siemonsmeier -> 3.7 patch port candidate + - Jacob Rief -> ideas (group && cleanups) + - Michael.Durchgraf@dregis.com -> Bugfixes thanks ;) + - frederic.peters@free.fr -> X509 keys LDAP patch (old) + - oink -> bugfixes + - finlay dobbie -> new fresh start with this guy :) + +- CONTACT : + - Eric AUGE , diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/auth-rsa.c openssh-4.0p1-lpk/auth-rsa.c --- openssh-4.0p1/auth-rsa.c 2004-12-11 03:39:50.000000000 +0100 +++ openssh-4.0p1-lpk/auth-rsa.c 2005-05-25 01:57:00.000000000 +0200 @@ -160,10 +160,96 @@ u_long linenum = 0; struct stat st; Key *key; +#ifdef WITH_LDAP_PUBKEY + ldap_key_t * k; + int i = 0; +#endif /* Temporarily use the user's uid. */ temporarily_use_uid(pw); +#ifdef WITH_LDAP_PUBKEY + /* here is the job */ + key = key_new(KEY_RSA1); + + if (options.lpk.on) { + debug("[LDAP] trying LDAP first uid=%s", pw->pw_name); + if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) { + if ( (k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) { + for (i = 0 ; i < k->num ; i++) { + char *cp, *options = NULL; + + for (cp = k->keys[i]; *cp == ' ' || *cp == '\t'; cp++) + ; + if (!*cp || *cp == '\n' || *cp == '#') + continue; + + /* + * Check if there are options for this key, and if so, + * save their starting address and skip the option part + * for now. If there are no options, set the starting + * address to NULL. + */ + if (*cp < '0' || *cp > '9') { + int quoted = 0; + options = cp; + for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { + if (*cp == '\\' && cp[1] == '"') + cp++; /* Skip both */ + else if (*cp == '"') + quoted = !quoted; + } + } else + options = NULL; + + /* Parse the key from the line. */ + if (hostfile_read_key(&cp, &bits, key) == 0) { + debug("[LDAP] line %d: non ssh1 key syntax", i); + continue; + } + /* cp now points to the comment part. */ + + /* Check if the we have found the desired key (identified by its modulus). */ + if (BN_cmp(key->rsa->n, client_n) != 0) + continue; + + /* check the real bits */ + if (bits != BN_num_bits(key->rsa->n)) + logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: " + "actual %d vs. announced %d.", (unsigned long)i, BN_num_bits(key->rsa->n), bits); + + /* We have found the desired key. */ + /* + * If our options do not allow this key to be used, + * do not send challenge. + */ + if (!auth_parse_options(pw, options, "[LDAP]", (unsigned long) i)) + continue; + + /* break out, this key is allowed */ + allowed = 1; + + /* add the return stuff etc... */ + /* Restore the privileged uid. */ + restore_uid(); + + /* return key if allowed */ + if (allowed && rkey != NULL) + *rkey = key; + else + key_free(key); + + ldap_keys_free(k); + return (allowed); + } + } else { + logit("[LDAP] no keys found for '%s'!", pw->pw_name); + } + } else { + logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup); + } + } +#endif /* The authorized keys. */ file = authorized_keys_file(pw); debug("trying public RSA key file %s", file); diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/auth2-pubkey.c openssh-4.0p1-lpk/auth2-pubkey.c --- openssh-4.0p1/auth2-pubkey.c 2004-12-11 03:39:50.000000000 +0100 +++ openssh-4.0p1-lpk/auth2-pubkey.c 2005-05-25 01:57:00.000000000 +0200 @@ -43,6 +43,10 @@ #include "monitor_wrap.h" #include "misc.h" +#ifdef WITH_LDAP_PUBKEY +#include "ldapauth.h" +#endif + /* import */ extern ServerOptions options; extern u_char *session_id2; @@ -176,10 +180,79 @@ struct stat st; Key *found; char *fp; +#ifdef WITH_LDAP_PUBKEY + ldap_key_t * k; + int i = 0; +#endif /* Temporarily use the user's uid. */ temporarily_use_uid(pw); +#ifdef WITH_LDAP_PUBKEY + found_key = 0; + /* allocate a new key type */ + found = key_new(key->type); + + /* first check if the options is enabled, then try.. */ + if (options.lpk.on) { + debug("[LDAP] trying LDAP first uid=%s",pw->pw_name); + if (ldap_ismember(&options.lpk, pw->pw_name) > 0) { + if ((k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) { + /* Skip leading whitespace, empty and comment lines. */ + for (i = 0 ; i < k->num ; i++) { + /* dont forget if multiple keys to reset options */ + char *cp, *options = NULL; + + for (cp = (char *)k->keys[i]; *cp == ' ' || *cp == '\t'; cp++) + ; + if (!