[openssh-lpk] r25 committed - Contribution from ph.mgraziano...
6 views
Skip to first unread message
codesite...@google.com
Mar 12, 2010, 3:33:59âŻAM3/12/10
to opens...@googlegroups.com
Revision: 25
Author: eric.auge
Date: Fri Mar 12 00:33:18 2010
Log: Contribution from ph.mgraziano
OpenSSH 5.4p1 patch update (non official)
http://code.google.com/p/openssh-lpk/source/detail?r=25
Added:
/trunk/patch/contrib/openssh-lpk-0.3.10_5.4p1-64bit.patch
/trunk/patch/contrib/openssh-lpk-0.3.10_5.4p1.patch
=======================================
--- /dev/null
+++ /trunk/patch/contrib/openssh-lpk-0.3.10_5.4p1-64bit.patch Fri Mar 12
00:33:18 2010
@@ -0,0 +1,43 @@
+--- servconf.c.orig 2010-03-10 17:21:35.000000000 -0500
++++ servconf.c 2010-03-10 17:23:10.000000000 -0500
+@@ -733,6 +733,7 @@
+ int cmdline = 0, *intptr, value, n;
+ SyslogFacility *log_facility_ptr;
+ LogLevel *log_level_ptr;
++ unsigned long lvalue, *longptr;
+ ServerOpCodes opcode;
+ int port;
+ u_int i, flags = 0;
+@@ -747,6 +748,7 @@
+ if (!arg || !*arg || *arg == '#')
+ return 0;
+ intptr = NULL;
++ longptr = NULL;
+ charptr = NULL;
+ opcode = parse_token(arg, filename, linenum, &flags);
+
+@@ -1503,11 +1505,20 @@
+ *intptr = value;
+ break;
+ case sBindTimeout:
+- intptr = (int *) &options->lpk.b_timeout.tv_sec;
+- goto parse_int;
++ longptr = (unsigned long *) &options->lpk.b_timeout.tv_sec;
++parse_ulong:
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0')
++ fatal("%s line %d: missing integer value.",
++ filename, linenum);
++ lvalue = atol(arg);
++ if (*activep && *longptr == -1)
++ *longptr = lvalue;
++ break;
++
+ case sSearchTimeout:
+- intptr = (int *) &options->lpk.s_timeout.tv_sec;
+- goto parse_int;
++ longptr = (unsigned long *) &options->lpk.s_timeout.tv_sec;
++ goto parse_ulong;
+ break;
+ case sLdapConf:
+ arg = cp;
=======================================
--- /dev/null
+++ /trunk/patch/contrib/openssh-lpk-0.3.10_5.4p1.patch Fri Mar 12 00:33:18
2010
@@ -0,0 +1,1893 @@
+This is a forward-port of the OpenSSH LPK support patch.
+
+It adds support for storing OpenSSH public keys in LDAP. It also supports
+grouping of machines in the LDAP data to limit users to specific machines.
+
+The latest homepage for the LPK project is:
+http://code.google.com/p/openssh-lpk/
+
+The 0.3.10 version of the patch includes a fix for 64-bit platforms, as
+discovered by Gentoo, where the bind timeout and search timeout values
were not
+being parsed correctly: http://bugs.gentoo.org/210110
+
+Forward-ported-from: openssh-lpk-5.1p1-0.3.10.patch
+
+diff -Nur gMakefile.in gMakefile.in
+--- gMakefile.in 2010-02-24 02:18:51.000000000 -0500
++++ gMakefile.in 2010-03-10 17:11:13.000000000 -0500
+@@ -91,7 +91,7 @@
+ auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+ audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
+- roaming_common.o roaming_serv.o
++ roaming_common.o roaming_serv.o ldapauth.o
+
+ MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out
ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out
sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out
sshd_config.5.out ssh_config.5.out
+ MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1
ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8
ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+diff -Nur gREADME.lpk gREADME.lpk
+--- gREADME.lpk 1969-12-31 19:00:00.000000000 -0500
++++ gREADME.lpk 2010-03-10 17:09:37.000000000 -0500
+@@ -0,0 +1,267 @@
++OpenSSH LDAP PUBLIC KEY PATCH
++Copyright (c) 2003 Eric AUGE (e...@phear.org)
++All rights reserved.
++
++Redistribution and use in source and binary forms, with or without
++modification, are permitted provided that the following conditions
++are met:
++1. Redistributions of source code must retain the above copyright
++ notice, this list of conditions and the following disclaimer.
++2. Redistributions in binary form must reproduce the above copyright
++ notice, this list of conditions and the following disclaimer in the
++ documentation and/or other materials provided with the distribution.
++3. The name of the author may not be used to endorse or promote products
++ derived from this software without specific prior written permission.
++
++THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++purposes of this patch:
++
++This patch would help to have authentication centralization policy
++using ssh public key authentication.
++This patch could be an alternative to other "secure" authentication system
++working in a similar way (Kerberos, SecurID, etc...), except the fact
++that it's based on OpenSSH and its public key abilities.
++
++>> FYI: <<
++'uid': means unix accounts existing on the current server
++'lpkServerGroup:' mean server group configured on the current server
('lpkServerGroup' in sshd_config)
++
++example schema:
++
++
++ server1 (uid: eau,rival,toto)
(lpkServerGroup: unix)
++ ___________ /
++ / \ --- - server3 (uid: eau, titi)
(lpkServerGroup: unix)
++ | LDAP Server | \
++ | eau ,rival | server2 (uid: rival, eau) (lpkServerGroup:
unix)
++ | titi ,toto |
++ | userx,.... | server5 (uid: eau) (lpkServerGroup: mail)
++ \___________/ \ /
++ ----- - server4 (uid: eau, rival) (no group
configured)
++ \
++ etc...
++
++- WHAT WE NEED :
++
++ * configured LDAP server somewhere on the network (i.e. OpenLDAP)
++ * patched sshd (with this patch ;)
++ * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
++ User entry:
++ - attached to the 'ldapPublicKey' objectclass
++ - attached to the 'posixAccount' objectclass
++ - with a filled 'sshPublicKey' attribute
++ Example:
++ dn: uid=eau,ou=users,dc=cuckoos,dc=net
++ objectclass: top
++ objectclass: person
++ objectclass: organizationalPerson
++ objectclass: posixAccount
++ objectclass: ldapPublicKey
++ description: Eric AUGE Account
++ userPassword: blah
++ cn: Eric AUGE
++ sn: Eric AUGE
++ uid: eau
++ uidNumber: 1034
++ gidNumber: 1
++ homeDirectory: /export/home/eau
++ sshPublicKey: ssh-dss AAAAB3...
++ sshPublicKey: ssh-dss AAAAM5...
++
++ Group entry:
++ - attached to the 'posixGroup' objectclass
++ - with a 'cn' groupname attribute
++ - with multiple 'memberUid' attributes filled with usernames allowed in
this group
++ Example:
++ # few members
++ dn: cn=unix,ou=groups,dc=cuckoos,dc=net
++ objectclass: top
++ objectclass: posixGroup
++ description: Unix based servers group
++ cn: unix
++ gidNumber: 1002
++ memberUid: eau
++ memberUid: user1
++ memberUid: user2
++
++
++- HOW IT WORKS :
++
++ * without patch
++ If a user wants to authenticate to log in a server the sshd, will first
look for authentication method allowed (RSAauth,kerberos,etc..)
++ and if RSAauth and tickets based auth fails, it will fallback to
standard password authentication (if enabled).
++
++ * with the patch
++ If a user want to authenticate to log in a server, the sshd will first
look for auth method including LDAP pubkey, if the ldappubkey options is
enabled.
++ It will do an ldapsearch to get the public key directly from the LDAP
instead of reading it from the server filesystem.
++ (usually in $HOME/.ssh/authorized_keys)
++
++ If groups are enabled, it will also check if the user that wants to
login is in the group of the server he is trying to log into.
++ If it fails, it falls back on RSA auth files
($HOME/.ssh/authorized_keys), etc.. and finally to standard password
authentication (if enabled).
++
++ 7 tokens are added to sshd_config :
++ # here is the new patched ldap related tokens
++ # entries in your LDAP must be posixAccount & strongAuthenticationUser
& posixGroup
++ UseLPK yes # look the pub key into LDAP
++ LpkServers ldap://10.31.32.5/ ldap://10.31.32.4 ldap://10.31.32.3 #
which LDAP server for users ? (URL format)
++ LpkUserDN ou=users,dc=foobar,dc=net # which base DN for users ?
++ LpkGroupDN ou=groups,dc=foobar,dc=net # which base DN for groups ?
++ LpkBindDN cn=manager,dc=foobar,dc=net # which bind DN ?
++ LpkBindPw asecret # bind DN credidentials
++ LpkServerGroup agroupname # the group the server is part of
++
++ Right now i'm using anonymous binding to get public keys, because
getting public keys of someone doesn't impersonate him¸ but there is some
++ flaws you have to take care of.
++
++- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
++
++ * my way (there is plenty :)
++ - create ldif file (i.e. users.ldif)
++ - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat
~/.ssh/identity.pub
++ - my way in 4 steps :
++ Example:
++
++ # you add this to the user entry in the LDIF file :
++ [...]
++ objectclass: posixAccount
++ objectclass: ldapPublicKey
++ [...]
++ sshPubliKey: ssh-dss AAAABDh12DDUR2...
