rpms/openssh/devel openssh-5.5p1-authorized-keys-command.patch, NONE, 1.1 openssh-5.5p1-ldap.patch, 1.2, 1.3 openssh-5.5p1-kuserok.patch, 1.1, 1.2 openssh.spec, 1.220, 1.221 openssh-5.5p1-pka-ldap.patch, 1.7, NONE
Jan F. Chadima
jfch2222 at fedoraproject.org
Wed Jul 7 13:48:36 UTC 2010
Author: jfch2222
Update of /cvs/pkgs/rpms/openssh/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv2602
Modified Files:
openssh-5.5p1-kuserok.patch openssh.spec
Added Files:
openssh-5.5p1-authorized-keys-command.patch
openssh-5.5p1-ldap.patch
Removed Files:
openssh-5.5p1-pka-ldap.patch
Log Message:
* Wed Jul 7 2010 Jan F. Chadima <jchadima at redhat.com> - 5.5p1-18 + 0.9.2-26
- merged with newer bugzilla's version of authorized keys command patch
openssh-5.5p1-authorized-keys-command.patch:
auth2-pubkey.c | 197 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
configure.ac | 13 +++
servconf.c | 28 ++++++++
servconf.h | 2
sshd_config | 2
sshd_config.0 | 20 +++++
sshd_config.5 | 17 ++++
7 files changed, 262 insertions(+), 17 deletions(-)
--- NEW FILE openssh-5.5p1-authorized-keys-command.patch ---
diff -ruN openssh-5.5p1.orig/auth2-pubkey.c openssh-5.5p1/auth2-pubkey.c
--- openssh-5.5p1.orig/auth2-pubkey.c 2010-03-21 14:51:21.000000000 -0400
+++ openssh-5.5p1/auth2-pubkey.c 2010-07-03 20:23:43.000000000 -0400
@@ -27,6 +27,7 @@
#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/wait.h>
#include <fcntl.h>
#include <pwd.h>
@@ -178,27 +178,15 @@
/* return 1 if user allows given key */
static int
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
{
char line[SSH_MAX_PUBKEY_BYTES];
const char *reason;
int found_key = 0;
- FILE *f;
u_long linenum = 0;
Key *found;
char *fp;
- /* Temporarily use the user's uid. */
- temporarily_use_uid(pw);
-
- debug("trying public key file %s", file);
- f = auth_openkeyfile(file, pw, options.strict_modes);
-
- if (!f) {
- restore_uid();
- return 0;
- }
-
found_key = 0;
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
@@ -273,8 +261,6 @@
break;
}
}
- restore_uid();
- fclose(f);
key_free(found);
if (!found_key)
debug2("key not found");
@@ -321,13 +307,191 @@
return ret;
}
-/* check whether given key is in .ssh/authorized_keys* */
+/* return 1 if user allows given key */
+static int
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
+{
+ FILE *f;
+ int found_key = 0;
+
+ /* Temporarily use the user's uid. */
+ temporarily_use_uid(pw);
+
+ debug("trying public key file %s", file);
+ f = auth_openkeyfile(file, pw, options.strict_modes);
+
+ if (f) {
+ found_key = user_search_key_in_file (f, file, key, pw);
+ fclose(f);
+ }
+
+ restore_uid();
+ return found_key;
+}
+
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
+
+#define WHITESPACE " \t\r\n"
+
+/* return 1 if user allows given key */
+static int
+user_key_via_command_allowed2(struct passwd *pw, Key *key)
+{
+ FILE *f;
+ int found_key = 0;
+ char *progname = NULL;
+ char *cp;
+ struct passwd *runas_pw;
+ struct stat st;
+ int childdescriptors[2], i;
+ pid_t pstat, pid, child;
+
+ if (options.authorized_keys_command == NULL || options.authorized_keys_command[0] != '/')
+ return -1;
+
+ /* get the run as identity from config */
+ runas_pw = (options.authorized_keys_command_runas == NULL)? pw
+ : getpwnam (options.authorized_keys_command_runas);
+ if (!runas_pw) {
+ error("%s: getpwnam(\"%s\"): %s", __func__,
+ options.authorized_keys_command_runas, strerror(errno));
+ return 0;
+ }
+
+ /* Temporarily use the specified uid. */
+ if (runas_pw->pw_uid != 0)
+ temporarily_use_uid(runas_pw);
+
+ progname = xstrdup(options.authorized_keys_command);
+
+ debug3("%s: checking program '%s'", __func__, progname);
+
+ if (stat (progname, &st) < 0) {
+ error("%s: stat(\"%s\"): %s", __func__,
+ progname, strerror(errno));
+ goto go_away;
+ }
+
+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+ error("bad ownership or modes for AuthorizedKeysCommand \"%s\"",
+ progname);
+ goto go_away;
+ }
+
+ if (!S_ISREG(st.st_mode)) {
+ error("AuthorizedKeysCommand \"%s\" is not a regular file",
+ progname);
+ goto go_away;
+ }
+
+ /*
+ * Descend the path, checking that each component is a
+ * root-owned directory with strict permissions.