*cp || *cp == '\n' || *cp == '#') + continue; + + if (key_read(found, &cp) != 1) { + /* no key? check if there are options for this key */ + int quoted = 0; + debug2("[LDAP] user_key_allowed: check options: '%s'", cp); + options = cp; + for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { + if (*cp == '\\' && cp[1] == '"') + cp++; /* Skip both */ + else if (*cp == '"') + quoted = !quoted; + } + /* Skip remaining whitespace. */ + for (; *cp == ' ' || *cp == '\t'; cp++) + ; + if (key_read(found, &cp) != 1) { + debug2("[LDAP] user_key_allowed: advance: '%s'", cp); + /* still no key? advance to next line*/ + continue; + } + } + + if (key_equal(found, key) && + auth_parse_options(pw, options, file, linenum) == 1) { + found_key = 1; + debug("[LDAP] matching key found"); + fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); + verbose("[LDAP] Found matching %s key: %s", key_type(found), fp); + + /* restoring memory */ + ldap_keys_free(k); + xfree(fp); + restore_uid(); + key_free(found); + return found_key; + break; + } + }/* end of LDAP for() */ + } else { + logit("[LDAP] no keys found for '%s'!", pw->pw_name); + } + } else { + logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup); + } + } +#endif debug("trying public key file %s", file); /* Fail quietly if file does not exist */ diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/ldapauth.c openssh-4.0p1-lpk/ldapauth.c --- openssh-4.0p1/ldapauth.c 1970-01-01 01:00:00.000000000 +0100 +++ openssh-4.0p1-lpk/ldapauth.c 2005-05-25 02:14:10.000000000 +0200 @@ -0,0 +1,317 @@ +/* + * + * Copyright (c) 2005, Eric AUGE + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. + * Neither the name of the phear.org nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, + * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * + */ + +#include +#include +#include +#include + + +#include "ldapauth.h" + +static char *attrs[] = { + PUBKEYATTR, + NULL +}; + +/* just filter building stuff */ +#define REQUEST_GROUP_SIZE(grp, uid) (size_t) (strlen(grp)+strlen(uid)+46) +#define REQUEST_GROUP(buffer,pwname,grp) \ + buffer = (char *) calloc(REQUEST_GROUP_SIZE(grp, pwname), sizeof(char)); \ + if (!buffer) { \ + perror("calloc()"); \ + return FAILURE; \ + } \ + snprintf(buffer,REQUEST_GROUP_SIZE(grp,pwname),"(&(objectclass=posixGroup)(cn=%s)(memberUid=%s))",grp,pwname) + +#define REQUEST_USER_SIZE(uid) (size_t) (strlen(uid)+64) +#define REQUEST_USER(buffer, pwname) \ + buffer = (char *) calloc(REQUEST_USER_SIZE(pwname), sizeof(char)); \ + if (!buffer) { \ + perror("calloc()"); \ + return NULL; \ + } \ + snprintf(buffer,REQUEST_USER_SIZE(pwname),"(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s))",pwname) + +/* some portable and working tokenizer, lame though */ +static int tokenize(char ** o, size_t size, char * input) { + unsigned int i = 0, num; + char * charset = " \t"; + char * ptr = input; + + /* leading white spaces are ignored */ + num = strspn(ptr, charset); + ptr += num; + + while ((num = strcspn(ptr, charset))) { + if (i < size-1) { + o[i++] = ptr; + ptr += num; + if (*ptr) + *ptr++ = '\0'; + } + } + o[i] = NULL; + return SUCCESS; +} + +/* init && bind */ +int ldap_connect(ldap_opt_t * ldap) { + int version = LDAP_VERSION3; + + if (!ldap->servers) + return FAILURE; + + ldap->ld = ldap_init(ldap->servers, LDAP_PORT); + if (!ldap->ld) { + ldap_perror(ldap->ld, "ldap_init()"); + return FAILURE; + } + + if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_OPT_SUCCESS) { + ldap_perror(ldap->ld, "ldap_set_option()"); + return FAILURE; + } + + /* TLS support */ + if ( (ldap->tls == -1) || (ldap->tls == 1) ) { + if (ldap_start_tls_s(ldap->ld, NULL, NULL ) != LDAP_SUCCESS) { + /* failed then reinit the initial connect */ + ldap_perror(ldap->ld, "ldap_connect: (TLS) ldap_start_tls()"); + if (ldap->tls == 1) + return FAILURE; + + ldap->ld = ldap_init(ldap->servers, LDAP_PORT); + if (!ldap->ld) { + ldap_perror(ldap->ld, "ldap_init()"); + return FAILURE; + } + + if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_OPT_SUCCESS) { + ldap_perror(ldap->ld, "ldap_set_option()"); + return FAILURE; + } + } + } + + + if ( ldap_simple_bind_s(ldap->ld, ldap->binddn, ldap->bindpw) != LDAP_SUCCESS) { + ldap_perror(ldap->ld, "ldap_simple_bind_s()"); + return FAILURE; + } + + return SUCCESS; +} + +/* must free allocated ressource */ +static char * ldap_build_host(char *host, int port) { + unsigned int size = strlen(host)+11; + char * h = (char *) calloc (size, sizeof(char)); + int rc; + if (!h) + return NULL; + + rc = snprintf(h, size, "%s:%d ", host, port); + if (rc == -1) + return NULL; + return h; +} + +/* a bit dirty but leak free */ +char * ldap_parse_servers(char * servers) { + char * s = NULL; + char * tmp = NULL, *urls[32]; + unsigned int num = 0 , i = 0 , asize = 0; + LDAPURLDesc *urld[32]; + + if (!servers) + return NULL; + + /* local copy of the arg */ + s = strdup(servers); + if (!s) + return NULL; + + /* first separate into URL tokens */ + if ( tokenize(urls, sizeof(urls)/sizeof(*urls), s) < 0) + return NULL; + + i = 0; + while (urls[i]) { + if ( ldap_is_ldap_url(urls[i]) ) { + if (ldap_url_parse(urls[i], &urld[i]) != 0) + return NULL; + } + i++; + } + + /* now free(s) */ + free (s); + + /* how much memory do we need */ + num = i; + for (i = 0 ; i < num ; i++) + asize += strlen(urld[i]->lud_host)+11; + + /* alloc */ + s = (char *) calloc( asize+1 , sizeof(char)); + if (!s) { + for (i = 0 ; i < num ; i++) + ldap_free_urldesc(urld[i]); + return NULL; + } + + /* then build the final host string */ + for (i = 0 ; i < num ; i++) { + /* built host part */ + tmp = ldap_build_host(urld[i]->lud_host, urld[i]->lud_port); + strncat(s, tmp, strlen(tmp)); + ldap_free_urldesc(urld[i]); + free(tmp); + } + + return s; +} + +void ldap_options_print(ldap_opt_t * ldap) { + printf("ldap options:\n"); + printf("servers: %s\n", ldap->servers); + if (ldap->u_basedn) + printf("user basedn: %s\n", ldap->u_basedn); + if (ldap->g_basedn) + printf("group basedn: %s\n", ldap->g_basedn); + if (ldap->binddn) + printf("binddn: %s\n", ldap->binddn); + if (ldap->bindpw) + printf("bindpw: %s\n", ldap->bindpw); + if (ldap->sgroup) + printf("group: %s\n", ldap->sgroup); +} + +void ldap_options_free(ldap_opt_t * l) { + if (!l) + return; + if (l->servers) + free(l->servers); + if (l->u_basedn) + free(l->u_basedn); + if (l->g_basedn) + free(l->g_basedn); + if (l->binddn) + free(l->binddn); + if (l->bindpw) + free(l->bindpw); + if (l->sgroup) + free(l->sgroup); + free(l); +} + +/* free keys */ +void ldap_keys_free(ldap_key_t * k) { + ldap_value_free(k->keys); + free(k); + return; +} + +ldap_key_t * ldap_getuserkey(ldap_opt_t *l, char * user) { + ldap_key_t * k = (ldap_key_t *) calloc (1, sizeof(ldap_key_t)); + LDAPMessage *res, *e; + char * filter; + int i; + + if (!k) + return NULL; + + /* build filter for LDAP request */ + REQUEST_USER(filter, user); + + if ( ldap_search_s( l->ld, + l->u_basedn, + LDAP_SCOPE_SUBTREE, + filter, + attrs, 0, &res ) != LDAP_SUCCESS) { + ldap_perror(l->ld, "ldap_search_s()"); + + free(filter); + free(k); + + return