++ [...]
++
++ # insert your entry and you're done :)
++ ldapadd -D balblabla -w bleh < file.ldif
++
++ all standard options can be present in the 'sshPublicKey' attribute.
++
++- WHY :
++
++ Simply because, i was looking for a way to centralize all sysadmins
authentication, easily, without completely using LDAP
++ as authentication method (like pam_ldap etc..).
++
++ After looking into Kerberos, SecurID, and other centralized secure
authentications systems, the use of RSA and LDAP to get
++ public key for authentication allows us to control who has access to
which server (the user needs an account and to be
in 'strongAuthenticationUser'
++ objectclass within LDAP and part of the group the SSH server is in).
++
++ Passwords update are no longer a nightmare for a server farm (key pair
passphrase is stored on each user's box and private key is locally
encrypted using his passphrase
++ so each user can change it as much as he wants).
++
++ Blocking a user account can be done directly from the LDAP (if sshd is
using RSAAuth + ldap only).
++
++- RULES :
++ Entry in the LDAP server must respect 'posixAccount'
and 'ldapPublicKey' which are defined in core.schema.
++ and the additionnal lpk.schema.
++
++ This patch could allow a smooth transition between standard auth
(/etc/passwd) and complete LDAP based authentication
++ (pamldap, nss_ldap, etc..).
++
++ This can be an alternative to other (old?/expensive?) authentication
methods (Kerberos/SecurID/..).
++
++ Referring to schema at the beginning of this file if user 'eau' is only
in group 'unix'
++ 'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4'
BUT NOT 'server5'.
++ If you then modify the LDAP 'mail' group entry to add 'memberUid: eau'
THEN user 'eau' would be able
++ to log in 'server5' (i hope you got the idea, my english is bad :).
++
++ Each server's sshd is patched and configured to ask the public key and
the group infos in the LDAP
++ server.
++ When you want to allow a new user to have access to the server parc,
you just add him an account on
++ your servers, you add his public key into his entry on the LDAP server,
it's done.
++
++ Because sshds are looking public keys into the LDAP directly instead of
a file ($HOME/.ssh/authorized_keys).
++
++ When the user needs to change his passphrase he can do it directly from
his workstation by changing
++ his own key set lock passphrase, and all servers are automatically
aware.
++
++ With a CAREFUL LDAP server configuration you could allow a user to
add/delete/modify his own entry himself
++ so he can add/modify/delete himself his public key when needed.
++
++Â FLAWS :
++ LDAP must be well configured, getting the public key of some user is
not a problem, but if anonymous LDAP
++ allow write to users dn, somebody could replace someuser's public key
by its own and impersonate some
++ of your users in all your server farm be VERY CAREFUL.
++
++ MITM attack when sshd is requesting the public key, could lead to a
compromise of your servers allowing login
++ as the impersonnated user.
++
++ If LDAP server is down then, fallback on passwd auth.
++
++ the ldap code part has not been well audited yet.
++
++- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
++ --- CUT HERE ---
++ dn: uid=jdoe,ou=users,dc=foobar,dc=net
++ objectclass: top
++ objectclass: person
++ objectclass: organizationalPerson
++ objectclass: posixAccount
++ objectclass: ldapPublicKey
++ description: My account
++ cn: John Doe
++ sn: John Doe
++ uid: jdoe
++ uidNumber: 100
++ gidNumber: 100
++ homeDirectory: /home/jdoe
++ sshPublicKey: ssh-dss
AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
++ [...]
++ --- CUT HERE ---
++
++- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
++ --- CUT HERE ---
++ dn: cn=unix,ou=groups,dc=cuckoos,dc=net
++ objectclass: top
++ objectclass: posixGroup
++ description: Unix based servers group
++ cn: unix
++ gidNumber: 1002
++ memberUid: jdoe
++ memberUid: user1
++ memberUid: user2
++ [...]
++ --- CUT HERE ---
++
++>> FYI: <<
++Multiple 'sshPublicKey' in a user entry are allowed, as well as
multiple 'memberUid' attributes in a group entry
++
++- COMPILING:
++ 1. Apply the patch
++ 2. ./configure --with-your-options
--with-ldap=/prefix/to/ldap_libs_and_includes
++ 3. make
++ 4. it's done.
++
++- BLA :
++ I hope this could help, and i hope to be clear enough,, or give ideas.
questions/comments/improvements are welcome.
++
++- TODO :
++ Redesign differently.
++
++- DOCS/LINK :
++ http://pacsec.jp/core05/psj05-barisani-en.pdf
++ http://fritz.potsdam.edu/projects/openssh-lpk/
++ http://fritz.potsdam.edu/projects/sshgate/
++ http://dev.inversepath.com/trac/openssh-lpk
++ http://lam.sf.net/ (
http://lam.sourceforge.net/documentation/supportedSchemas.htm )
++
++- CONTRIBUTORS/IDEAS/GREETS :
++ - Falk Siemonsmeier.
++ - Jacob Rief.
++ - Michael Durchgraf.
++ - frederic peters.
++ - Finlay dobbie.
++ - Stefan Fisher.
++ - Robin H. Johnson.
++ - Adrian Bridgett.
++
++- CONTACT :
++ - Eric AUGE <e...@phear.org>
++ - Andrea Barisani <and...@inversepath.com>
+diff -Nur gauth-rsa.c gauth-rsa.c
+--- gauth-rsa.c 2010-03-04 05:53:35.000000000 -0500
++++ gauth-rsa.c 2010-03-10 17:09:37.000000000 -0500
+@@ -177,10 +177,96 @@
+ FILE *f;
+ u_long linenum = 0;
+ Key *key;
++#ifdef WITH_LDAP_PUBKEY
++ ldap_key_t * k;
++ unsigned int i = 0;
++#endif
+
+ /* Temporarily use the user's uid. */
+ temporarily_use_uid(pw);
+
++#ifdef WITH_LDAP_PUBKEY
++ /* here is the job */
++ key = key_new(KEY_RSA1);
++
++ if (options.lpk.on) {
++ debug("[LDAP] trying LDAP first uid=%s", pw->pw_name);
++ if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) {
++ if ( (k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
++ for (i = 0 ; i < k->num ; i++) {
++ char *cp, *options = NULL;
++
++ for (cp = k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++)
++ ;
++ if (!*cp || *cp == '\n' || *cp == '#')
++ continue;
++
++ /*
++ * Check if there are options for this key, and if so,
++ * save their starting address and skip the option part
++ * for now. If there are no options, set the starting
++ * address to NULL.
++ */
++ if (*cp < '0' || *cp > '9') {
++ int quoted = 0;
++ options = cp;
++ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
++ if (*cp == '\\' && cp[1] == '"')
++ cp++; /* Skip both */
++ else if (*cp == '"')
++ quoted = !quoted;
++ }
++ } else
++ options = NULL;
++
++ /* Parse the key from the line. */
++ if (hostfile_read_key(&cp, &bits, key) == 0) {
++ debug("[LDAP] line %d: non ssh1 key syntax", i);
++ continue;
++ }
++ /* cp now points to the comment part. */
++
++ /* Check if the we have found the desired key (identified by its
modulus). */
++ if (BN_cmp(key->rsa->n, client_n) != 0)
++ continue;
++
++ /* check the real bits */
++ if (bits != (unsigned int)BN_num_bits(key->rsa->n))
++ logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: "
++ "actual %d vs. announced %d.", (unsigned long)i,
BN_num_bits(key->rsa->n), bits);
++
++ /* We have found the desired key. */
++ /*
++ * If our options do not allow this key to be used,
++ * do not send challenge.