+ */
+ do {
+ if ((cp = strrchr(progname, '/')) == NULL)
+ break;
+ else
+ *cp = '\0';
+
+ debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname));
+
+ if (stat((*progname == '\0' ? "/" : progname), &st) != 0) {
+ error("%s: stat(\"%s\"): %s", __func__,
+ progname, strerror(errno));
+ goto go_away;
+ }
+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+ error("bad ownership or modes for AuthorizedKeysCommand path component \"%s\"",
+ progname);
+ goto go_away;
+ }
+ if (!S_ISDIR(st.st_mode)) {
+ error("AuthorizedKeysCommand path component \"%s\" is not a directory",
+ progname);
+ goto go_away;
+ }
+ } while (1);
+
+ /* open the pipe and read the keys */
+ if (pipe(childdescriptors)) {
+ error("failed to pipe(2) for AuthorizedKeysCommand: %s",
+ strerror(errno));
+ goto go_away;
+ }
+
+ child = fork();
+ if (child == -1) {
+ error("failed to fork(2) for AuthorizedKeysCommand: %s",
+ strerror(errno));
+ goto go_away;
+ } else if (child == 0) {
+ /* we're in the child process here -- we should never return from this block. */
+ /* permanently drop privs in child process */
+ if (runas_pw->pw_uid != 0) {
+ restore_uid();
+ permanently_set_uid(runas_pw);
+ }
+
+ close(childdescriptors[0]);
+ /* put the write end of the pipe on stdout (FD 1) */
+ if (dup2(childdescriptors[1], 1) == -1) {
+ error("failed to dup2(2) from AuthorizedKeysCommand: %s",
+ strerror(errno));
+ _exit(127);
+ }
+
+ debug3("about to execl() AuthorizedKeysCommand: \"%s\" \"%s\"", options.authorized_keys_command, pw->pw_name);
+ /* see session.c:child_close_fds() */
+ for (i = 3; i < 64; ++i) {
+ close(i);
+ }
+
+ execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL);
+
+ /* if we got here, it didn't work */
+ error("failed to execl AuthorizedKeysCommand: %s", strerror(errno)); /* this won't work because we closed the fds above */
+ _exit(127);
+ }
+
+ close(childdescriptors[1]);
+ f = fdopen(childdescriptors[0], "r");
+ if (!f) {
+ error("%s: could not buffer FDs from AuthorizedKeysCommand (\"%s\", \"r\"): %s", __func__,
+ options.authorized_keys_command, strerror (errno));
+ goto go_away;
+ }
+
+ found_key = user_search_key_in_file (f, options.authorized_keys_command, key, pw);
+ fclose (f);
+ do {
+ pid = waitpid(child, &pstat, 0);
+ } while (pid == -1 && errno == EINTR);
+
+ /* what about the return value from the child process? */
+go_away:
+ if (progname)
+ xfree (progname);
+
+ if (runas_pw->pw_uid != 0)
+ restore_uid();
+ return found_key;
+}
+#endif
+
+/* check whether given key is in <AuthorizedKeysCommand or .ssh/authorized_keys* */
int
user_key_allowed(struct passwd *pw, Key *key)
{
int success;
char *file;
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
+ success = user_key_via_command_allowed2(pw, key);
+ if (success > 0)
+ return success;
+#endif
+
if (auth_key_is_revoked(key))
return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
diff -ruN openssh-5.5p1.orig/configure.ac openssh-5.5p1/configure.ac
--- openssh-5.5p1.orig/configure.ac 2010-04-10 08:58:01.000000000 -0400
+++ openssh-5.5p1/configure.ac 2010-07-03 19:57:42.000000000 -0400
@@ -1346,6 +1346,18 @@
esac ]
)
+# Check whether user wants AuthorizedKeysCommand support
+AKC_MSG="no"
+AC_ARG_WITH(authorized-keys-command,
+ [ --with-authorized-keys-command Enable AuthorizedKeysCommand support],
+ [
+ if test "x$withval" != "xno" ; then
+ AC_DEFINE([WITH_AUTHORIZED_KEYS_COMMAND], 1, [Enable AuthorizedKeysCommand support])