NULL; + } + + /* free */ + free(filter); + + /* check if any results */ + i = ldap_count_entries(l->ld,res); + if (i <= 0) { + ldap_msgfree(res); + free(k); + return NULL; + } + + if (i > 1) + printf("[LDAP] duplicate entries, using the FIRST entry returned\n"); + + e = ldap_first_entry(l->ld, res); + k->keys = ldap_get_values(l->ld, e, PUBKEYATTR); + k->num = ldap_count_values(k->keys); + + ldap_msgfree(res); + return k; +} + + +/* -1 if trouble + 0 if user is NOT member of current server group + 1 if user IS MEMBER of current server group + */ +int ldap_ismember(ldap_opt_t * l, char * user) { + LDAPMessage *res; + char * filter; + + if ((!l->sgroup) || !(l->g_basedn)) + return 1; + + /* build filter for LDAP request */ + REQUEST_GROUP(filter, user, l->sgroup); + + if (ldap_search_s ( l->ld, + l->g_basedn, + LDAP_SCOPE_SUBTREE, + filter, + NULL, 0, &res) != LDAP_SUCCESS) { + ldap_perror(l->ld, "ldap_search_s()"); + + free(filter); + return FAILURE; + } + + free(filter); + + /* check if any results */ + if (ldap_count_entries(l->ld, res) > 0) { + ldap_msgfree(res); + return 1; + } + + ldap_msgfree(res); + return 0; +} diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/ldapauth.h openssh-4.0p1-lpk/ldapauth.h --- openssh-4.0p1/ldapauth.h 1970-01-01 01:00:00.000000000 +0100 +++ openssh-4.0p1-lpk/ldapauth.h 2005-05-25 02:14:16.000000000 +0200 @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2005, Eric AUGE + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. + * Neither the name of the phear.org nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, + * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * + */ + +#ifndef LDAPAUTH_H +#define LDAPAUTH_H + +#include +#include +#include + +/* tokens in use for config */ +#define _DEFAULT_LPK_TOKEN "UseLPK" +#define _DEFAULT_SRV_TOKEN "LpkServers" +#define _DEFAULT_USR_TOKEN "LpkUserDN" +#define _DEFAULT_GRP_TOKEN "LpkGroupDN" +#define _DEFAULT_BDN_TOKEN "LpkBindDN" +#define _DEFAULT_BPW_TOKEN "LpkBindPw" +#define _DEFAULT_MYG_TOKEN "LpkServerGroup" +#define _DEFAULT_TLS_TOKEN "LpkForceTLS" + +/* default options */ +#define _DEFAULT_LPK_ON 0 +#define _DEFAULT_LPK_SERVERS NULL +#define _DEFAULT_LPK_UDN NULL +#define _DEFAULT_LPK_GDN NULL +#define _DEFAULT_LPK_BINDDN NULL +#define _DEFAULT_LPK_BINDPW NULL +#define _DEFAULT_LPK_SGROUP NULL +#define _DEFAULT_LPK_TLS -1 + +/* defines */ +#define FAILURE -1 +#define SUCCESS 0 +#define PUBKEYATTR "sshPublicKey" + +/* structures */ +typedef struct ldap_options { + int on; /* Use it or NOT */ + LDAP * ld; /* LDAP file desc */ + char * servers; /* parsed servers for ldaplib failover handling */ + char * u_basedn; /* user basedn */ + char * g_basedn; /* group basedn */ + char * binddn; /* binddn */ + char * bindpw; /* bind password */ + char * sgroup; /* server group */ + int tls; /* TLS only */ +} ldap_opt_t; + +typedef struct ldap_keys { + char ** keys; /* the public keys retrieved */ + unsigned int num; /* number of keys */ +} ldap_key_t; + + +/* function headers */ +int ldap_connect(ldap_opt_t *); +char * ldap_parse_servers(char *); +void ldap_options_print(ldap_opt_t *); +void ldap_options_free(ldap_opt_t *); +void ldap_keys_free(ldap_key_t *); +ldap_key_t * ldap_getuserkey(ldap_opt_t *, char *); +int ldap_ismember(ldap_opt_t *, char *); + +#endif diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/lpk-user-example.txt openssh-4.0p1-lpk/lpk-user-example.txt --- openssh-4.0p1/lpk-user-example.txt 1970-01-01 01:00:00.000000000 +0100 +++ openssh-4.0p1-lpk/lpk-user-example.txt 2005-05-25 01:57:00.000000000 +0200 @@ -0,0 +1,117 @@ + +Post to ML -> User Made Quick Install Doc. +Contribution from John Lane + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +OpenSSH