++ */
++ if (!auth_parse_options(pw, options, "[LDAP]", (unsigned long) i))
++ continue;
++
++ /* break out, this key is allowed */
++ allowed = 1;
++
++ /* add the return stuff etc... */
++ /* Restore the privileged uid. */
++ restore_uid();
++
++ /* return key if allowed */
++ if (allowed && rkey != NULL)
++ *rkey = key;
++ else
++ key_free(key);
++
++ ldap_keys_free(k);
++ return (allowed);
++ }
++ } else {
++ logit("[LDAP] no keys found for '%s'!", pw->pw_name);
++ }
++ } else {
++ logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
++ }
++ }
++#endif
+ /* The authorized keys. */
+ file = authorized_keys_file(pw);
+ debug("trying public RSA key file %s", file);
+diff -Nur gauth2-pubkey.c gauth2-pubkey.c
+--- gauth2-pubkey.c 2010-03-04 05:53:35.000000000 -0500
++++ gauth2-pubkey.c 2010-03-10 17:09:37.000000000 -0500
+@@ -58,6 +58,10 @@
+ #include "misc.h"
+ #include "authfile.h"
+
++#ifdef WITH_LDAP_PUBKEY
++#include "ldapauth.h"
++#endif
++
+ /* import */
+ extern ServerOptions options;
+ extern u_char *session_id2;
+@@ -187,10 +191,79 @@
+ u_long linenum = 0;
+ Key *found;
+ char *fp;
++#ifdef WITH_LDAP_PUBKEY
++ ldap_key_t * k;
++ unsigned int i = 0;
++#endif
+
+ /* Temporarily use the user's uid. */
+ temporarily_use_uid(pw);
+
++#ifdef WITH_LDAP_PUBKEY
++ found_key = 0;
++ /* allocate a new key type */
++ found = key_new(key->type);
++
++ /* first check if the options is enabled, then try.. */
++ if (options.lpk.on) {
++ debug("[LDAP] trying LDAP first uid=%s",pw->pw_name);
++ if (ldap_ismember(&options.lpk, pw->pw_name) > 0) {
++ if ((k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
++ /* Skip leading whitespace, empty and comment lines. */
++ for (i = 0 ; i < k->num ; i++) {
++ /* dont forget if multiple keys to reset options */
++ char *cp, *options = NULL;
++
++ for (cp = (char *)k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++)
++ ;
++ if (!*cp || *cp == '\n' || *cp == '#')
++ continue;
++
++ if (key_read(found, &cp) != 1) {
++ /* no key? check if there are options for this key */
++ int quoted = 0;
++ debug2("[LDAP] user_key_allowed: check options: '%s'", cp);
++ options = cp;
++ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
++ if (*cp == '\\' && cp[1] == '"')
++ cp++; /* Skip both */
++ else if (*cp == '"')
++ quoted = !quoted;
++ }
++ /* Skip remaining whitespace. */
++ for (; *cp == ' ' || *cp == '\t'; cp++)
++ ;
++ if (key_read(found, &cp) != 1) {
++ debug2("[LDAP] user_key_allowed: advance: '%s'", cp);
++ /* still no key? advance to next line*/
++ continue;
++ }
++ }
++
++ if (key_equal(found, key) &&
++ auth_parse_options(pw, options, file, linenum) == 1) {
++ found_key = 1;
++ debug("[LDAP] matching key found");
++ fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
++ verbose("[LDAP] Found matching %s key: %s", key_type(found), fp);
++
++ /* restoring memory */
++ ldap_keys_free(k);
++ xfree(fp);
++ restore_uid();
++ key_free(found);
++ return found_key;
++ break;
++ }
++ }/* end of LDAP for() */
++ } else {
++ logit("[LDAP] no keys found for '%s'!", pw->pw_name);
++ }
++ } else {
++ logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
++ }
++ }
++#endif
+ debug("trying public key file %s", file);
+ f = auth_openkeyfile(file, pw, options.strict_modes);
+
+diff -Nur gconfig.h.in gconfig.h.in
+--- gconfig.h.in 2010-03-07 19:30:57.000000000 -0500
++++ gconfig.h.in 2010-03-10 17:09:37.000000000 -0500
+@@ -575,6 +575,9 @@
+ /* Define to 1 if you have the <linux/if_tun.h> header file. */
+ #undef HAVE_LINUX_IF_TUN_H
+
++/* Define if you want LDAP support */
++#undef WITH_LDAP_PUBKEY
++
+ /* Define if your libraries define login() */
+ #undef HAVE_LOGIN
+
+diff -Nur gconfigure gconfigure
+--- gconfigure 2010-03-07 19:30:59.000000000 -0500
++++ gconfigure 2010-03-10 17:09:37.000000000 -0500
+@@ -1340,6 +1340,7 @@
+ --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in
PATH)
+ --with-libedit[=PATH] Enable libedit support for sftp
+ --with-audit=module Enable EXPERIMENTAL audit support
(modules=debug,bsm)
++ --with-ldap[=PATH] Enable LDAP pubkey support (optionally in PATH)
+ --with-ssl-dir=PATH Specify path to OpenSSL installation
+ --without-openssl-header-check Disable OpenSSL version consistency check
+ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support
+@@ -12845,6 +12846,85 @@
+ fi
+
+
++# Check whether user wants LDAP support
++LDAP_MSG="no"
++
++# Check whether --with-ldap was given.
++if test "${with_ldap+set}" = set; then
++ withval=$with_ldap;
++ if test "x$withval" != "xno" ; then
++
++ if test "x$withval" != "xyes" ; then
++ CPPFLAGS="$CPPFLAGS -I${withval}/include"
++ LDFLAGS="$LDFLAGS -L${withval}/lib"
++ fi
++
++
++cat >>confdefs.h <<\_ACEOF
++#define WITH_LDAP_PUBKEY 1
++_ACEOF
++
++ LIBS="-lldap $LIBS"
++ LDAP_MSG="yes"
++
++ { echo "$as_me:$LINENO: checking for LDAP support" >&5
++echo $ECHO_N "checking for LDAP support... $ECHO_C" >&6; }
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++#include <sys/types.h>
++ #include <ldap.h>
++int
++main ()
++{
++(void)ldap_init(0, 0);
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ { echo "$as_me:$LINENO: result: yes" >&5
++echo "${ECHO_T}yes" >&6; }
++else
++ echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++ { echo "$as_me:$LINENO: result: no" >&5
++echo "${ECHO_T}no" >&6; }
++ { { echo "$as_me:$LINENO: error: ** Incomplete or missing ldap
libraries **" >&5
++echo "$as_me: error: ** Incomplete or missing ldap libraries **" >&2;}
++ { (exit 1); exit 1; }; }
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++ fi
++
++
++fi
++
++
+
+
+
+@@ -30786,6 +30866,7 @@
+ echo " Smartcard support: $SCARD_MSG"
+ echo " S/KEY support: $SKEY_MSG"
+ echo " TCP Wrappers support: $TCPW_MSG"
++echo " LDAP support: $LDAP_MSG"
+ echo " MD5 password support: $MD5_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
+diff -Nur gconfigure.ac gconfigure.ac
+--- gconfigure.ac 2010-03-04 23:04:35.000000000 -0500
++++ gconfigure.ac 2010-03-10 17:09:37.000000000 -0500
+@@ -1323,6 +1323,37 @@
+ esac ]
+ )
+
++# Check whether user wants LDAP support
++LDAP_MSG="no"
++AC_ARG_WITH(ldap,
++ [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in
PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++
++ if test "x$withval" != "xyes" ; then
++ CPPFLAGS="$CPPFLAGS -I${withval}/include"
++ LDFLAGS="$LDFLAGS -L${withval}/lib"
++ fi
++
++ AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
++ LIBS="-lldap $LIBS"
++ LDAP_MSG="yes"
++
++ AC_MSG_CHECKING([for LDAP support])
++ AC_TRY_COMPILE(
++ [#include <sys/types.h>
++ #include <ldap.h>],
++ [(void)ldap_init(0, 0);],
++ [AC_MSG_RESULT(yes)],
++ [
++ AC_MSG_RESULT(no)
++ AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
++ ]
++ )
++ fi
++ ]
++)
++
+ dnl Checks for library functions. Please keep in alphabetical order
+ AC_CHECK_FUNCS( \
+ arc4random \
+@@ -4185,6 +4216,7 @@
+ echo " Smartcard support: $SCARD_MSG"
+ echo " S/KEY support: $SKEY_MSG"
+ echo " TCP Wrappers support: $TCPW_MSG"
++echo " LDAP support: $LDAP_MSG"
+ echo " MD5 password support: $MD5_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
+diff -Nur gldapauth.c gldapauth.c
+--- gldapauth.c 1969-12-31 19:00:00.000000000 -0500
++++ gldapauth.c 2010-03-10 17:09:37.000000000 -0500
+@@ -0,0 +1,575 @@
++/*
++ * $Id: openssh-lpk-4.3p1-0.3.7.patch,v 1.3 2006/04/18 15:29:09 eau Exp $
++ */
++
++/*
++ *
++ * Copyright (c) 2005, Eric AUGE <e...@phear.org>
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
++ *
++ * Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
++ * Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
++ * Neither the name of the phear.org nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
++ * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
++ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY,
++ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ *
++ */
++
++#include "includes.h"
++
++#ifdef WITH_LDAP_PUBKEY
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <string.h>
++
++#include "ldapauth.h"
++#include "log.h"
++
++static char *attrs[] = {
++ PUBKEYATTR,
++ NULL
++};
++
++/* filter building infos */
++#define FILTER_GROUP_PREFIX "(&(objectclass=posixGroup)"
++#define FILTER_OR_PREFIX "(|"
++#define FILTER_OR_SUFFIX ")"
++#define FILTER_CN_PREFIX "(cn="
++#define FILTER_CN_SUFFIX ")"
++#define FILTER_UID_FORMAT "(memberUid=%s)"
++#define FILTER_GROUP_SUFFIX ")"
++#define FILTER_GROUP_SIZE(group) (size_t)
(strlen(group)+(ldap_count_group(group)*5)+52)
++
++/* just filter building stuff */
++#define REQUEST_GROUP_SIZE(filter, uid) (size_t)
(strlen(filter)+strlen(uid)+1)
++#define REQUEST_GROUP(buffer, prefilter, pwname) \
++ buffer = (char *) calloc(REQUEST_GROUP_SIZE(prefilter, pwname),
sizeof(char)); \
++ if (!buffer) { \
++ perror("calloc()"); \
++ return FAILURE; \
++ } \
++ snprintf(buffer, REQUEST_GROUP_SIZE(prefilter,pwname), prefilter,
pwname)
++/*
++XXX OLD group building macros
++#define REQUEST_GROUP_SIZE(grp, uid) (size_t) (strlen(grp)+strlen(uid)+46)