+ AKC_MSG="yes"
+ fi
+ ]
+)
+
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS( \
arc4random \
@@ -4181,6 +4193,7 @@
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
+echo " AuthorizedKeysCommand support: $AKC_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -ruN openssh-5.5p1.orig/servconf.c openssh-5.5p1/servconf.c
--- openssh-5.5p1.orig/servconf.c 2010-03-25 19:40:04.000000000 -0400
+++ openssh-5.5p1/servconf.c 2010-07-03 19:59:07.000000000 -0400
@@ -128,6 +128,8 @@
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
+ options->authorized_keys_command = NULL;
+ options->authorized_keys_command_runas = NULL;
options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
@@ -311,6 +313,7 @@
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -432,6 +435,13 @@
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
+#else
+ { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL },
+ { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL },
+#endif
{ NULL, sBadOption, 0 }
};
@@ -1345,6 +1355,20 @@
charptr = &options->revoked_keys_file;
goto parse_filename;
+ case sAuthorizedKeysCommand:
+ len = strspn(cp, WHITESPACE);
+ if (*activep && options->authorized_keys_command == NULL)
+ options->authorized_keys_command = xstrdup(cp + len);
+ return 0;
+
+ case sAuthorizedKeysCommandRunAs:
+ charptr = &options->authorized_keys_command_runas;
+
+ arg = strdelim(&cp);
+ if (*activep && *charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
+
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
@@ -1438,6 +1462,8 @@
M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(rsa_authentication);
M_CP_INTOPT(pubkey_authentication);
+ M_CP_STROPT(authorized_keys_command);
+ M_CP_STROPT(authorized_keys_command_runas);
M_CP_INTOPT(kerberos_authentication);
M_CP_INTOPT(hostbased_authentication);
M_CP_INTOPT(kbd_interactive_authentication);
@@ -1682,6 +1708,8 @@
dump_cfg_string(sChrootDirectory, o->chroot_directory);
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
+ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
+ dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -ruN openssh-5.5p1.orig/servconf.h openssh-5.5p1/servconf.h
--- openssh-5.5p1.orig/servconf.h 2010-03-04 05:53:35.000000000 -0500
+++ openssh-5.5p1/servconf.h 2010-07-03 19:57:42.000000000 -0400
@@ -156,6 +156,8 @@
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
+ char *authorized_keys_command;
+ char *authorized_keys_command_runas;
} ServerOptions;
void initialize_server_options(ServerOptions *);
diff -ruN openssh-5.5p1.orig/sshd_config openssh-5.5p1/sshd_config
--- openssh-5.5p1.orig/sshd_config 2009-10-11 06:51:09.000000000 -0400
+++ openssh-5.5p1/sshd_config 2010-07-03 19:57:42.000000000 -0400
@@ -44,6 +44,8 @@
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
diff -ruN openssh-5.5p1.orig/sshd_config.0 openssh-5.5p1/sshd_config.0
--- openssh-5.5p1.orig/sshd_config.0 2010-04-15 20:17:12.000000000 -0400
+++ openssh-5.5p1/sshd_config.0 2010-07-03 19:57:42.000000000 -0400
@@ -352,7 +352,8 @@
KbdInteractiveAuthentication, KerberosAuthentication,
MaxAuthTries, MaxSessions, PasswordAuthentication,
PermitEmptyPasswords, PermitOpen, PermitRootLogin,
- PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
+ PubkeyAuthentication, AuthorizedKeysCommand, AuthorizedKeysCommandRunAs,
+ RhostsRSAAuthentication, RSAAuthentication,
X11DisplayOffset, X11Forwarding and X11UseLocalHost.