LDAP keystore Patch +=========================== + +NOTE: these notes are a transcript of a specific installation + they work for me, your specifics may be different! + from John Lane March 17th 2005 john@lane.uk.net + +This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys +from their LDAP record as an alternative to ~/.ssh/authorized_keys. + +(Assuming here that necessary build stuff is in $BUILD) + +cd $BUILD/openssh-4.0p1 +patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch +mkdir -p /var/empty && +./configure --prefix=/usr --sysconfdir=/etc/ssh \ + --libexecdir=/usr/sbin --with-md5-passwords --with-pam \ + --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY" +Now do. +make && +make install + +Add the following config to /etc/ssh/ssh_config +UseLPK yes +LpkServers ldap://myhost.mydomain.com +LpkUserDN ou=People,dc=mydomain,dc=com + +We need to tell sshd about the SSL keys during boot, as root's +environment does not exist at that time. Edit /etc/rc.d/init.d/sshd. +Change the startup code from this: + echo "Starting SSH Server..." + loadproc /usr/sbin/sshd + ;; +to this: + echo "Starting SSH Server..." + LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd + ;; + +Re-start the sshd daemon: +/etc/rc.d/init.d/sshd restart + +Install the additional LDAP schema +cp $BUILD/openssh-lpk-0.2.schema /etc/openldap/schema/openssh.schema + +Now add the openSSH LDAP schema to /etc/openldap/slapd.conf: +Add the following to the end of the existing block of schema includes +include /etc/openldap/schema/openssh.schema + +Re-start the LDAP server: +/etc/rc.d/init.d/slapd restart + +To add one or more public keys to a user, eg "testuser" : +ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D +"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser + +append the following to this /tmp/testuser file +objectclass: ldapPublicKey +sshPublicKey: ssh-rsa +AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS +qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI +7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key + +Then do a modify: +ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f +/tmp/testuser -Z +Enter LDAP Password: +modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com" +And check the modify is ok: +ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D +"uid=testuser,ou=People,dc=mydomain,dc=com" +Enter LDAP Password: +# extended LDIF +# +# LDAPv3 +# base with scope sub +# filter: (objectclass=*) +# requesting: ALL +# + +# testuser, People, mydomain.com +dn: uid=testuser,ou=People,dc=mydomain,dc=com +uid: testuser +cn: testuser +objectClass: account +objectClass: posixAccount +objectClass: top +objectClass: shadowAccount +objectClass: ldapPublicKey +shadowLastChange: 12757 +shadowMax: 99999 +shadowWarning: 7 +loginShell: /bin/bash +uidNumber: 9999 +gidNumber: 501 +homeDirectory: /home/testuser +userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU= +sshPublicKey: ssh-rsa +AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z +8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key + +# search result +search: 3 +result: 0 Success + +# numResponses: 2 +# numEntries: 1 + +Now start a ssh session to user "testuser" from usual ssh client (e.g. +puTTY). Login should succeed. + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/openssh-lpk.schema openssh-4.0p1-lpk/openssh-lpk.schema --- openssh-4.0p1/openssh-lpk.schema 1970-01-01 01:00:00.000000000 +0100 +++ openssh-4.0p1-lpk/openssh-lpk.schema 2005-05-25 01:57:00.000000000 +0200 @@ -0,0 +1,18 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey +# Author: Eric AUGE +# +# Based on the proposal of : Mark Ruijter +# + + +# octetString SYNTAX +attributetype ( 1.3.6.1.4.1.22054.1.1.1.13 NAME 'sshPublicKey' + DESC 'MANDATORY: OpenSSH Public key' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) + +# printableString SYNTAX yes|no +objectclass ( 1.3.6.1.4.1.22054.