++#define REQUEST_GROUP(buffer,pwname,grp) \
++ buffer = (char *) calloc(REQUEST_GROUP_SIZE(grp, pwname),
sizeof(char)); \
++ if (!buffer) { \
++ perror("calloc()"); \
++ return FAILURE; \
++ } \
++
snprintf(buffer,REQUEST_GROUP_SIZE(grp,pwname),"(&(objectclass=posixGroup)(cn=%s)(memberUid=%s))",grp,pwname)
++ */
++
++/*
++XXX stock upstream version without extra filter support
++#define REQUEST_USER_SIZE(uid) (size_t) (strlen(uid)+64)
++#define REQUEST_USER(buffer, pwname) \
++ buffer = (char *) calloc(REQUEST_USER_SIZE(pwname), sizeof(char)); \
++ if (!buffer) { \
++ perror("calloc()"); \
++ return NULL; \
++ } \
++
snprintf(buffer,REQUEST_USER_SIZE(pwname),"(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s))",pwname)
++ */
++
++#define REQUEST_USER_SIZE(uid, filter) (size_t)
(strlen(uid)+64+(filter != NULL ? strlen(filter) : 0))
++#define REQUEST_USER(buffer, pwname, customfilter) \
++ buffer = (char *) calloc(REQUEST_USER_SIZE(pwname, customfilter),
sizeof(char)); \
++ if (!buffer) { \
++ perror("calloc()"); \
++ return NULL; \
++ } \
++ snprintf(buffer, REQUEST_USER_SIZE(pwname, customfilter), \
++
"(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)", \
++ pwname, (customfilter != NULL ? customfilter : ""))
++
++/* some portable and working tokenizer, lame though */
++static int tokenize(char ** o, size_t size, char * input) {
++ unsigned int i = 0, num;
++ const char * charset = " \t";
++ char * ptr = input;
++
++ /* leading white spaces are ignored */
++ num = strspn(ptr, charset);
++ ptr += num;
++
++ while ((num = strcspn(ptr, charset))) {
++ if (i < size-1) {
++ o[i++] = ptr;
++ ptr += num;
++ if (*ptr)
++ *ptr++ = '\0';
++ }
++ }
++ o[i] = NULL;
++ return SUCCESS;
++}
++
++void ldap_close(ldap_opt_t * ldap) {
++
++ if (!ldap)
++ return;
++
++ if ( ldap_unbind_ext(ldap->ld, NULL, NULL) < 0)
++ ldap_perror(ldap->ld, "ldap_unbind()");
++
++ ldap->ld = NULL;
++ FLAG_SET_DISCONNECTED(ldap->flags);
++
++ return;
++}
++
++/* init && bind */
++int ldap_connect(ldap_opt_t * ldap) {
++ int version = LDAP_VERSION3;
++
++ if (!ldap->servers)
++ return FAILURE;
++
++ /* Connection Init and setup */
++ ldap->ld = ldap_init(ldap->servers, LDAP_PORT);
++ if (!ldap->ld) {
++ ldap_perror(ldap->ld, "ldap_init()");
++ return FAILURE;
++ }
++
++ if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION,
&version) != LDAP_OPT_SUCCESS) {
++
ldap_perror(ldap->ld, "ldap_set_option(LDAP_OPT_PROTOCOL_VERSION)");
++ return FAILURE;
++ }
++
++ /* Timeouts setup */
++ if (ldap_set_option(ldap->ld, LDAP_OPT_NETWORK_TIMEOUT,
&ldap->b_timeout) != LDAP_SUCCESS) {
++
ldap_perror(ldap->ld, "ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT)");
++ }
++ if (ldap_set_option(ldap->ld, LDAP_OPT_TIMEOUT, &ldap->s_timeout) !=
LDAP_SUCCESS) {
++ ldap_perror(ldap->ld, "ldap_set_option(LDAP_OPT_TIMEOUT)");
++ }
++
++ /* TLS support */
++ if ( (ldap->tls == -1) || (ldap->tls == 1) ) {
++ if (ldap_start_tls_s(ldap->ld, NULL, NULL ) != LDAP_SUCCESS) {
++ /* failed then reinit the initial connect */
++ ldap_perror(ldap->ld, "ldap_connect: (TLS) ldap_start_tls()");
++ if (ldap->tls == 1)
++ return FAILURE;
++
++ ldap->ld = ldap_init(ldap->servers, LDAP_PORT);
++ if (!ldap->ld) {
++ ldap_perror(ldap->ld, "ldap_init()");
++ return FAILURE;
++ }
++
++ if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION,
&version) != LDAP_OPT_SUCCESS) {
++ ldap_perror(ldap->ld, "ldap_set_option()");
++ return FAILURE;
++ }
++ }
++ }
++
++
++ if ( ldap_simple_bind_s(ldap->ld, ldap->binddn, ldap->bindpw) !=
LDAP_SUCCESS) {
++ ldap_perror(ldap->ld, "ldap_simple_bind_s()");
++ return FAILURE;
++ }
++
++ /* says it is connected */
++ FLAG_SET_CONNECTED(ldap->flags);
++
++ return SUCCESS;
++}
++
++/* must free allocated ressource */
++static char * ldap_build_host(char *host, int port) {
++ unsigned int size = strlen(host)+11;
++ char * h = (char *) calloc (size, sizeof(char));
++ int rc;
++ if (!h)
++ return NULL;
++
++ rc = snprintf(h, size, "%s:%d ", host, port);
++ if (rc == -1)
++ return NULL;
++ return h;
++}
++
++static int ldap_count_group(const char * input) {
++ const char * charset = " \t";
++ const char * ptr = input;
++ unsigned int count = 0;
++ unsigned int num;
++
++ num = strspn(ptr, charset);
++ ptr += num;
++
++ while ((num = strcspn(ptr, charset))) {
++ count++;
++ ptr += num;
++ ptr++;
++ }
++
++ return count;
++}
++
++/* format filter */
++char * ldap_parse_groups(const char * groups) {
++ unsigned int buffer_size = FILTER_GROUP_SIZE(groups);
++ char * buffer = (char *) calloc(buffer_size, sizeof(char));
++ char * g = NULL;
++ char * garray[32];
++ unsigned int i = 0;
++
++ if ((!groups)||(!buffer))
++ return NULL;
++
++ g = strdup(groups);
++ if (!g) {
++ free(buffer);
++ return NULL;
++ }
++
++ /* first separate into n tokens */
++ if ( tokenize(garray, sizeof(garray)/sizeof(*garray), g) < 0) {
++ free(g);
++ free(buffer);
++ return NULL;
++ }
++
++ /* build the final filter format */
++ strlcat(buffer, FILTER_GROUP_PREFIX, buffer_size);
++ strlcat(buffer, FILTER_OR_PREFIX, buffer_size);
++ i = 0;
++ while (garray[i]) {
++ strlcat(buffer, FILTER_CN_PREFIX, buffer_size);
++ strlcat(buffer, garray[i], buffer_size);
++ strlcat(buffer, FILTER_CN_SUFFIX, buffer_size);
++ i++;
++ }
++ strlcat(buffer, FILTER_OR_SUFFIX, buffer_size);
++ strlcat(buffer, FILTER_UID_FORMAT, buffer_size);
++ strlcat(buffer, FILTER_GROUP_SUFFIX, buffer_size);
++
++ free(g);
++ return buffer;
++}
++
++/* a bit dirty but leak free */
++char * ldap_parse_servers(const char * servers) {
++ char * s = NULL;
++ char * tmp = NULL, *urls[32];
++ unsigned int num = 0 , i = 0 , asize = 0;
++ LDAPURLDesc *urld[32];
++
++ if (!servers)
++ return NULL;
++
++ /* local copy of the arg */
++ s = strdup(servers);
++ if (!s)
++ return NULL;
++
++ /* first separate into URL tokens */
++ if ( tokenize(urls, sizeof(urls)/sizeof(*urls), s) < 0)
++ return NULL;
++
++ i = 0;
++ while (urls[i]) {
++ if (! ldap_is_ldap_url(urls[i]) ||
++ (ldap_url_parse(urls[i], &urld[i]) != 0)) {
++ return NULL;
++ }
++ i++;
++ }
++
++ /* now free(s) */
++ free (s);
++
++ /* how much memory do we need */
++ num = i;
++ for (i = 0 ; i < num ; i++)
++ asize += strlen(urld[i]->lud_host)+11;
++
++ /* alloc */
++ s = (char *) calloc( asize+1 , sizeof(char));
++ if (!s) {
++ for (i = 0 ; i < num ; i++)
++ ldap_free_urldesc(urld[i]);
++ return NULL;
++ }
++
++ /* then build the final host string */
++ for (i = 0 ; i < num ; i++) {
++ /* built host part */
++ tmp = ldap_build_host(urld[i]->lud_host, urld[i]->lud_port);
++ strncat(s, tmp, strlen(tmp));
++ ldap_free_urldesc(urld[i]);
++ free(tmp);
++ }
++
++ return s;
++}
++
++void ldap_options_print(ldap_opt_t * ldap) {
++ debug("ldap options:");
++ debug("servers: %s", ldap->servers);
++ if (ldap->u_basedn)
++ debug("user basedn: %s", ldap->u_basedn);
++ if (ldap->g_basedn)
++ debug("group basedn: %s", ldap->g_basedn);
++ if (ldap->binddn)
++ debug("binddn: %s", ldap->binddn);
++ if (ldap->bindpw)
++ debug("bindpw: %s", ldap->bindpw);
++ if (ldap->sgroup)
++ debug("group: %s", ldap->sgroup);
++ if (ldap->filter)
***The diff for this file has been truncated for email.***
Author: eric.auge
Date: Fri Mar 12 00:33:18 2010
Log: Contribution from ph.mgraziano
OpenSSH 5.4p1 patch update (non official)
http://code.google.com/p/openssh-lpk/source/detail?r=25
Added:
/trunk/patch/contrib/openssh-lpk-0.3.10_5.4p1-64bit.patch
/trunk/patch/contrib/openssh-lpk-0.3.10_5.4p1.patch
=======================================
--- /dev/null
+++ /trunk/patch/contrib/openssh-lpk-0.3.10_5.4p1-64bit.patch Fri Mar 12
00:33:18 2010
@@ -0,0 +1,43 @@
+--- servconf.c.orig 2010-03-10 17:21:35.000000000 -0500
++++ servconf.c 2010-03-10 17:23:10.000000000 -0500
+@@ -733,6 +733,7 @@
+ int cmdline = 0, *intptr, value, n;
+ SyslogFacility *log_facility_ptr;
+ LogLevel *log_level_ptr;
++ unsigned long lvalue, *longptr;
+ ServerOpCodes opcode;
+ int port;
+ u_int i, flags = 0;
+@@ -747,6 +748,7 @@
+ if (!arg || !*arg || *arg == '#')
+ return 0;
+ intptr = NULL;
++ longptr = NULL;
+ charptr = NULL;
+ opcode = parse_token(arg, filename, linenum, &flags);
+
+@@ -1503,11 +1505,20 @@
+ *intptr = value;
+ break;
+ case sBindTimeout:
+- intptr = (int *) &options->lpk.b_timeout.tv_sec;
+- goto parse_int;
++ longptr = (unsigned long *) &options->lpk.b_timeout.tv_sec;
++parse_ulong:
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0')
++ fatal("%s line %d: missing integer value.",
++ filename, linenum);
++ lvalue = atol(arg);
++ if (*activep && *longptr == -1)
++ *longptr = lvalue;
++ break;
++
+ case sSearchTimeout:
+- intptr = (int *) &options->lpk.s_timeout.tv_sec;
+- goto parse_int;
++ longptr = (unsigned long *) &options->lpk.s_timeout.tv_sec;
++ goto parse_ulong;
+ break;
+ case sLdapConf:
+ arg = cp;
=======================================
--- /dev/null
+++ /trunk/patch/contrib/openssh-lpk-0.3.10_5.4p1.patch Fri Mar 12 00:33:18
2010
@@ -0,0 +1,1893 @@
+This is a forward-port of the OpenSSH LPK support patch.