MaxAuthTries
@@ -467,6 +468,23 @@
this file is not readable, then public key authentication will be
refused for all users.
+ AuthorizedKeysCommand
+
+ Specifies a program to be used for lookup of the user's
+ public keys. The program will be invoked with its first
+ argument the name of the user being authorized, and should produce
+ on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
+ in sshd(8)). By default (or when set to the empty string) there is no
+ AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully
+ authorize the user, authorization falls through to the
+ AuthorizedKeysFile. Note that this option has an effect
+ only with PubkeyAuthentication turned on.
+
+ AuthorizedKeysCommandRunAs
+ Specifies the user under whose account the AuthorizedKeysCommand is run.
+ Empty string (the default value) means the user being authorized
+ is used.
+
RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication to-
gether with successful RSA host authentication is allowed. The
diff -ruN openssh-5.5p1.orig/sshd_config.5 openssh-5.5p1/sshd_config.5
--- openssh-5.5p1.orig/sshd_config.5 2010-03-04 18:41:45.000000000 -0500
+++ openssh-5.5p1/sshd_config.5 2010-07-03 19:57:42.000000000 -0400
@@ -618,6 +618,9 @@
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
+.Cm PubkeyAuthentication ,
+.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandRunAs ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
@@ -819,6 +822,20 @@
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
+.It Cm AuthorizedKeysCommand
+Specifies a program to be used for lookup of the user's
+public keys. The program will be invoked with its first
+argument the name of the user being authorized, and should produce
+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
+in sshd(8)). By default (or when set to the empty string) there is no
+AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully
+authorize the user, authorization falls through to the
+AuthorizedKeysFile. Note that this option has an effect
+only with PubkeyAuthentication turned on.
+.It Cm AuthorizedKeysCommandRunAs
+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty
+string (the default value) means the user being authorized is used.
+.Dq
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
openssh-5.5p1-ldap.patch:
Makefile.in | 32 +-
README.lpk | 274 +++++++++++++++++
configure.ac | 100 ++++++
ldap-helper.c | 154 +++++++++
ldap-helper.h | 32 ++
ldap.conf | 88 +++++
ldapbody.c | 494 +++++++++++++++++++++++++++++++
ldapbody.h | 37 ++
ldapconf.c | 682 ++++++++++++++++++++++++++++++++++++++++++++
ldapconf.h | 71 ++++
ldapincludes.h | 41 ++
ldapmisc.c | 79 +++++
ldapmisc.h | 35 ++
lpk-user-example.txt | 117 +++++++
openssh-lpk-openldap.schema | 21 +
openssh-lpk-sun.schema | 23 +
ssh-ldap-helper.8 | 78 +++++
ssh-ldap.conf.5 | 373 ++++++++++++++++++++++++
18 files changed, 2725 insertions(+), 6 deletions(-)
View full diff with command:
/usr/bin/cvs -n -f diff -kk -u -p -N -r 1.2 -r 1.3 openssh-5.5p1-ldap.patchIndex: openssh-5.5p1-ldap.patch
===================================================================
RCS file: openssh-5.5p1-ldap.patch
diff -N openssh-5.5p1-ldap.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ openssh-5.5p1-ldap.patch 7 Jul 2010 13:48:36 -0000 1.3
@@ -0,0 +1,2876 @@
+diff -up openssh-5.5p1/configure.ac.ldap openssh-5.5p1/configure.ac
+--- openssh-5.5p1/configure.ac.ldap 2010-07-07 14:36:34.000000000 +0200
++++ openssh-5.5p1/configure.ac 2010-07-07 14:36:34.000000000 +0200
+@@ -1358,6 +1358,106 @@ AC_ARG_WITH(authorized-keys-command,
+ ]
+ )
+
++# Check whether user wants LDAP support
++LDAP_MSG="no"
++INSTALL_SSH_LDAP_HELPER=""
++AC_ARG_WITH(ldap,
++ [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++
++ INSTALL_SSH_LDAP_HELPER="yes"
++ CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
++
++ if test "x$withval" != "xyes" ; then
++ CPPFLAGS="$CPPFLAGS -I${withval}/include"
++ LDFLAGS="$LDFLAGS -L${withval}/lib"
++ fi
++
++ AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
++ LDAP_MSG="yes"
++
++ AC_CHECK_HEADERS(lber.h)
++ AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
++ AC_CHECK_HEADERS(ldap_ssl.h)
++
++ AC_ARG_WITH(ldap-lib,
++ [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
++
++ if test -z "$with_ldap_lib"; then
++ with_ldap_lib=auto
++ fi
++
++ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
++ AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
++ AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
++ fi
++
++ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
++ AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
++ fi
++
++ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
++ AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
++ if test -z "$found_ldap_lib"; then
++ AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
++ fi
++ if test -z "$found_ldap_lib"; then
++ AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
++ fi
++ if test -z "$found_ldap_lib"; then
++ AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
++ fi
++ fi
++
++ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
++ AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
++ fi
++
++ if test -z "$found_ldap_lib"; then
++ AC_MSG_ERROR(could not locate a valid LDAP library)
++ fi
++
++ AC_MSG_CHECKING([for working LDAP support])
++ AC_TRY_COMPILE(
++ [#include <sys/types.h>
++ #include <ldap.h>],
++ [(void)ldap_init(0, 0);],
++ [AC_MSG_RESULT(yes)],
++ [
++ AC_MSG_RESULT(no)
++ AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
++ ])
++ AC_CHECK_FUNCS( \
++ ldap_init \
++ ldap_get_lderrno \
++ ldap_set_lderrno \
++ ldap_parse_result \
++ ldap_memfree \
++ ldap_controls_free \
++ ldap_set_option \
++ ldap_get_option \
++ ldapssl_init \
++ ldap_start_tls_s \
++ ldap_pvt_tls_set_option \
++ ldap_initialize \
++ )
++ AC_CHECK_FUNCS(ldap_set_rebind_proc,
++ AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
++ AC_TRY_COMPILE(
++ [#include <lber.h>
++ #include <ldap.h>],
++ [ldap_set_rebind_proc(0, 0, 0);],
++ [ac_cv_ldap_set_rebind_proc=3],
++ [ac_cv_ldap_set_rebind_proc=2])
++ AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
++ AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
++ )
++ fi
++ ]
++)
++AC_SUBST(INSTALL_SSH_LDAP_HELPER)
++
+ dnl Checks for library functions. Please keep in alphabetical order
+ AC_CHECK_FUNCS( \
+ arc4random \
+diff -up openssh-5.5p1/ldapbody.c.ldap openssh-5.5p1/ldapbody.c
+--- openssh-5.5p1/ldapbody.c.ldap 2010-07-07 14:36:34.000000000 +0200
++++ openssh-5.5p1/ldapbody.c 2010-07-07 14:36:34.000000000 +0200
+@@ -0,0 +1,494 @@
++/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
++/*
++ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "ldapincludes.h"
++#include "log.h"
++#include "xmalloc.h"
++#include "ldapconf.h"
++#include "ldapmisc.h"
++#include "ldapbody.h"
++#include <stdio.h>
++#include <unistd.h>
++
++#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
++#define PUBKEYATTR "sshPublicKey"
++#define LDAP_LOGFILE "%s/ldap.%d"
++
++static FILE *logfile = NULL;
++static LDAP *ld;
++
++static char *attrs[] = {
++ PUBKEYATTR,
++ NULL
++};
++
++void
++ldap_checkconfig (void)
++{
++#ifdef HAVE_LDAP_INITIALIZE
++ if (options.host == NULL && options.uri == NULL)
++#else
++ if (options.host == NULL)
++#endif
++ fatal ("missing \"host\" in config file");
++}
++
++#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
++static int
++_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
++{
++ struct timeval timeout;
++ int rc;
++#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
++ LDAPMessage *result;
++#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
++
++ debug2 ("Doing LDAP rebind to %s", options.binddn);
++ if (options.ssl == SSL_START_TLS) {
++ if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
++ error ("ldap_starttls_s: %s", ldap_err2string (rc));
++ return LDAP_OPERATIONS_ERROR;
++ }
++ }
++
++#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
++ return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
++#else
++ if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
[...2483 lines suppressed...]