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/servconf.c openssh-4.0p1-lpk/servconf.c --- openssh-4.0p1/servconf.c 2005-03-01 11:24:33.000000000 +0100 +++ openssh-4.0p1-lpk/servconf.c 2005-05-25 01:57:00.000000000 +0200 @@ -23,6 +23,10 @@ #include "kex.h" #include "mac.h" +#ifdef WITH_LDAP_PUBKEY +#include "ldapauth.h" +#endif + static void add_listen_addr(ServerOptions *, char *, u_short); static void add_one_listen_addr(ServerOptions *, char *, u_short); @@ -101,7 +105,18 @@ options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; options->num_accept_env = 0; - +#ifdef WITH_LDAP_PUBKEY + /* XXX dirty */ + options->lpk.ld = NULL; + options->lpk.on = -1; + options->lpk.servers = NULL; + options->lpk.u_basedn = NULL; + options->lpk.g_basedn = NULL; + options->lpk.binddn = NULL; + options->lpk.bindpw = NULL; + options->lpk.sgroup = NULL; + options->lpk.tls = -1; +#endif /* Needs to be accessable in many places */ use_privsep = -1; } @@ -229,7 +244,24 @@ } if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; - +#ifdef WITH_LDAP_PUBKEY + if (options->lpk.on == -1) + options->lpk.on = _DEFAULT_LPK_ON; + if (options->lpk.servers == NULL) + options->lpk.servers = _DEFAULT_LPK_SERVERS; + if (options->lpk.u_basedn == NULL) + options->lpk.u_basedn = _DEFAULT_LPK_UDN; + if (options->lpk.g_basedn == NULL) + options->lpk.g_basedn = _DEFAULT_LPK_GDN; + if (options->lpk.binddn == NULL) + options->lpk.binddn = _DEFAULT_LPK_BINDDN; + if (options->lpk.bindpw == NULL) + options->lpk.bindpw = _DEFAULT_LPK_BINDPW; + if (options->lpk.sgroup == NULL) + options->lpk.sgroup = _DEFAULT_LPK_SGROUP; + if (options->lpk.tls == -1) + options->lpk.tls = _DEFAULT_LPK_TLS; +#endif /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = 1; @@ -273,6 +305,9 @@ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sUsePrivilegeSeparation, sDeprecated, sUnsupported +#ifdef WITH_LDAP_PUBKEY + ,sLdapPublickey, sLdapServers, sLdapUserDN, sLdapGroupDN, sBindDN, sBindPw, sMyGroup, sForceTLS +#endif } ServerOpCodes; /* Textual representation of the tokens. */ @@ -371,6 +406,16 @@ { "clientalivecountmax", sClientAliveCountMax }, { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, +#ifdef WITH_LDAP_PUBKEY + { _DEFAULT_LPK_TOKEN, sLdapPublickey }, + { _DEFAULT_SRV_TOKEN, sLdapServers }, + { _DEFAULT_USR_TOKEN, sLdapUserDN }, + { _DEFAULT_GRP_TOKEN, sLdapGroupDN }, + { _DEFAULT_BDN_TOKEN, sBindDN }, + { _DEFAULT_BPW_TOKEN, sBindPw }, + { _DEFAULT_MYG_TOKEN, sMyGroup }, + { _DEFAULT_TLS_TOKEN, sForceTLS }, +#endif { "useprivilegeseparation", sUsePrivilegeSeparation}, { "acceptenv", sAcceptEnv }, { NULL, sBadOption } @@ -949,6 +994,80 @@ while (arg) arg = strdelim(&cp); break; +#ifdef WITH_LDAP_PUBKEY + case sLdapPublickey: + intptr = &options->lpk.on; + goto parse_flag; + case sLdapServers: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing ldap server",filename,linenum); + arg[strlen(arg)] = '\0'; + if ((options->lpk.servers = ldap_parse_servers(arg)) == NULL) + fatal("%s line %d: error in ldap servers", filename, linenum); + memset(arg,0,strlen(arg)); + break; + case sLdapUserDN: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing ldap server",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk.u_basedn = xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sLdapGroupDN: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing ldap server",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk.g_basedn = xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sBindDN: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing binddn",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk.binddn = xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sBindPw: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing bindpw",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk.bindpw = xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sMyGroup: + p = line; + while (*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing groupname",filename, linenum); + arg[strlen(arg)] = '\0'; + options->lpk.sgroup = xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sForceTLS: + intptr = &options->lpk.tls; + goto parse_flag; +#endif default: fatal("%s line %d: Missing handler for opcode %s (%d)", diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/servconf.h openssh-4.0p1-lpk/servconf.h --- openssh-4.0p1/servconf.h 2005-01-20 00:57:56.000000000 +0100 +++ openssh-4.0p1-lpk/servconf.h 2005-05-25 01:57:00.000000000 +0200 @@ -18,6 +18,10 @@ #include "buffer.h" +#ifdef WITH_LDAP_PUBKEY +#include "ldapauth.h" +#endif + #define MAX_PORTS 256 /* Max # ports. */ #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */ @@ -134,6 +138,9 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; int use_pam; /* Enable auth via PAM */ +#ifdef WITH_LDAP_PUBKEY + ldap_opt_t lpk; +#endif } ServerOptions; void initialize_server_options(ServerOptions *); diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/sshd.c openssh-4.0p1-lpk/sshd.c --- openssh-4.0p1/sshd.c 2005-03-06 12:38:52.000000000 +0100 +++ openssh-4.0p1-lpk/sshd.c 2005-05-25 02:45:50.000000000 +0200 @@ -93,6 +93,10 @@ int deny_severity = LOG_WARNING; #endif /* LIBWRAP */ +#ifdef WITH_LDAP_PUBKEY +#include "ldapauth.h" +#endif + #ifndef O_NOCTTY #define O_NOCTTY 0 #endif @@ -1076,6 +1080,13 @@ exit(1); } +#ifdef WITH_LDAP_PUBKEY + /* ldap_options_print(&options.lpk); */ + /* XXX initialize/check ldap connection and set *LD */ + if (options.lpk.on && ldap_connect(&options.lpk) < 0) { + error("[LDAP] Could not initialize ldap connections"); + } +#endif debug("sshd version %.100s", SSH_RELEASE); /* load private host keys */ diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/sshd_config openssh-4.0p1-lpk/sshd_config --- openssh-4.0p1/sshd_config 2005-01-20 00:57:56.000000000 +0100 +++ openssh-4.0p1-lpk/sshd_config 2005-05-25 02:02:59.000000000 +0200 @@ -99,6 +99,17 @@ # no default banner path #Banner /some/path + +# here is the new patched ldap related tokens +# entries in your LDAP must have posixAccount & ldapPublicKey objectclass +#UseLPK no +#LpkServers ldap://127.0.0.4 ldap://127.0.0.3 ldap://127.0.0.1/ +#LpkUserDN ou=users,dc=phear,dc=org +#LpkGroupDN ou=groups,dc=phear,dc=org +#LpkBindDN cn=Manager,dc=phear,dc=org +#LpkBindPw secret +#LpkServerGroup mail +#LpkForceTLS no # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/sshd_config.5 openssh-4.0p1-lpk/sshd_config.5 --- openssh-4.0p1/sshd_config.5 2005-03-01 11:24:34.000000000 +0100 +++ openssh-4.0p1-lpk/sshd_config.5 2005-05-25 01:57:00.000000000 +0200 @@ -760,6 +760,32 @@ program. The default is .Pa /usr/X11R6/bin/xauth . +.It Cm UseLPK +Enable LDAP public key resolution. The argument must be +.Dq yes +or +.Dq no . +.It Cm LpkServers +Specifies LDAP one or more [:space:] separated server's url the following form may be used: +.Pp +.Bl -item -offset indent -compact +.It +.Cm LpkServers +.Sm off +.Ar LpkServers ldaps://127.0.0.1 ldap://127.0.0.2 ldap://127.0.0.3 +.Sm on +.It Cm LpkUserDN/LpkGroupDN +.Sm off +.Ar LpkUserDN ou=groups,dc=phear,dc=org +.Sm on +.El +.Pp +.It Cm LpkBindDN +Specifies a LDAP bind DN to use when doing ldap lookups. +.It Cm LpkBindPw +Specifies a LDAP bind Password associated to the previous token. +.It Cm LpkServerGroup +Specifies the group is the host is part of. .El .Ss Time Formats .Nm sshd