+
+It adds support for storing OpenSSH public keys in LDAP. It also supports
+grouping of machines in the LDAP data to limit users to specific machines.
+
+The latest homepage for the LPK project is:
+http://code.google.com/p/openssh-lpk/
+
+The 0.3.10 version of the patch includes a fix for 64-bit platforms, as
+discovered by Gentoo, where the bind timeout and search timeout values
were not
+being parsed correctly: http://bugs.gentoo.org/210110
+
+Forward-ported-from: openssh-lpk-5.1p1-0.3.10.patch
+
+diff -Nur gMakefile.in gMakefile.in
+--- gMakefile.in 2010-02-24 02:18:51.000000000 -0500
++++ gMakefile.in 2010-03-10 17:11:13.000000000 -0500
+@@ -91,7 +91,7 @@
+ auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+ audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
+- roaming_common.o roaming_serv.o
++ roaming_common.o roaming_serv.o ldapauth.o
+
+ MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out
ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out
sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out
sshd_config.5.out ssh_config.5.out
+ MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1
ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8
ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+diff -Nur gREADME.lpk gREADME.lpk
+--- gREADME.lpk 1969-12-31 19:00:00.000000000 -0500
++++ gREADME.lpk 2010-03-10 17:09:37.000000000 -0500
+@@ -0,0 +1,267 @@
++OpenSSH LDAP PUBLIC KEY PATCH
++Copyright (c) 2003 Eric AUGE (e...@phear.org)
++All rights reserved.
++
++Redistribution and use in source and binary forms, with or without
++modification, are permitted provided that the following conditions
++are met:
++1. Redistributions of source code must retain the above copyright
++ notice, this list of conditions and the following disclaimer.
++2. Redistributions in binary form must reproduce the above copyright
++ notice, this list of conditions and the following disclaimer in the
++ documentation and/or other materials provided with the distribution.
++3. The name of the author may not be used to endorse or promote products
++ derived from this software without specific prior written permission.
++
++THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++purposes of this patch:
++
++This patch would help to have authentication centralization policy
++using ssh public key authentication.
++This patch could be an alternative to other "secure" authentication system
++working in a similar way (Kerberos, SecurID, etc...), except the fact
++that it's based on OpenSSH and its public key abilities.
++
++>> FYI: <<
++'uid': means unix accounts existing on the current server
++'lpkServerGroup:' mean server group configured on the current server
('lpkServerGroup' in sshd_config)
++
++example schema:
++
++
++ server1 (uid: eau,rival,toto)
(lpkServerGroup: unix)
++ ___________ /
++ / \ --- - server3 (uid: eau, titi)
(lpkServerGroup: unix)
++ | LDAP Server | \
++ | eau ,rival | server2 (uid: rival, eau) (lpkServerGroup:
unix)
++ | titi ,toto |
++ | userx,.... | server5 (uid: eau) (lpkServerGroup: mail)
++ \___________/ \ /
++ ----- - server4 (uid: eau, rival) (no group
configured)
++ \
++ etc...
++
++- WHAT WE NEED :
++
++ * configured LDAP server somewhere on the network (i.e. OpenLDAP)
++ * patched sshd (with this patch ;)
++ * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
++ User entry:
++ - attached to the 'ldapPublicKey' objectclass
++ - attached to the 'posixAccount' objectclass
++ - with a filled 'sshPublicKey' attribute
++ Example:
++ dn: uid=eau,ou=users,dc=cuckoos,dc=net
++ objectclass: top
++ objectclass: person
++ objectclass: organizationalPerson
++ objectclass: posixAccount
++ objectclass: ldapPublicKey
++ description: Eric AUGE Account
++ userPassword: blah
++ cn: Eric AUGE
++ sn: Eric AUGE
++ uid: eau
++ uidNumber: 1034
++ gidNumber: 1
++ homeDirectory: /export/home/eau
++ sshPublicKey: ssh-dss AAAAB3...
++ sshPublicKey: ssh-dss AAAAM5...
++
++ Group entry:
++ - attached to the 'posixGroup' objectclass
++ - with a 'cn' groupname attribute
++ - with multiple 'memberUid' attributes filled with usernames allowed in
this group
++ Example:
++ # few members
++ dn: cn=unix,ou=groups,dc=cuckoos,dc=net
++ objectclass: top
++ objectclass: posixGroup
++ description: Unix based servers group
++ cn: unix
++ gidNumber: 1002
++ memberUid: eau
++ memberUid: user1
++ memberUid: user2
++
++
++- HOW IT WORKS :
++
++ * without patch
++ If a user wants to authenticate to log in a server the sshd, will first
look for authentication method allowed (RSAauth,kerberos,etc..)
++ and if RSAauth and tickets based auth fails, it will fallback to
standard password authentication (if enabled).
++
++ * with the patch
++ If a user want to authenticate to log in a server, the sshd will first
look for auth method including LDAP pubkey, if the ldappubkey options is
enabled.
++ It will do an ldapsearch to get the public key directly from the LDAP
instead of reading it from the server filesystem.
++ (usually in $HOME/.ssh/authorized_keys)
++
++ If groups are enabled, it will also check if the user that wants to
login is in the group of the server he is trying to log into.
++ If it fails, it falls back on RSA auth files
($HOME/.ssh/authorized_keys), etc.. and finally to standard password
authentication (if enabled).
++
++ 7 tokens are added to sshd_config :
++ # here is the new patched ldap related tokens
++ # entries in your LDAP must be posixAccount & strongAuthenticationUser
& posixGroup
++ UseLPK yes # look the pub key into LDAP
++ LpkServers ldap://10.31.32.5/ ldap://10.31.32.4 ldap://10.31.32.3 #
which LDAP server for users ? (URL format)
++ LpkUserDN ou=users,dc=foobar,dc=net # which base DN for users ?
++ LpkGroupDN ou=groups,dc=foobar,dc=net # which base DN for groups ?
++ LpkBindDN cn=manager,dc=foobar,dc=net # which bind DN ?
++ LpkBindPw asecret # bind DN credidentials
++ LpkServerGroup agroupname # the group the server is part of
++
++ Right now i'm using anonymous binding to get public keys, because
getting public keys of someone doesn't impersonate him¸ but there is some
++ flaws you have to take care of.
++
++- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
++
++ * my way (there is plenty :)
++ - create ldif file (i.e. users.ldif)
++ - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat
~/.ssh/identity.pub
++ - my way in 4 steps :
++ Example:
++
++ # you add this to the user entry in the LDIF file :
++ [...]
++ objectclass: posixAccount
++ objectclass: ldapPublicKey
++ [...]
++ sshPubliKey: ssh-dss AAAABDh12DDUR2...
++ [...]
++
++ # insert your entry and you're done :)
++ ldapadd -D balblabla -w bleh < file.ldif
++
++ all standard options can be present in the 'sshPublicKey' attribute.