++The default is yes.
++.It Cm TLS_CheckPeer
++Specifies what checks to perform on server certificates in a TLS session,
++if any. The value
++can be specified as one of the following keywords:
++.Dq never ,
++.Dq hard ,
++.Dq demand ,
++.Dq allow
++and
++.Dq try .
++.Dq true ,
++.Dq on
++and
++.Dq yes
++are aliases for
++.Dq hard .
++.Dq false ,
++.Dq off
++and
++.Dq no
++are the aliases for
++.Dq never .
++The value
++.Dq never
++means that the client will not request or check any server certificate.
++The value
++.Dq allow
++means that the server certificate is requested. If no certificate is provided,
++the session proceeds normally. If a bad certificate is provided, it will
++be ignored and the session proceeds normally.
++The value
++.Dq try
++means that the server certificate is requested. If no certificate is provided,
++the session proceeds normally. If a bad certificate is provided,
++the session is immediately terminated.
++The value
++.Dq demand
++means that the server certificate is requested. If no
++certificate is provided, or a bad certificate is provided, the session
++is immediately terminated.
++The value
++.Dq hard
++is the same as
++.Dq demand .
++It requires an SSL connection. In the case of the plain conection the
++session is immediately terminated.
++The default is
++.Dq hard .
++.It Cm TLS_ReqCert
++Is an alias for
++.Cm TLS_CheckPeer .
++.It Cm TLS_CACertFile
++Specifies the file that contains certificates for all of the Certificate
++Authorities the client will recognize.
++There is no default.
++.It Cm TLS_CACert
++Is an alias for
++.Cm TLS_CACertFile .
++.It Cm TLS_CACertDIR
++Specifies the path of a directory that contains Certificate Authority
++certificates in separate individual files. The
++.Cm TLS_CACert
++is always used before
++.Cm TLS_CACertDir .
++The specified directory must be managed with the OpenSSL c_rehash utility.
++There is no default.
++.It Cm TLS_Ciphers
++Specifies acceptable cipher suite and preference order.
++The value should be a cipher specification for OpenSSL,
++e.g.,
++.Dq HIGH:MEDIUM:+SSLv2 .
++The default is
++.Dq ALL .
++.It Cm TLS_Cipher_Suite
++Is an alias for
++.Cm TLS_Ciphers .
++.It Cm TLS_Cert
++Specifies the file that contains the client certificate.
++There is no default.
++.It Cm TLS_Certificate
++Is an alias for
++.Cm TLS_Cert .
++.It Cm TLS_Key
++Specifies the file that contains the private key that matches the certificate
++stored in the
++.Cm TLS_Cert
++file. Currently, the private key must not be protected with a password, so
++it is of critical importance that the key file is protected carefully.
++There is no default.
++.It Cm TLS_RandFile
++Specifies the file to obtain random bits from when /dev/[u]random is
++not available. Generally set to the name of the EGD/PRNGD socket.
++The environment variable RANDFILE can also be used to specify the filename.
++There is no default.
++.It Cm LogDir
++Specifies the directory used for logging by the LDAP client library.
++There is no default.
++.It Cm Debug
++Specifies the debug level used for logging by the LDAP client library.
++There is no default.
++.It Cm SSH_Filter
++Specifies the user filter applied on the LDAP serch.
++The default is no filter.
++.Sh FILES
++.Bl -tag -width Ds
++.It Pa /etc/ssh/ldap.conf
++Ldap configuration file for
++.Xr ssh-ldap-helper 8 .
++.Sh "SEE ALSO"
++.Xr ldap.conf 5 ,
++.Xr ssh-ldap-helper 8
++.Sh HISTORY
++.Nm
++first appeared in
++OpenSSH 5.5 + PKA-LDAP .
++.Sh AUTHORS
++.An Jan F. Chadima Aq jchadima at redhat.com
+diff -up openssh-5.5p1/ssh-ldap-helper.8.ldap openssh-5.5p1/ssh-ldap-helper.8
+--- openssh-5.5p1/ssh-ldap-helper.8.ldap 2010-07-07 14:36:35.000000000 +0200
++++ openssh-5.5p1/ssh-ldap-helper.8 2010-07-07 14:36:35.000000000 +0200
+@@ -0,0 +1,78 @@
++.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
++.\"
++.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
++.\"
++.\" Permission to use, copy, modify, and distribute this software for any
++.\" purpose with or without fee is hereby granted, provided that the above
++.\" copyright notice and this permission notice appear in all copies.
