# # Port from ldappubkey-ossh3.8.1p1-v201.patch (www.b0l.org) # Tested on OpenSSH 4.1 (OpenBSD version) OpenBSD 3.7 (default install) OpenLDAP 2.2.23 (from ports) # Added: lpkUserFilter, lpkGroupFilter (default values are hardcoded) # Removed: ldap_ssl, ldap_tls (if needed, SSL can be done with other software) # Auth: Maxim Bourmistrov, maximATchl.chalmers.se # # Requirements: OpenLDAP # diff -X CVS -ruN ssh.orig/Makefile.inc ssh/Makefile.inc --- ssh.orig/Makefile.inc Mon Jul 11 21:06:26 2005 +++ ssh/Makefile.inc Mon Jul 11 22:12:33 2005 @@ -18,6 +18,9 @@ #CFLAGS+= -DSMARTCARD #LDADD+= -lsectok +CFLAGS+= -I/usr/local/include -DWITH_LDAP_PUBKEY +LDADD+= -L/usr/local/lib -llber -lldap + .include .if exists(${.CURDIR}/../lib/${__objdir}) diff -X CVS -ruN ssh.orig/auth-rsa.c ssh/auth-rsa.c --- ssh.orig/auth-rsa.c Mon Jul 11 21:06:25 2005 +++ ssh/auth-rsa.c Mon Jul 11 22:12:33 2005 
@@ -161,8 +161,106 @@ struct stat st; Key *key; +#ifdef WITH_LDAP_PUBKEY + lh_t host; + pkdata **data = NULL; + int i = 0; +#endif + /* Temporarily use the user's uid. */ temporarily_use_uid(pw); + +#ifdef WITH_LDAP_PUBKEY + + /* JUST HERE HACK HACK */ + key = key_new(KEY_RSA1); + + debug("[LDAP] trying to get RSA1 key"); + + /* lets get the identity.pub from the ldap server */ + /* i must fill Key *key with the read key struct */ + host.lpkuurl = options.lpk_opt.lpk_user_server; + host.lpkufltr = options.lpk_opt.lpk_user_filter; + host.lpkgurl = options.lpk_opt.lpk_group_server; + host.lpkgfltr = options.lpk_opt.lpk_group_filter; + host.lpkbd = options.lpk_opt.lpk_binddn; + host.lpkbp = options.lpk_opt.lpk_bindpw; + host.lpksg = options.lpk_opt.lpk_srvgrp; + + /* if(options.myldap_opt.pubkey_from_ldap && key_ldap_read(key, pw->pw_name, &host) != 1) { */ + if(options.lpk_opt.lpk_on && (data = get_ldap_data(&host, pw)) ) { + debug("LDAP pubkey failed!!\n"); + debug("User URL: %s !!", options.lpk_opt.lpk_user_server); + } + + if (data) + while(data[i] != NULL) { + char *cp, *options; + + for (cp = (char *)data[i++]->bv_val; *cp == ' ' || *cp == '\t'; cp++) + ; + if (!*cp || *cp == '\n' || *cp == '#') + continue; + + /* + * Check if there are options for this key, and if so, + * save their starting address and skip the option part + * for now. If there are no options, set the starting + * address to NULL. + */ + if (*cp < '0' || *cp > '9') { + int quoted = 0; + options = cp; + for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { + if (*cp == '\\' && cp[1] == '"') + cp++; /* Skip both */ + else if (*cp == '"') + quoted = !quoted; + } + } else + options = NULL; + + /* Parse the key from the line. */ + if (hostfile_read_key(&cp, &bits, key) == 0) { + debug("[LDAP] line %d: non ssh1 key syntax", i); + continue; + } + /* cp now points to the comment part. */ + + /* Check if the we have found the desired key (identified by its modulus). 
*/ + if (BN_cmp(key->rsa->n, client_n) != 0) + continue; + + /* check the real bits */ + if (bits != BN_num_bits(key->rsa->n)) + logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: " + "actual %d vs. announced %d.", (unsigned long)i, BN_num_bits(key->rsa->n), bits); + + /* We have found the desired key. */ + /* + * If our options do not allow this key to be used, + * do not send challenge. + */ + if (!auth_parse_options(pw, options, "[LDAP]", (unsigned long) i)) + continue; + + /* break out, this key is allowed */ + allowed = 1; + + /* add the return stuff etc... */ + /* Restore the privileged uid. */ + restore_uid(); + + /* return key if allowed */ + if (allowed && rkey != NULL) + *rkey = key; + else + key_free(key); + + ldap_value_free_len(data); + return (allowed); + } +#endif /* The authorized keys. */ file = authorized_keys_file(pw); diff -X CVS -ruN ssh.orig/auth2-pubkey.c ssh/auth2-pubkey.c --- ssh.orig/auth2-pubkey.c Mon Jul 11 21:06:25 2005 +++ ssh/auth2-pubkey.c Mon Jul 11 22:12:33 2005 
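Review bot: The LDAP block falls through to the file-based lookup without releasing what it allocated when no entry matches: `key` from `key_new(KEY_RSA1)` and `data` from `get_ldap_data()` are freed only on the match path, and the stock code later in the function (outside the hunk) allocates its own `key`, so both leak on every LDAP check that finds nothing; after the `while` loop add `if (data != NULL) ldap_value_free_len(data); key_free(key);`. The debug text is inverted as well: `if(options.lpk_opt.lpk_on && (data = get_ldap_data(&host, pw)) )` enters the branch on success yet logs `LDAP pubkey failed!!`, so compare the result with `== NULL`. `data[i]->bv_val` is walked as a NUL-terminated string although `struct berval` is length-delimited via `bv_len`; OpenLDAP terminates the values it returns, but that assumption deserves a comment, e.g. `/* relies on ldap_get_values_len() NUL-terminating bv_val */`. The same fall-through leak and inverted message recur in the auth2-pubkey.c hunk; the enclosing function continues outside this hunk.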
@@ -173,9 +173,88 @@ Key *found; char *fp; +#ifdef WITH_LDAP_PUBKEY + int i = 0; + lh_t host; + pkdata **data = NULL; +#endif + /* Temporarily use the user's uid. */ temporarily_use_uid(pw); +#ifdef WITH_LDAP_PUBKEY + found_key = 0; + /* allocate a new key type */ + found = key_new(key->type); + + /* first check if the options is enabled, then try.. */ + debug("trying LDAP first uid=%s",pw->pw_name); + + /* lets add it */ + host.lpkuurl = options.lpk_opt.lpk_user_server; + host.lpkufltr = options.lpk_opt.lpk_user_filter; + host.lpkgurl = options.lpk_opt.lpk_group_server; + host.lpkgfltr = options.lpk_opt.lpk_group_filter; + host.lpkbd = options.lpk_opt.lpk_binddn; + host.lpkbp = options.lpk_opt.lpk_bindpw; + host.lpksg = options.lpk_opt.lpk_srvgrp; + + /* lets fill what we request */ + + if(options.lpk_opt.lpk_on && ( data = get_ldap_data(&host,pw) ) ) { + debug2("[LDAP] get_ldap_data() pubkey failed!!!"); + debug2("URL: %s !!",options.lpk_opt.lpk_user_server); + } + + if (data) + while (data[i] != NULL) { + char *cp, *options = NULL; + /* Skip leading whitespace, empty and comment lines. */ + for (cp = (char *)data[i++]->bv_val; *cp == ' ' || *cp == '\t'; cp++) + ; + if (!*cp || *cp == '\n' || *cp == '#') + continue; + + if (key_read(found, &cp) != 1) { + /* no key? check if there are options for this key */ + int quoted = 0; + debug2("[LDAP] user_key_allowed: check options: '%s'", cp); + options = cp; + for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { + if (*cp == '\\' && cp[1] == '"') + cp++; /* Skip both */ + else if (*cp == '"') + quoted = !quoted; + } + /* Skip remaining whitespace. */ + for (; *cp == ' ' || *cp == '\t'; cp++) + ; + if (key_read(found, &cp) != 1) { + debug2("[LDAP] user_key_allowed: advance: '%s'", cp); + /* still no key? 
advance to next line*/ + continue; + } + } + + if (key_equal(found, key) && + auth_parse_options(pw, options, file, linenum) == 1) { + found_key = 1; + debug("[LDAP] matching key found"); + fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); + verbose("[LDAP] Found matching %s key: %s", + key_type(found), fp); + + /* restoring memory */ + ldap_value_free_len(data); + xfree(fp); + restore_uid(); + key_free(found); + return found_key; + break; + } + } + +#endif debug("trying public key file %s", file); /* Fail quietly if file does not exist */ diff -X CVS -ruN ssh.orig/key.c ssh/key.c --- ssh.orig/key.c Mon Jul 11 21:06:25 2005 +++ ssh/key.c Mon Jul 11 22:12:32 2005 @@ -36,6 +36,32 @@ #include +#ifdef WITH_LDAP_PUBKEY +/* + * defined in core.schema, this is a temporary objectclass which can be + * used since i m waiting for pkix schema and pubKey attribute (binary as well + * so minor changes for this patch), there will be an update about this ;) + * the following defs were for test purposes only + * i'm still keeping objectclass=strongAuthenticationuser because of the purpose + * this patch, and wrongly using cn for each user to store group includes + * refere to the README for a better understanding of this. + */ + +#include +#include + +#define PORT LDAP_PORT +#define LINEMAX 1024 + +/* just filter building stuff */ +#define REQUEST_GROUP(buffer,pwname,grp) \ +snprintf(buffer,LINEMAX,host->lpkgfltr,grp,pwname) + +#define REQUEST_USER(buffer,pwname) \ +snprintf(buffer,LINEMAX,host->lpkufltr,pwname); + +#endif + #include "xmalloc.h" #include "key.h" #include "rsa.h" 
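Review bot: `auth_parse_options(pw, options, file, linenum)` attributes LDAP keys to the authorized_keys file: `file` is the on-disk path and `linenum` is the file line counter, which at this point is presumably still at its initial value (it is declared outside the hunk), so a rejected key option is reported against the wrong source and line. The auth-rsa.c hunk passes `"[LDAP]"` and the entry index to the same call; do that here for consistency: `auth_parse_options(pw, options, "[LDAP]", (u_long)i) == 1`. The `break;` after `return found_key;` is unreachable and should go, and `debug("trying LDAP first uid=%s", pw->pw_name)` fires even when `lpk_on` is off; move it inside the `if`. The no-match fall-through leaks `found` and `data` exactly as in the auth-rsa.c hunk; the enclosing function continues outside this hunk.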
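Review bot: `REQUEST_USER` and `REQUEST_GROUP` splice `pw->pw_name` into an LDAP search filter with `snprintf` and no RFC 4515 escaping, so a name containing `(`, `)`, `*` or `\` changes the filter instead of being matched literally; escape the value before formatting, and check the `snprintf` return against `LINEMAX` so a truncated filter is rejected rather than sent. The format string itself is the administrator's `lpkUserFilter`/`lpkGroupFilter`, so the contract needs stating, e.g. `/* lpkufltr must contain exactly one %s and lpkgfltr exactly two; any other count is undefined behaviour in snprintf */`, and is better enforced where the option is parsed. Both macros also depend silently on a local named `host`, and `REQUEST_USER` ends in a stray `;`; pass `host` as a parameter (or make them `static inline` functions) and drop the semicolon. The call sites are in the get_ldap_data hunk below.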
@@ -376,6 +402,135 @@ OPENSSL_free(buf); return 1; } + +#ifdef WITH_LDAP_PUBKEY + +/* get data needed for certificate and group management */ +pkdata ** get_ldap_data(lh_t *host, struct passwd *pw) { + LDAP *ld; + LDAPMessage *res, *e; + LDAPURLDesc *usr_urlstruct, *grp_urlstruct; + BerElement *ptr; + struct berval **vals; + int version, rc, i; + char *a,objbuf[LINEMAX]; + + /* version to 3 */ + version = LDAP_VERSION3; + + debug2("[LDAP] get_ldap_data()"); + + /* url based ldap://hostport/dn[?attrs[?scope[?filter[?exts]]]] */ + rc = ldap_is_ldap_url(host->lpkuurl); + if (rc < 0) { + error("get_ldap_data: ldap_is_ldap_url(UserUrl) -> ldap is not a url"); + return NULL; + } + /* parse the User URL format */ + rc = ldap_url_parse(host->lpkuurl,&usr_urlstruct); + if (rc) { + error("get_ldap_data: ldap_url_parse(UserUrl) -> ldap couldn't be parsed"); + return NULL; + } + + debug3("[LDAP] ldap url parsed"); + + /* open ldap connection */ + ld = ldap_init(usr_urlstruct->lud_host,usr_urlstruct->lud_port); + if(!ld) { + error("get_ldap_data: ldap_init()"); + /* free what has been allocated */ + ldap_free_urldesc(usr_urlstruct); + return NULL; + } + + /* setting V3 proto */ + if (ldap_set_option(ld,LDAP_OPT_PROTOCOL_VERSION,&version) != LDAP_OPT_SUCCESS) { + error("get_ldap_data: ldap couldn't set version "); + /* free what has been allocated */ + ldap_free_urldesc(usr_urlstruct); + return NULL; + } + + /* anonymous bind pubkey can be retrieved by anybody */ + if (ldap_simple_bind_s(ld,host->lpkbd,host->lpkbp) != LDAP_SUCCESS) { + error("get_ldap_data: ldap_simple_bind_s()"); + /* free what has been allocated */ + ldap_free_urldesc(usr_urlstruct); + return NULL; + } + + /* New filter group inclusive depend on the configuration */ + /* (&(objectclass=posixGroup)(&(cn=unix)(memberUid=eau))) */ + debug("[LDAP] group y/n?"); + if (host->lpksg && host->lpkgurl) { + debug2("[LDAP-group] '%s' part of group '%s'",pw->pw_name ,host->lpksg); + + /* url based 
ldap://hostport/dn[?attrs[?scope[?filter[?exts]]]] */ + rc = ldap_is_ldap_url(host->lpkgurl); + if (rc < 0) { + error("get_ldap_data: ldap_is_ldap_url(GroupUrl) -> ldap is not a url"); + ldap_free_urldesc(usr_urlstruct); + return NULL; + } + /* parse the Group URL format */ + rc = ldap_url_parse(host->lpkgurl,&grp_urlstruct); + if (rc) { + error("get_ldap_data: ldap_url_parse(GroupUrl) -> ldap couldn't be parsed"); + ldap_free_urldesc(usr_urlstruct); + return NULL; + } + /*snprintf(objbuf,LINEMAX,"(&(objectclass=posixGroup)(cn=%s)(memberUid=%s))",request->pk_group,request->pk_pw->pw_name);*/ + + REQUEST_GROUP(objbuf,pw->pw_name,host->lpksg); + + ldap_search_s(ld,grp_urlstruct->lud_dn,LDAP_SCOPE_SUBTREE,objbuf,NULL,0,&res); + i = ldap_count_entries(ld,res); + debug2("[LDAP-group] results: %d",i); + if (i <= 0) { + debug2("[LDAP-group] uid: %s not in '%s'",pw->pw_name, host->lpksg); + error("get_ldap_data: '%s' is not in '%s'", pw->pw_name, host->lpksg); + ldap_free_urldesc(usr_urlstruct); + ldap_free_urldesc(grp_urlstruct); + return NULL; + } + ldap_free_urldesc(grp_urlstruct); + } + + /* cleaning memory slots */ + memset(objbuf,0,LINEMAX); + + /* user request */ + /* (&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(&(cn=*groupname*)(uid=eau))) */ + /* snprintf(objbuf,LINEMAX,"(&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(uid=%s))",request->pk_pw->pw_name); + * */ + + debug2("[LDAP] searching '%s''s keys", pw->pw_name); + REQUEST_USER(objbuf,pw->pw_name); + + ldap_search_s(ld,usr_urlstruct->lud_dn,LDAP_SCOPE_SUBTREE,objbuf,NULL,0,&res); + i = ldap_count_entries(ld,res); + + if (i > 0) + for(e=ldap_first_entry(ld,res); e != NULL; e=ldap_next_entry(ld,e)) { + ldap_get_dn(ld,e); + for(a=ldap_first_attribute(ld,e,&ptr);a!=NULL;a=ldap_next_attribute(ld,e,ptr)) { + if(strncmp(a,"userCertificate",15) == 0) { + debug2("[LDAP] found some keys returning"); + vals=ldap_get_values_len(ld,e,a); + ldap_free_urldesc(usr_urlstruct); + 
ldap_unbind_s(ld); + return vals; + } /* end of if(strncmp) */ + } /* end of for */ + } /* end of for */ + + ldap_free_urldesc(usr_urlstruct); + ldap_unbind_s(ld); + + return NULL; +} +#endif /* returns 1 ok, -1 error */ int diff -X CVS -ruN ssh.orig/key.h ssh/key.h --- ssh.orig/key.h Mon Jul 11 21:06:26 2005 +++ ssh/key.h Mon Jul 11 22:12:32 2005 @@ -29,6 +29,11 @@ #include #include +#ifdef WITH_LDAP_PUBKEY +#include +#include +#endif + typedef struct Key Key; enum types { KEY_RSA1, @@ -65,6 +70,28 @@ const char *key_type(const Key *); int key_write(const Key *, FILE *); int key_read(Key *, char **); +#ifdef WITH_LDAP_PUBKEY + +#define KEY_ATTR "userCertificate" +#define GRP_ATTR "notknownyet" + +/* just nicer to look at */ +typedef struct berval pkdata; + +/* next step is to handle fallback on ldap servers */ +typedef struct ldaphost { + char *lpkuurl; /* LDAP users infos in URL format */ + char *lpkufltr; /* UserUrl filter */ + char *lpkgurl; /* LDAP groups infos in URL format */ + char *lpkgfltr; /* GroupUrl filter */ + char *lpkbd; /* bind DN */ + char *lpkbp; /* bind PW :> */ + char *lpksg; /* server group name */ + struct ldaphost *next; +} lh_t; + +pkdata **get_ldap_data(lh_t *, struct passwd *); +#endif u_int key_size(const Key *); Key *key_generate(int, u_int); diff -X CVS -ruN ssh.orig/servconf.c ssh/servconf.c --- ssh.orig/servconf.c Mon Jul 11 21:06:26 2005 +++ ssh/servconf.c Mon Jul 11 22:12:32 2005 
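Review bot: Every failure path after `ldap_init()` returns without `ldap_unbind_s(ld)`, neither `ldap_search_s()` result is ever passed to `ldap_msgfree()`, both `ldap_search_s()` return codes are ignored (so `res` is read unset when a search fails), and the `ldap_get_dn()` string, each `ldap_first_attribute()`/`ldap_next_attribute()` name and the `BerElement *ptr` are never released; a single `out:` label that frees whatever is non-NULL covers all of it, as in the excerpt below. `ldap_is_ldap_url()` returns non-zero for an LDAP URL and 0 otherwise, so `if (rc < 0)` never rejects anything; test `if (!rc)`. The directory is reached over plain `ldap_init()` + `ldap_simple_bind_s()` with no TLS, so the bind password and the returned key material are neither confidential nor integrity-protected in transit and the server is not authenticated; the header comment should record that as an explicit trust assumption (the patch preamble says TLS was dropped). The `/* anonymous bind ... */` comment is stale, since the bind uses the configured DN and password.
```c
pkdata ** get_ldap_data(lh_t *host, struct passwd *pw) {
	LDAP *ld = NULL;
	LDAPMessage *res = NULL, *e;
	LDAPURLDesc *usr_urlstruct = NULL, *grp_urlstruct = NULL;
	BerElement *ptr = NULL;
	struct berval **vals = NULL;
	int version = LDAP_VERSION3, rc, i;
	char *a, objbuf[LINEMAX];

	/* ldap_is_ldap_url() is a boolean: non-zero means "is an LDAP URL" */
	if (host->lpkuurl == NULL || !ldap_is_ldap_url(host->lpkuurl)) {
		error("get_ldap_data: ldap_is_ldap_url(UserUrl) -> ldap is not a url");
		goto out;
	}
	if (ldap_url_parse(host->lpkuurl, &usr_urlstruct) != 0) {
		error("get_ldap_data: ldap_url_parse(UserUrl) -> ldap couldn't be parsed");
		goto out;
	}
	ld = ldap_init(usr_urlstruct->lud_host, usr_urlstruct->lud_port);
	if (ld == NULL) {
		error("get_ldap_data: ldap_init()");
		goto out;
	}
	if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_OPT_SUCCESS) {
		error("get_ldap_data: ldap couldn't set version ");
		goto out;
	}
	/* Trust assumption: no TLS here, so the bind credentials and the keys
	 * we fetch travel in the clear and the server is not authenticated;
	 * the LDAP transport itself must be trusted. */
	if (ldap_simple_bind_s(ld, host->lpkbd, host->lpkbp) != LDAP_SUCCESS) {
		error("get_ldap_data: ldap_simple_bind_s()");
		goto out;
	}

	if (host->lpksg && host->lpkgurl) {
		/* … unchanged: group URL check/parse and REQUEST_GROUP(), each failure now `goto out` … */
		rc = ldap_search_s(ld, grp_urlstruct->lud_dn, LDAP_SCOPE_SUBTREE, objbuf, NULL, 0, &res);
		if (rc != LDAP_SUCCESS) {
			error("get_ldap_data: group search: %s", ldap_err2string(rc));
			goto out;
		}
		i = ldap_count_entries(ld, res);
		ldap_msgfree(res);
		res = NULL;
		if (i <= 0) {
			error("get_ldap_data: '%s' is not in '%s'", pw->pw_name, host->lpksg);
			goto out;
		}
	}

	/* … unchanged: memset(objbuf), REQUEST_USER() … */
	rc = ldap_search_s(ld, usr_urlstruct->lud_dn, LDAP_SCOPE_SUBTREE, objbuf, NULL, 0, &res);
	if (rc != LDAP_SUCCESS) {
		error("get_ldap_data: user search: %s", ldap_err2string(rc));
		goto out;
	}
	/* first key attribute of the first entry wins, as before */
	for (e = ldap_first_entry(ld, res); e != NULL && vals == NULL; e = ldap_next_entry(ld, e)) {
		for (a = ldap_first_attribute(ld, e, &ptr); a != NULL; a = ldap_next_attribute(ld, e, ptr)) {
			/* prefix compare keeps matching the ";binary" attribute option */
			if (vals == NULL && strncmp(a, KEY_ATTR, strlen(KEY_ATTR)) == 0)
				vals = ldap_get_values_len(ld, e, a);	/* caller frees with ldap_value_free_len() */
			ldap_memfree(a);
		}
		if (ptr != NULL) {
			ber_free(ptr, 0);
			ptr = NULL;
		}
	}

out:
	if (res != NULL)
		ldap_msgfree(res);
	if (grp_urlstruct != NULL)
		ldap_free_urldesc(grp_urlstruct);
	if (usr_urlstruct != NULL)
		ldap_free_urldesc(usr_urlstruct);
	if (ld != NULL)
		ldap_unbind_s(ld);
	return vals;	/* NULL on any failure or when no key attribute was found */
}
```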
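Review bot: `KEY_ATTR` is declared here but the get_ldap_data hunk in key.c compares against the literal `"userCertificate"` with a hard-coded length of 15; have key.c use `strncmp(a, KEY_ATTR, strlen(KEY_ATTR))` so the attribute name lives in one place, and either drop `GRP_ATTR` (`"notknownyet"`, unused on this page) or mark it `/* TODO: group attribute, not used yet */`. The comment on `lpkbp` (`/* bind PW :> */`) should say what the field holds, e.g. `/* bind password from lpkBindPw, plaintext as configured */`. The `_t` suffix of `lh_t` is reserved by POSIX; using `struct ldaphost` directly, or a name such as `lpk_host`, avoids the clash. `next` is documented only by `/* next step is to handle fallback on ldap servers */`; say on the field itself that nothing reads it yet.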
@@ -95,6 +95,17 @@ options->client_alive_count_max = -1; options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; +#ifdef WITH_LDAP_PUBKEY + options->lpk_opt.lpk_on = -1; + options->lpk_opt.lpk_user_server = NULL; + options->lpk_opt.lpk_user_filter = NULL; + options->lpk_opt.lpk_group_server = NULL; + options->lpk_opt.lpk_group_filter = NULL; + options->lpk_opt.lpk_binddn = NULL; + options->lpk_opt.lpk_bindpw = NULL; + options->lpk_opt.lpk_srvgrp = NULL; + options->lpk_opt.lpk_x509 = -1; +#endif options->num_accept_env = 0; /* Needs to be accessable in many places */ @@ -219,7 +230,26 @@ } if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; - +#ifdef WITH_LDAP_PUBKEY + if (options->lpk_opt.lpk_on == -1) + options->lpk_opt.lpk_on = _DEFAULT_LPK_ON; + if (options->lpk_opt.lpk_user_server == NULL) + options->lpk_opt.lpk_user_server = _DEFAULT_LPK_USRURL; + if (options->lpk_opt.lpk_user_filter == NULL) + options->lpk_opt.lpk_user_filter = _DEFAULT_LPK_USRFLTR; + if (options->lpk_opt.lpk_group_server == NULL) + options->lpk_opt.lpk_group_server = _DEFAULT_LPK_GRPURL; + if (options->lpk_opt.lpk_group_filter == NULL) + options->lpk_opt.lpk_group_filter = _DEFAULT_LPK_GRPFLTR; + if (options->lpk_opt.lpk_binddn == NULL) + options->lpk_opt.lpk_binddn = _DEFAULT_LPK_BINDDN; + if (options->lpk_opt.lpk_bindpw == NULL) + options->lpk_opt.lpk_bindpw = _DEFAULT_LPK_BINDPW; + if (options->lpk_opt.lpk_srvgrp == NULL) + options->lpk_opt.lpk_srvgrp = _DEFAULT_LPK_SGROUP; + if (options->lpk_opt.lpk_x509 == -1) + options->lpk_opt.lpk_x509 = _DEFAULT_LPK_X509; +#endif /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = 1; 
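Review bot: After defaults are filled, `lpk_on` can be 1 while `lpk_user_server` keeps its `_DEFAULT_LPK_USRURL` value of `NULL`, so a server with `lpkOn yes` and no `lpkUserUrl` starts cleanly and then fails inside `get_ldap_data()` on every public-key attempt. Reject the combination once, after configuration parsing, e.g. `if (options->lpk_opt.lpk_on && options->lpk_opt.lpk_user_server == NULL) fatal("lpkOn requires lpkUserUrl");`. The same applies to `lpk_srvgrp` being set while `lpk_group_server` is `NULL`, which `get_ldap_data()` silently treats as "no group check" because it tests `host->lpksg && host->lpkgurl`; either document that or warn about it here. The enclosing function continues outside the hunk.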
@@ -250,6 +280,9 @@ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sUsePrivilegeSeparation, sDeprecated, sUnsupported +#ifdef WITH_LDAP_PUBKEY + ,sPubkey_from_ldap, sLdap_userver, sLdap_ufilter, sLdap_gserver, sLdap_gfilter, sBinddn, sBindpw, sMgroup +#endif } ServerOpCodes; /* Textual representation of the tokens. */ @@ -336,6 +369,29 @@ { "clientalivecountmax", sClientAliveCountMax }, { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, +#ifdef WITH_LDAP_PUBKEY + /* old tokens */ + /* + { "pubkeyfromldap", sPubkey_from_ldap }, + { "ldapserver", sLdap_server }, + { "binddn", sBinddn }, + { "bindpw", sBindpw }, + { "mygroup", sMgroup }, + */ + + /* new one */ + { "lpkOn", sPubkey_from_ldap }, + { "lpkUserUrl", sLdap_userver }, + { "lpkUserFilter", sLdap_ufilter }, + { "lpkGroupUrl", sLdap_gserver }, + { "lpkGroupFilter", sLdap_gfilter }, + { "lpkBindDn", sBinddn }, + { "lpkBindPw", sBindpw }, + { "lpkServerGroup", sMgroup }, + /* later use + { "lpkUseX509", sUseX509 }, + */ +#endif { "useprivilegeseparation", sUsePrivilegeSeparation}, { "acceptenv", sAcceptEnv }, { NULL, sBadOption } 
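Review bot: The `/* old tokens */` block in the keywords table is commented-out code, and it references opcodes (`sLdap_server`, `sUseX509`) that the `ServerOpCodes` enum in the hunk above does not define, so it can never be re-enabled as written. Delete it together with the `/* later use */` stub and leave a one-line comment if the history matters, e.g. `/* lpk* replaces the pubkeyfromldap/ldapserver/binddn/bindpw/mygroup tokens of the original patch */`.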
@@ -908,6 +964,88 @@ while (arg) arg = strdelim(&cp); break; + +#ifdef WITH_LDAP_PUBKEY + case sPubkey_from_ldap: + intptr = &options->lpk_opt.lpk_on; + goto parse_flag; + case sLdap_userver: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing ldap server",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk_opt.lpk_user_server=xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sLdap_ufilter: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing UserUrl filter",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk_opt.lpk_user_filter=xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sLdap_gserver: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing ldap server",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk_opt.lpk_group_server=xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sLdap_gfilter: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing GroupUrl filter",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk_opt.lpk_group_filter=xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sBinddn: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing binddn",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk_opt.lpk_binddn = xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sBindpw: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing bindpw",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk_opt.lpk_bindpw=xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sMgroup: + p = line; + while (*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s 
line %d: missing groupname",filename, linenum); + arg[strlen(arg)] = '\0'; + options->lpk_opt.lpk_srvgrp = xstrdup(arg); + memset(arg,0,strlen(arg)); + break; +#endif default: fatal("%s line %d: Missing handler for opcode %s (%d)", diff -X CVS -ruN ssh.orig/servconf.h ssh/servconf.h --- ssh.orig/servconf.h Mon Jul 11 21:06:26 2005 +++ ssh/servconf.h Mon Jul 11 22:12:32 2005 @@ -35,6 +35,35 @@ #define PERMIT_NO_PASSWD 2 #define PERMIT_YES 3 +#ifdef WITH_LDAP_PUBKEY +#define _DEFAULT_LDAP_PUBKEY_SERVER NULL +#define _DEFAULT_BASEDN NULL + +#define _DEFAULT_LPK_ON 0 +#define _DEFAULT_LPK_X509 0 +#define _DEFAULT_LPK_USRURL NULL +#define _DEFAULT_LPK_USRFLTR "(&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(uid=%s))" +#define _DEFAULT_LPK_GRPURL NULL +#define _DEFAULT_LPK_GRPFLTR "(&(objectclass=posixGroup)(cn=%s)(memberUid=%s))" +#define _DEFAULT_LPK_BINDDN NULL +#define _DEFAULT_LPK_BINDPW NULL +#define _DEFAULT_LPK_SGROUP NULL + +/* later we will change lpk_on and lpk_x509 and other binary flags using a short + * flag register-like with AND/OR operations */ +typedef struct { + int lpk_on; /* enable Ldap PubKey */ + char *lpk_user_server; /* ldap URL format where pubkeys are */ + char *lpk_user_filter; /* User filter */ + char *lpk_group_server; /* ldap URL format where pubkeys are */ + char *lpk_group_filter; /* Group filter */ + char *lpk_binddn; /* ldap base dn where users resides */ + char *lpk_bindpw; /* ldap bind passwd */ + char *lpk_srvgrp; /* ldap server group name, NULL if deactivated */ + int lpk_x509; +} ldap_opt; +#endif + #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ typedef struct { 
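Review bot: The `p = line; while(*p++); arg = p;` idiom in every lpk* case reads the bytes that follow the keyword's terminating NUL, so the `if (!arg || *arg == '\0')` test cannot detect a missing argument: when the keyword stands alone, `p` lands on whatever the buffer holds next (the following line, or one byte past the end of the string for the last line) and that text is stored as the server URL, filter or bind password. The remainder of the line is already available as `cp`, the pointer left by the `strdelim()` that consumed the keyword at the top of the function (outside the hunk), with leading whitespace skipped and spaces and parentheses intact, so the rest-of-line behaviour this hack is after comes from `cp` directly. The seven cases differ only in destination field and message, and a helper also restores the first-value-wins rule the other string options in this switch follow, where the hunk currently overwrites and leaks an earlier value. `arg[strlen(arg)] = '\0';` writes a NUL where one already is and can go.
```c
/* Rest-of-line argument for the lpk* string options: everything after the
 * keyword, spaces and parentheses included, so an LDAP filter survives.
 * `rest' is the strdelim() remainder; NULL or empty means no argument. */
static void
lpk_set_string(char **dst, char *rest, const char *filename, int linenum,
    const char *what)
{
	if (rest == NULL || *rest == '\0')
		fatal("%s line %d: missing %s", filename, linenum, what);
	if (*dst == NULL)	/* first obtained value wins, as for the other string options */
		*dst = xstrdup(rest);
	memset(rest, 0, strlen(rest));	/* scrub this copy of the line, as the original did */
}

	/* … in process_server_config_line(): … */
	case sLdap_userver:
		lpk_set_string(&options->lpk_opt.lpk_user_server, cp,
		    filename, linenum, "ldap server");
		break;
	/* … same shape for sLdap_ufilter, sLdap_gserver, sLdap_gfilter,
	 *     sBinddn, sBindpw and sMgroup, each with its own field and message … */
```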
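Review bot: All the `_DEFAULT_*` names begin with an underscore followed by an uppercase letter, which C reserves for the implementation; rename them `DEFAULT_LPK_*` to match the `DEFAULT_AUTH_FAIL_MAX` context line below them. `_DEFAULT_LDAP_PUBKEY_SERVER` and `_DEFAULT_BASEDN` are defined but used by nothing in this patch, so drop them. The comment on `lpk_binddn`, `/* ldap base dn where users resides */`, describes a search base, but the field is the bind identity passed to `ldap_simple_bind_s()`; write `/* DN to bind as (lpkBindDn), NULL for anonymous */`, and give `lpk_x509` a comment such as `/* lpkUseX509; parsed nowhere yet, always the default */`.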
@@ -133,6 +162,9 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; +#ifdef WITH_LDAP_PUBKEY + ldap_opt lpk_opt; +#endif } ServerOptions; void initialize_server_options(ServerOptions *); diff -X CVS -ruN ssh.orig/sshd_config ssh/sshd_config --- ssh.orig/sshd_config Mon Jul 11 21:06:26 2005 +++ ssh/sshd_config Mon Jul 11 22:12:32 2005 @@ -67,6 +67,18 @@ #GSSAPIAuthentication no #GSSAPICleanupCredentials yes +# LDAP PubKeys options +# entries in your LDAP must be posixAccount & strongAuthenticationUser +lpkOn no +#lpkUserUrl ldap://127.0.0.1/ou=users,dc=mydomain,dc=net +#lpkUserFilter (&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(uid=%s)) #default value +#lpkGroupUrl ldap://127.0.0.1/ou=groups,dc=mydomain,dc=net +#lpkGroupFilter (&(objectclass=posixGroup)(cn=%s)(memberUid=%s)) #default value +#lpkBindDn cn=Manager,dc=mydomain,dc=net +#lpkBindPw secret +#lpkServerGroup unix +#lpkUseX509 no #NOT implemented yet + #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no diff -X CVS -ruN ssh.orig/sshd_config.5 ssh/sshd_config.5 --- ssh.orig/sshd_config.5 Mon Jul 11 21:06:26 2005 +++ ssh/sshd_config.5 Mon Jul 11 22:12:32 2005 
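Review bot: `#lpkUserFilter (...) #default value`, `#lpkGroupFilter (...) #default value` and `#lpkUseX509 no #NOT implemented yet` put a remark on the same line as the option; sshd_config has no trailing-comment syntax, and the lpk* handlers in the servconf.c hunk store the rest of the line verbatim, so an administrator who uncomments one of these lines ships ` #default value` into the LDAP filter. Move each remark to its own `#` line above the option. `lpkOn no` is the only active line in a block of commented-out defaults; write it `#lpkOn no` like the neighbouring `#GSSAPIAuthentication no`, since 0 is already the compiled-in default. `lpkUseX509` has no entry in the servconf.c keywords table (it is commented out there), so enabling it here would be rejected as an unknown option; either omit it or say so on its comment line.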
@@ -739,6 +739,54 @@ program. The default is .Pa /usr/X11R6/bin/xauth . +.It Cm lpkOn +Enable LDAP public key resolution. The argument must be +.Dq yes +or +.Dq no . +.It Cm lpkGroupUrl/lpkUserUrl +Specifies LDAP User/Group in URL format. the following form may be used: +.Pp +.Bl -item -offset indent -compact +.It +.Cm lpkUserUrl +.Sm off +.Ar ldap://127.0.0.1/ou=users,dc=mydomain,dc=net +.Sm on +.It +.Cm lpkGroupUrl +.Sm off +.Ar ldap://127.0.0.1/ou=groups,dc=mydomain,dc=net +.Sm on +.El +.Pp +.It Cm lpkUserFilter/lpkGroupFilter +Specifies a filter to apply on searches +.Pp +.Bl -item -offset indent -compact +.It +.Cm lpkUserFilter +.Sm off +.Ar (&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(uid=%s)) +.Sm on +.It +.Cm lpkGroupFilter +.Sm off +.Ar (&(objectclass=posixGroup)(cn=%s)(memberUid=%s)) +.Sm on +.El +.Pp +.It Cm lpkBindDn +Specifies a LDAP bind DN to use when doing ldap lookups. +.It Cm lpkBindPw +Specifies a LDAP bind Password associated to the previous token. +.It Cm lpkServerGroup +Specifies the group is the host is part of. +.It Cm lpkUseX509 +Enable X509 public key support The argument must be +.Dq yes +or +.Dq no . .El .Ss Time Formats .Nm sshd