++
++- WHY :
++
++ Simply because, i was looking for a way to centralize all sysadmins
authentication, easily, without completely using LDAP
++ as authentication method (like pam_ldap etc..).
++
++ After looking into Kerberos, SecurID, and other centralized secure
authentications systems, the use of RSA and LDAP to get
++ public key for authentication allows us to control who has access to
which server (the user needs an account and to be
in 'strongAuthenticationUser'
++ objectclass within LDAP and part of the group the SSH server is in).
++
++ Passwords update are no longer a nightmare for a server farm (key pair
passphrase is stored on each user's box and private key is locally
encrypted using his passphrase
++ so each user can change it as much as he wants).
++
++ Blocking a user account can be done directly from the LDAP (if sshd is
using RSAAuth + ldap only).
++
++- RULES :
++ Entry in the LDAP server must respect 'posixAccount'
and 'ldapPublicKey' which are defined in core.schema.
++ and the additionnal lpk.schema.
++
++ This patch could allow a smooth transition between standard auth
(/etc/passwd) and complete LDAP based authentication
++ (pamldap, nss_ldap, etc..).
++
++ This can be an alternative to other (old?/expensive?) authentication
methods (Kerberos/SecurID/..).
++
++ Referring to schema at the beginning of this file if user 'eau' is only
in group 'unix'
++ 'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4'
BUT NOT 'server5'.
++ If you then modify the LDAP 'mail' group entry to add 'memberUid: eau'
THEN user 'eau' would be able
++ to log in 'server5' (i hope you got the idea, my english is bad :).
++
++ Each server's sshd is patched and configured to ask the public key and
the group infos in the LDAP
++ server.
++ When you want to allow a new user to have access to the server parc,
you just add him an account on
++ your servers, you add his public key into his entry on the LDAP server,
it's done.
++
++ Because sshds are looking public keys into the LDAP directly instead of
a file ($HOME/.ssh/authorized_keys).
++
++ When the user needs to change his passphrase he can do it directly from
his workstation by changing
++ his own key set lock passphrase, and all servers are automatically
aware.
++
++ With a CAREFUL LDAP server configuration you could allow a user to
add/delete/modify his own entry himself
++ so he can add/modify/delete himself his public key when needed.
++
++Â FLAWS :
++ LDAP must be well configured, getting the public key of some user is
not a problem, but if anonymous LDAP
++ allow write to users dn, somebody could replace someuser's public key
by its own and impersonate some
++ of your users in all your server farm be VERY CAREFUL.
++
++ MITM attack when sshd is requesting the public key, could lead to a
compromise of your servers allowing login
++ as the impersonnated user.
++
++ If LDAP server is down then, fallback on passwd auth.
++
++ the ldap code part has not been well audited yet.
++
++- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
++ --- CUT HERE ---
++ dn: uid=jdoe,ou=users,dc=foobar,dc=net
++ objectclass: top
++ objectclass: person
++ objectclass: organizationalPerson
++ objectclass: posixAccount
++ objectclass: ldapPublicKey
++ description: My account
++ cn: John Doe
++ sn: John Doe
++ uid: jdoe
++ uidNumber: 100
++ gidNumber: 100
++ homeDirectory: /home/jdoe
++ sshPublicKey: ssh-dss
AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
++ [...]
++ --- CUT HERE ---
++
++- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
++ --- CUT HERE ---
++ dn: cn=unix,ou=groups,dc=cuckoos,dc=net
++ objectclass: top
++ objectclass: posixGroup
++ description: Unix based servers group
++ cn: unix
++ gidNumber: 1002
++ memberUid: jdoe
++ memberUid: user1
++ memberUid: user2
++ [...]
++ --- CUT HERE ---
++
++>> FYI: <<
++Multiple 'sshPublicKey' in a user entry are allowed, as well as
multiple 'memberUid' attributes in a group entry
++
++- COMPILING:
++ 1. Apply the patch
++ 2. ./configure --with-your-options
--with-ldap=/prefix/to/ldap_libs_and_includes
++ 3. make
++ 4. it's done.
++
++- BLA :
++ I hope this could help, and i hope to be clear enough,, or give ideas.
questions/comments/improvements are welcome.
++
++- TODO :
++ Redesign differently.
++
++- DOCS/LINK :
++ http://pacsec.jp/core05/psj05-barisani-en.pdf
++ http://fritz.potsdam.edu/projects/openssh-lpk/
++ http://fritz.potsdam.edu/projects/sshgate/
++ http://dev.inversepath.com/trac/openssh-lpk
++ http://lam.sf.net/ (
http://lam.sourceforge.net/documentation/supportedSchemas.htm )
++
++- CONTRIBUTORS/IDEAS/GREETS :
++ - Falk Siemonsmeier.
++ - Jacob Rief.
++ - Michael Durchgraf.
++ - frederic peters.
++ - Finlay dobbie.
++ - Stefan Fisher.
++ - Robin H. Johnson.
++ - Adrian Bridgett.
++
++- CONTACT :
++ - Eric AUGE <e...@phear.org>
++ - Andrea Barisani <and...@inversepath.com>
+diff -Nur gauth-rsa.c gauth-rsa.c
+--- gauth-rsa.c 2010-03-04 05:53:35.000000000 -0500
++++ gauth-rsa.c 2010-03-10 17:09:37.000000000 -0500
+@@ -177,10 +177,96 @@
+ FILE *f;
+ u_long linenum = 0;
+ Key *key;
++#ifdef WITH_LDAP_PUBKEY
++ ldap_key_t * k;
++ unsigned int i = 0;
++#endif
+
+ /* Temporarily use the user's uid. */
+ temporarily_use_uid(pw);
+
++#ifdef WITH_LDAP_PUBKEY
++ /* here is the job */
++ key = key_new(KEY_RSA1);
++
++ if (options.lpk.on) {
++ debug("[LDAP] trying LDAP first uid=%s", pw->pw_name);
++ if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) {
++ if ( (k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
++ for (i = 0 ; i < k->num ; i++) {
++ char *cp, *options = NULL;
++
++ for (cp = k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++)
++ ;
++ if (!*cp || *cp == '\n' || *cp == '#')
++ continue;
++
++ /*
++ * Check if there are options for this key, and if so,
++ * save their starting address and skip the option part
++ * for now. If there are no options, set the starting
++ * address to NULL.
++ */
++ if (*cp < '0' || *cp > '9') {
++ int quoted = 0;
++ options = cp;
++ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
++ if (*cp == '\\' && cp[1] == '"')
++ cp++; /* Skip both */
++ else if (*cp == '"')
++ quoted = !quoted;
++ }
++ } else
++ options = NULL;
++
++ /* Parse the key from the line. */
++ if (hostfile_read_key(&cp, &bits, key) == 0) {
++ debug("[LDAP] line %d: non ssh1 key syntax", i);
++ continue;
++ }
++ /* cp now points to the comment part. */
++
++ /* Check if the we have found the desired key (identified by its
modulus). */
++ if (BN_cmp(key->rsa->n, client_n) != 0)
++ continue;
++
++ /* check the real bits */
++ if (bits != (unsigned int)BN_num_bits(key->rsa->n))
++ logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: "
++ "actual %d vs. announced %d.", (unsigned long)i,
BN_num_bits(key->rsa->n), bits);
++
++ /* We have found the desired key. */
++ /*
++ * If our options do not allow this key to be used,
++ * do not send challenge.