++.\"
++.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++.\"
++.Dd $Mdocdate: April 29 2010 $
++.Dt SSH-LDAP-HELPER 8
++.Os
++.Sh NAME
++.Nm ssh-ldap-helper
++.Nd sshd helper program for ldap support
++.Sh SYNOPSIS
++.Nm ssh-ldap-helper
++.Op Fl devw
++.Op Fl f Ar file
++.Op Fl s Ar user
++.Sh DESCRIPTION
++.Nm
++is used by
++.Xr sshd 1
++to access keys provided by an LDAP.
++.Nm
++is disabled by default and can only be enabled in the
++sshd configuration file
++.Pa /etc/ssh/sshd_config
++by setting
++.Cm AuthorizedKeysCommand
++to
++.Dq /usr/libexec/ssh-ldap-helper -s %u .
++.Pp
++.Nm
++is not intended to be invoked by the user, but from
++.Xr sshd 8 .
++.Pp
++The options are as follows:
++.Bl -tag -width Ds
++.It Fl d
++Set the debug mode;
++.Nm
++prints all logs to stderr instead of syslog.
++.It Fl e
++Implies \-w;
++.Nm
++halts if it encounters an unknown item in the ldap.conf file.
++.It Fl f
++.Nm
++uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
++.It Fl s
++.Nm
++prints out the user's keys to stdout and exits.
++.It Fl v
++Implies \-d;
++increases verbosity.
++.It Fl w
++.Nm
++writes warnings about unknown items in the ldap.conf configuration file.
++
++.Sh SEE ALSO
++.Xr sshd 8 ,
++.Xr sshd_config 5 ,
++.Xr ssh-ldap.conf 5 ,
++.Sh HISTORY
++.Nm
++first appeared in
++OpenSSH 5.5 + PKA-LDAP .
++.Sh AUTHORS
++.An Jan F. Chadima Aq jchadima at redhat.com
openssh-5.5p1-kuserok.patch:
auth-krb5.c | 8 +++++---
servconf.c | 13 ++++++++++++-
servconf.h | 1 +
sshd_config | 1 +
sshd_config.5 | 5 +++++
5 files changed, 24 insertions(+), 4 deletions(-)
Index: openssh-5.5p1-kuserok.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh-5.5p1-kuserok.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- openssh-5.5p1-kuserok.patch 8 Jun 2010 10:06:35 -0000 1.1
+++ openssh-5.5p1-kuserok.patch 7 Jul 2010 13:48:36 -0000 1.2
@@ -1,6 +1,6 @@
diff -up openssh-5.5p1/auth-krb5.c.kuserok openssh-5.5p1/auth-krb5.c
---- openssh-5.5p1/auth-krb5.c.kuserok 2010-06-08 11:40:10.000000000 +0200
-+++ openssh-5.5p1/auth-krb5.c 2010-06-08 11:40:11.000000000 +0200
+--- openssh-5.5p1/auth-krb5.c.kuserok 2010-07-07 13:12:01.000000000 +0200
++++ openssh-5.5p1/auth-krb5.c 2010-07-07 13:12:03.000000000 +0200
@@ -146,9 +146,11 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
@@ -17,8 +17,8 @@ diff -up openssh-5.5p1/auth-krb5.c.kuser
problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
diff -up openssh-5.5p1/servconf.c.kuserok openssh-5.5p1/servconf.c
---- openssh-5.5p1/servconf.c.kuserok 2010-06-08 11:40:10.000000000 +0200
-+++ openssh-5.5p1/servconf.c 2010-06-08 11:46:20.000000000 +0200
+--- openssh-5.5p1/servconf.c.kuserok 2010-07-07 13:12:02.000000000 +0200
++++ openssh-5.5p1/servconf.c 2010-07-07 13:12:04.000000000 +0200
@@ -137,6 +137,7 @@ initialize_server_options(ServerOptions
options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL;
@@ -87,8 +87,8 @@ diff -up openssh-5.5p1/servconf.c.kusero
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-5.5p1/servconf.h.kuserok openssh-5.5p1/servconf.h