++ */
++ if (!auth_parse_options(pw, options, "[LDAP]", (unsigned long) i))
++ continue;
++
++ /* break out, this key is allowed */
++ allowed = 1;
++
++ /* add the return stuff etc... */
++ /* Restore the privileged uid. */
++ restore_uid();
++
++ /* return key if allowed */
++ if (allowed && rkey != NULL)
++ *rkey = key;
++ else
++ key_free(key);
++
++ ldap_keys_free(k);
++ return (allowed);
++ }
++ } else {
++ logit("[LDAP] no keys found for '%s'!", pw->pw_name);
++ }
++ } else {
++ logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
++ }
++ }
++#endif
+ /* The authorized keys. */
+ file = authorized_keys_file(pw);
+ debug("trying public RSA key file %s", file);
+diff -Nur gauth2-pubkey.c gauth2-pubkey.c
+--- gauth2-pubkey.c 2010-03-04 05:53:35.000000000 -0500
++++ gauth2-pubkey.c 2010-03-10 17:09:37.000000000 -0500
+@@ -58,6 +58,10 @@
+ #include "misc.h"
+ #include "authfile.h"
+
++#ifdef WITH_LDAP_PUBKEY
++#include "ldapauth.h"
++#endif
++
+ /* import */
+ extern ServerOptions options;
+ extern u_char *session_id2;
+@@ -187,10 +191,79 @@
+ u_long linenum = 0;
+ Key *found;
+ char *fp;
++#ifdef WITH_LDAP_PUBKEY
++ ldap_key_t * k;
++ unsigned int i = 0;
++#endif
+
+ /* Temporarily use the user's uid. */
+ temporarily_use_uid(pw);
+
++#ifdef WITH_LDAP_PUBKEY
++ found_key = 0;
++ /* allocate a new key type */
++ found = key_new(key->type);
++
++ /* first check if the options is enabled, then try.. */
++ if (options.lpk.on) {
++ debug("[LDAP] trying LDAP first uid=%s",pw->pw_name);
++ if (ldap_ismember(&options.lpk, pw->pw_name) > 0) {
++ if ((k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
++ /* Skip leading whitespace, empty and comment lines. */
++ for (i = 0 ; i < k->num ; i++) {
++ /* dont forget if multiple keys to reset options */
++ char *cp, *options = NULL;
++
++ for (cp = (char *)k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++)
++ ;
++ if (!*cp || *cp == '\n' || *cp == '#')
++ continue;
++
++ if (key_read(found, &cp) != 1) {
++ /* no key? check if there are options for this key */
++ int quoted = 0;
++ debug2("[LDAP] user_key_allowed: check options: '%s'", cp);
++ options = cp;
++ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
++ if (*cp == '\\' && cp[1] == '"')
++ cp++; /* Skip both */
++ else if (*cp == '"')
++ quoted = !quoted;
++ }
++ /* Skip remaining whitespace. */
++ for (; *cp == ' ' || *cp == '\t'; cp++)
++ ;
++ if (key_read(found, &cp) != 1) {
++ debug2("[LDAP] user_key_allowed: advance: '%s'", cp);
++ /* still no key? advance to next line*/
++ continue;
++ }
++ }
++
++ if (key_equal(found, key) &&
++ auth_parse_options(pw, options, file, linenum) == 1) {
++ found_key = 1;
++ debug("[LDAP] matching key found");
++ fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
++ verbose("[LDAP] Found matching %s key: %s", key_type(found), fp);
++
++ /* restoring memory */
++ ldap_keys_free(k);
++ xfree(fp);
++ restore_uid();
++ key_free(found);
++ return found_key;
++ break;
++ }
++ }/* end of LDAP for() */
++ } else {
++ logit("[LDAP] no keys found for '%s'!", pw->pw_name);
++ }
++ } else {
++ logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
++ }
++ }
++#endif
+ debug("trying public key file %s", file);
+ f = auth_openkeyfile(file, pw, options.strict_modes);
+
+diff -Nur gconfig.h.in gconfig.h.in
+--- gconfig.h.in 2010-03-07 19:30:57.000000000 -0500
++++ gconfig.h.in 2010-03-10 17:09:37.000000000 -0500
+@@ -575,6 +575,9 @@
+ /* Define to 1 if you have the <linux/if_tun.h> header file. */
+ #undef HAVE_LINUX_IF_TUN_H
+
++/* Define if you want LDAP support */
++#undef WITH_LDAP_PUBKEY
++
+ /* Define if your libraries define login() */
+ #undef HAVE_LOGIN
+
+diff -Nur gconfigure gconfigure
+--- gconfigure 2010-03-07 19:30:59.000000000 -0500
++++ gconfigure 2010-03-10 17:09:37.000000000 -0500
+@@ -1340,6 +1340,7 @@
+ --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in
PATH)
+ --with-libedit[=PATH] Enable libedit support for sftp
+ --with-audit=module Enable EXPERIMENTAL audit support
(modules=debug,bsm)
++ --with-ldap[=PATH] Enable LDAP pubkey support (optionally in PATH)
+ --with-ssl-dir=PATH Specify path to OpenSSL installation
+ --without-openssl-header-check Disable OpenSSL version consistency check
+ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support
+@@ -12845,6 +12846,85 @@
+ fi
+
+
++# Check whether user wants LDAP support
++LDAP_MSG="no"
++
++# Check whether --with-ldap was given.
++if test "${with_ldap+set}" = set; then
++ withval=$with_ldap;
++ if test "x$withval" != "xno" ; then
++
++ if test "x$withval" != "xyes" ; then
++ CPPFLAGS="$CPPFLAGS -I${withval}/include"
++ LDFLAGS="$LDFLAGS -L${withval}/lib"
++ fi
++
++
++cat >>confdefs.h <<\_ACEOF
++#define WITH_LDAP_PUBKEY 1
++_ACEOF
++
++ LIBS="-lldap $LIBS"
++ LDAP_MSG="yes"
++
++ { echo "$as_me:$LINENO: checking for LDAP support" >&5
++echo $ECHO_N "checking for LDAP support... $ECHO_C" >&6; }
++ cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++#include <sys/types.h>
++ #include <ldap.h>
++int
++main ()
++{
++(void)ldap_init(0, 0);
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
++ (eval "$ac_compile") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest.$ac_objext; then
++ { echo "$as_me:$LINENO: result: yes" >&5
++echo "${ECHO_T}yes" >&6; }
++else
++ echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++ { echo "$as_me:$LINENO: result: no" >&5
++echo "${ECHO_T}no" >&6; }
++ { { echo "$as_me:$LINENO: error: ** Incomplete or missing ldap
libraries **" >&5
++echo "$as_me: error: ** Incomplete or missing ldap libraries **" >&2;}
++ { (exit 1); exit 1; }; }
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++ fi
++
++
++fi
++
++
+
+
+
+@@ -30786,6 +30866,7 @@
+ echo " Smartcard support: $SCARD_MSG"
+ echo " S/KEY support: $SKEY_MSG"
+ echo " TCP Wrappers support: $TCPW_MSG"
++echo " LDAP support: $LDAP_MSG"
+ echo " MD5 password support: $MD5_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
+diff -Nur gconfigure.ac gconfigure.ac
+--- gconfigure.ac 2010-03-04 23:04:35.000000000 -0500
++++ gconfigure.ac 2010-03-10 17:09:37.000000000 -0500
+@@ -1323,6 +1323,37 @@
+ esac ]
+ )
+
++# Check whether user wants LDAP support
++LDAP_MSG="no"
++AC_ARG_WITH(ldap,
++ [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in
PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++
++ if test "x$withval" != "xyes" ; then
++ CPPFLAGS="$CPPFLAGS -I${withval}/include"
++ LDFLAGS="$LDFLAGS -L${withval}/lib"
++ fi
++
++ AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
++ LIBS="-lldap $LIBS"
++ LDAP_MSG="yes"
++
++ AC_MSG_CHECKING([for LDAP support])
++ AC_TRY_COMPILE(
++ [#include <sys/types.h>
++ #include <ldap.h>],
++ [(void)ldap_init(0, 0);],
++ [AC_MSG_RESULT(yes)],
++ [
++ AC_MSG_RESULT(no)
++ AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
++ ]
++ )
++ fi
++ ]
++)
++
+ dnl Checks for library functions. Please keep in alphabetical order
+ AC_CHECK_FUNCS( \
+ arc4random \
+@@ -4185,6 +4216,7 @@
+ echo " Smartcard support: $SCARD_MSG"
+ echo " S/KEY support: $SKEY_MSG"
+ echo " TCP Wrappers support: $TCPW_MSG"
++echo " LDAP support: $LDAP_MSG"
+ echo " MD5 password support: $MD5_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
+diff -Nur gldapauth.c gldapauth.c
+--- gldapauth.c 1969-12-31 19:00:00.000000000 -0500
++++ gldapauth.c 2010-03-10 17:09:37.000000000 -0500
+@@ -0,0 +1,575 @@
++/*
++ * $Id: openssh-lpk-4.3p1-0.3.7.patch,v 1.3 2006/04/18 15:29:09 eau Exp $
++ */
++
++/*
++ *
++ * Copyright (c) 2005, Eric AUGE <e...@phear.org>
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
++ *
++ * Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
++ * Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
++ * Neither the name of the phear.org nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
++ * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
++ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY,
++ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ *
++ */
++
++#include "includes.h"
++
++#ifdef WITH_LDAP_PUBKEY
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <string.h>
++
++#include "ldapauth.h"
++#include "log.h"
++
++static char *attrs[] = {
++ PUBKEYATTR,
++ NULL
++};
++
++/* filter building infos */
++#define FILTER_GROUP_PREFIX "(&(objectclass=posixGroup)"
++#define FILTER_OR_PREFIX "(|"
++#define FILTER_OR_SUFFIX ")"
++#define FILTER_CN_PREFIX "(cn="
++#define FILTER_CN_SUFFIX ")"
++#define FILTER_UID_FORMAT "(memberUid=%s)"
++#define FILTER_GROUP_SUFFIX ")"
++#define FILTER_GROUP_SIZE(group) (size_t)
(strlen(group)+(ldap_count_group(group)*5)+52)
++
++/* just filter building stuff */
++#define REQUEST_GROUP_SIZE(filter, uid) (size_t)
(strlen(filter)+strlen(uid)+1)
++#define REQUEST_GROUP(buffer, prefilter, pwname) \
++ buffer = (char *) calloc(REQUEST_GROUP_SIZE(prefilter, pwname),
sizeof(char)); \
++ if (!buffer) { \
++ perror("calloc()"); \
++ return FAILURE; \
++ } \
++ snprintf(buffer, REQUEST_GROUP_SIZE(prefilter,pwname), prefilter,
pwname)
++/*
++XXX OLD group building macros
++#define REQUEST_GROUP_SIZE(grp, uid) (size_t) (strlen(grp)+strlen(uid)+46)
++#define REQUEST_GROUP(buffer,pwname,grp) \
++ buffer = (char *) calloc(REQUEST_GROUP_SIZE(grp, pwname),
sizeof(char)); \
++ if (!buffer) { \
++ perror("calloc()"); \
++ return FAILURE; \
++ } \
++
snprintf(buffer,REQUEST_GROUP_SIZE(grp,pwname),"(&(objectclass=posixGroup)(cn=%s)(memberUid=%s))",grp,pwname)
++ */
++
++/*
++XXX stock upstream version without extra filter support
++#define REQUEST_USER_SIZE(uid) (size_t) (strlen(uid)+64)
++#define REQUEST_USER(buffer, pwname) \
++ buffer = (char *) calloc(REQUEST_USER_SIZE(pwname), sizeof(char)); \
++ if (!buffer) { \
++ perror("calloc()"); \
++ return NULL; \
++ } \
++
snprintf(buffer,REQUEST_USER_SIZE(pwname),"(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s))",pwname)
++ */
++
++#define REQUEST_USER_SIZE(uid, filter) (size_t)
(strlen(uid)+64+(filter != NULL ? strlen(filter) : 0))
++#define REQUEST_USER(buffer, pwname, customfilter) \
++ buffer = (char *) calloc(REQUEST_USER_SIZE(pwname, customfilter),
sizeof(char)); \
++ if (!buffer) { \
++ perror("calloc()"); \
++ return NULL; \
++ } \
++ snprintf(buffer, REQUEST_USER_SIZE(pwname, customfilter), \
++
"(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)", \
++ pwname, (customfilter != NULL ? customfilter : ""))
++
++/* some portable and working tokenizer, lame though */
++static int tokenize(char ** o, size_t size, char * input) {
++ unsigned int i = 0, num;
++ const char * charset = " \t";
++ char * ptr = input;
++
++ /* leading white spaces are ignored */
++ num = strspn(ptr, charset);
++ ptr += num;
++
++ while ((num = strcspn(ptr, charset))) {
++ if (i < size-1) {
++ o[i++] = ptr;
++ ptr += num;
++ if (*ptr)
++ *ptr++ = '\0';
++ }
++ }
++ o[i] = NULL;
++ return SUCCESS;
++}
++
++void ldap_close(ldap_opt_t * ldap) {
++
++ if (!ldap)
++ return;
++
++ if ( ldap_unbind_ext(ldap->ld, NULL, NULL) < 0)
++ ldap_perror(ldap->ld, "ldap_unbind()");
++
++ ldap->ld = NULL;
++ FLAG_SET_DISCONNECTED(ldap->flags);
++
++ return;
++}
++
++/* init && bind */
++int ldap_connect(ldap_opt_t * ldap) {
++ int version = LDAP_VERSION3;
++
++ if (!ldap->servers)
++ return FAILURE;
++
++ /* Connection Init and setup */
++ ldap->ld = ldap_init(ldap->servers, LDAP_PORT);
++ if (!ldap->ld) {
++ ldap_perror(ldap->ld, "ldap_init()");
++ return FAILURE;
++ }
++
++ if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION,
&version) != LDAP_OPT_SUCCESS) {
++
ldap_perror(ldap->ld, "ldap_set_option(LDAP_OPT_PROTOCOL_VERSION)");
++ return FAILURE;
++ }
++
++ /* Timeouts setup */
++ if (ldap_set_option(ldap->ld, LDAP_OPT_NETWORK_TIMEOUT,
&ldap->b_timeout) != LDAP_SUCCESS) {
++
ldap_perror(ldap->ld, "ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT)");
++ }
++ if (ldap_set_option(ldap->ld, LDAP_OPT_TIMEOUT, &ldap->s_timeout) !=
LDAP_SUCCESS) {
++ ldap_perror(ldap->ld, "ldap_set_option(LDAP_OPT_TIMEOUT)");
++ }
++
++ /* TLS support */
++ if ( (ldap->tls == -1) || (ldap->tls == 1) ) {
++ if (ldap_start_tls_s(ldap->ld, NULL, NULL ) != LDAP_SUCCESS) {
++ /* failed then reinit the initial connect */
++ ldap_perror(ldap->ld, "ldap_connect: (TLS) ldap_start_tls()");
++ if (ldap->tls == 1)
++ return FAILURE;
++
++ ldap->ld = ldap_init(ldap->servers, LDAP_PORT);
++ if (!ldap->ld) {
++ ldap_perror(ldap->ld, "ldap_init()");
++ return FAILURE;
++ }
++
++ if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION,
&version) != LDAP_OPT_SUCCESS) {
++ ldap_perror(ldap->ld, "ldap_set_option()");
++ return FAILURE;
++ }
++ }
++ }
++
++
++ if ( ldap_simple_bind_s(ldap->ld, ldap->binddn, ldap->bindpw) !=
LDAP_SUCCESS) {
++ ldap_perror(ldap->ld, "ldap_simple_bind_s()");
++ return FAILURE;
++ }
++
++ /* says it is connected */
++ FLAG_SET_CONNECTED(ldap->flags);
++
++ return SUCCESS;
++}
++
++/* must free allocated ressource */
++static char * ldap_build_host(char *host, int port) {
++ unsigned int size = strlen(host)+11;
++ char * h = (char *) calloc (size, sizeof(char));
++ int rc;
++ if (!h)
++ return NULL;
++
++ rc = snprintf(h, size, "%s:%d ", host, port);
++ if (rc == -1)
++ return NULL;
++ return h;
++}
++
++static int ldap_count_group(const char * input) {
++ const char * charset = " \t";
++ const char * ptr = input;
++ unsigned int count = 0;
++ unsigned int num;
++
++ num = strspn(ptr, charset);
++ ptr += num;
++
++ while ((num = strcspn(ptr, charset))) {
++ count++;
++ ptr += num;
++ ptr++;
++ }
++
++ return count;
++}
++
++/* format filter */
++char * ldap_parse_groups(const char * groups) {
++ unsigned int buffer_size = FILTER_GROUP_SIZE(groups);
++ char * buffer = (char *) calloc(buffer_size, sizeof(char));
++ char * g = NULL;
++ char * garray[32];
++ unsigned int i = 0;
++
++ if ((!groups)||(!buffer))
++ return NULL;
++
++ g = strdup(groups);
++ if (!g) {
++ free(buffer);
++ return NULL;
++ }
++
++ /* first separate into n tokens */
++ if ( tokenize(garray, sizeof(garray)/sizeof(*garray), g) < 0) {
++ free(g);
++ free(buffer);
++ return NULL;
++ }
++
++ /* build the final filter format */
++ strlcat(buffer, FILTER_GROUP_PREFIX, buffer_size);
++ strlcat(buffer, FILTER_OR_PREFIX, buffer_size);
++ i = 0;
++ while (garray[i]) {
++ strlcat(buffer, FILTER_CN_PREFIX, buffer_size);
++ strlcat(buffer, garray[i], buffer_size);
++ strlcat(buffer, FILTER_CN_SUFFIX, buffer_size);
++ i++;
++ }
++ strlcat(buffer, FILTER_OR_SUFFIX, buffer_size);
++ strlcat(buffer, FILTER_UID_FORMAT, buffer_size);
++ strlcat(buffer, FILTER_GROUP_SUFFIX, buffer_size);
++
++ free(g);
++ return buffer;
++}
++
++/* a bit dirty but leak free */
++char * ldap_parse_servers(const char * servers) {
++ char * s = NULL;
++ char * tmp = NULL, *urls[32];
++ unsigned int num = 0 , i = 0 , asize = 0;
++ LDAPURLDesc *urld[32];
++
++ if (!servers)
++ return NULL;
++
++ /* local copy of the arg */
++ s = strdup(servers);
++ if (!s)
++ return NULL;
++
++ /* first separate into URL tokens */
++ if ( tokenize(urls, sizeof(urls)/sizeof(*urls), s) < 0)
++ return NULL;
++
++ i = 0;
++ while (urls[i]) {
++ if (! ldap_is_ldap_url(urls[i]) ||
++ (ldap_url_parse(urls[i], &urld[i]) != 0)) {
++ return NULL;
++ }
++ i++;
++ }
++
++ /* now free(s) */
++ free (s);
++
++ /* how much memory do we need */
++ num = i;
++ for (i = 0 ; i < num ; i++)
++ asize += strlen(urld[i]->lud_host)+11;
++
++ /* alloc */
++ s = (char *) calloc( asize+1 , sizeof(char));
++ if (!s) {
++ for (i = 0 ; i < num ; i++)
++ ldap_free_urldesc(urld[i]);
++ return NULL;
++ }
++
++ /* then build the final host string */
++ for (i = 0 ; i < num ; i++) {
++ /* built host part */
++ tmp = ldap_build_host(urld[i]->lud_host, urld[i]->lud_port);
++ strncat(s, tmp, strlen(tmp));
++ ldap_free_urldesc(urld[i]);
++ free(tmp);
++ }
++
++ return s;
++}
++
++void ldap_options_print(ldap_opt_t * ldap) {
++ debug("ldap options:");
++ debug("servers: %s", ldap->servers);
++ if (ldap->u_basedn)
++ debug("user basedn: %s", ldap->u_basedn);
++ if (ldap->g_basedn)
++ debug("group basedn: %s", ldap->g_basedn);
++ if (ldap->binddn)
++ debug("binddn: %s", ldap->binddn);
++ if (ldap->bindpw)
++ debug("bindpw: %s", ldap->bindpw);
++ if (ldap->sgroup)
++ debug("group: %s", ldap->sgroup);
++ if (ldap->filter)
***The diff for this file has been truncated for email.***
Reply all
Reply to author
Forward
0 new messages