---- openssh-5.5p1/servconf.h.kuserok 2010-06-08 11:40:10.000000000 +0200
-+++ openssh-5.5p1/servconf.h 2010-06-08 11:40:11.000000000 +0200
+--- openssh-5.5p1/servconf.h.kuserok 2010-07-07 13:12:02.000000000 +0200
++++ openssh-5.5p1/servconf.h 2010-07-07 13:12:04.000000000 +0200
@@ -157,6 +157,7 @@ typedef struct {
int num_permitted_opens;
@@ -98,8 +98,8 @@ diff -up openssh-5.5p1/servconf.h.kusero
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff -up openssh-5.5p1/sshd_config.5.kuserok openssh-5.5p1/sshd_config.5
---- openssh-5.5p1/sshd_config.5.kuserok 2010-06-08 11:40:10.000000000 +0200
-+++ openssh-5.5p1/sshd_config.5 2010-06-08 11:40:11.000000000 +0200
+--- openssh-5.5p1/sshd_config.5.kuserok 2010-07-07 13:12:03.000000000 +0200
++++ openssh-5.5p1/sshd_config.5 2010-07-07 13:21:02.000000000 +0200
@@ -519,6 +519,10 @@ Specifies whether to automatically destr
file on logout.
The default is
@@ -118,10 +118,10 @@ diff -up openssh-5.5p1/sshd_config.5.kus
+.Cm KerberosUseKuserok ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
- .Cm PasswordAuthentication ,
+ .Cm PubkeyAuthentication ,
diff -up openssh-5.5p1/sshd_config.kuserok openssh-5.5p1/sshd_config
---- openssh-5.5p1/sshd_config.kuserok 2010-06-08 11:40:10.000000000 +0200
-+++ openssh-5.5p1/sshd_config 2010-06-08 11:40:11.000000000 +0200
+--- openssh-5.5p1/sshd_config.kuserok 2010-07-07 13:12:03.000000000 +0200
++++ openssh-5.5p1/sshd_config 2010-07-07 13:12:04.000000000 +0200
@@ -72,6 +72,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
Index: openssh.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.220
retrieving revision 1.221
diff -u -p -r1.220 -r1.221
--- openssh.spec 30 Jun 2010 14:50:51 -0000 1.220
+++ openssh.spec 7 Jul 2010 13:48:36 -0000 1.221
@@ -70,7 +70,7 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%define openssh_rel 17
+%define openssh_rel 18
%define openssh_ver 5.5p1
%define pam_ssh_agent_rel 26
%define pam_ssh_agent_ver 0.9.2
@@ -106,7 +106,8 @@ Patch13: openssh-5.5p1-mls.patch
Patch16: openssh-5.3p1-audit.patch
Patch18: openssh-5.4p1-pam_selinux.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663
-Patch20: openssh-5.5p1-pka-ldap.patch
+Patch20: openssh-5.5p1-authorized-keys-command.patch
+Patch21: openssh-5.5p1-ldap.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1668
Patch23: openssh-5.5p1-keygen.patch
Patch24: openssh-4.3p1-fromto-remote.patch
@@ -286,7 +287,8 @@ popd
%patch18 -p1 -b .pam_selinux
%endif
-%patch20 -p1 -b .pka
+%patch20 -p1 -b .akc
+%patch21 -p1 -b .ldap
%patch23 -p1 -b .keygen
%patch24 -p1 -b .fromto-remote
%patch27 -p1 -b .log-chroot
@@ -586,6 +588,9 @@ fi
%endif
%changelog
+* Wed Jul 7 2010 Jan F. Chadima <jchadima at redhat.com> - 5.5p1-18 + 0.9.2-26
+- merged with newer bugzilla's version of authorized keys command patch
+
* Wed Jun 30 2010 Jan F. Chadima <jchadima at redhat.com> - 5.5p1-17 + 0.9.2-26
- improved the x11 patch according to upstream (#598671)
--- openssh-5.5p1-pka-ldap.patch DELETED ---
More information about the scm-commits
mailing list