[openssh] improove ssh-ldap (documentation)
Jan F. Chadima
jfch2222 at fedoraproject.org
Thu Mar 10 20:48:31 UTC 2011
commit 9992a8e919e0c081d5553100cd73f09b41287d89
Author: Jan F <jfch at kerberos.example.com>
Date: Thu Mar 10 21:48:09 2011 +0100
improve ssh-ldap (documentation)
openssh-5.8p1-ldap2.patch | 36 ++++++++++++++++++------------------
openssh.spec | 36 ++++++++++++++++++------------------
2 files changed, 36 insertions(+), 36 deletions(-)
---
diff --git a/openssh-5.8p1-ldap2.patch b/openssh-5.8p1-ldap2.patch
index 425b623..9520582 100644
--- a/openssh-5.8p1-ldap2.patch
+++ b/openssh-5.8p1-ldap2.patch
@@ -1,6 +1,6 @@
diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys
---- openssh-5.8p1/HOWTO.ldap-keys.ldap2 2011-03-10 18:22:10.469855868 +0100
-+++ openssh-5.8p1/HOWTO.ldap-keys 2011-03-10 18:22:11.018980430 +0100
+--- openssh-5.8p1/HOWTO.ldap-keys.ldap2 2011-03-10 21:45:52.706855323 +0100
++++ openssh-5.8p1/HOWTO.ldap-keys 2011-03-10 19:35:50.000000000 +0100
@@ -1,14 +1,108 @@
+HOW TO START
@@ -67,26 +67,26 @@ diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys
+ * /usr/sbin/sshd -d -d -d -d
+2) use debug in ssh-ldap-helper
+ * ssh-ldap-helper -d -d -d -d -s <username>
-+3) use tcpdump ... other ldap client &tc..
++3) use tcpdump ... other ldap client etc.
+
-+ADWANTAGES
++ADVANTAGES
+
-+1) Blocking a user account can be done directly from the LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
++1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
+
+DISADVANTAGES
+
+1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
-+ allow write to users dn, somebody could replace someuser's public key by its own and impersonate some
-+ of your users in all your server farm be VERY CAREFUL.
++ allows write to users dn, somebody could replace some user's public key by his own and impersonate some
++ of your users in all your server farm -- be VERY CAREFUL.
+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
-+ as the impersonnated user.
-+3 If LDAP server is down then ma be no fallback on passwd auth.
++ as the impersonated user.
++3) If LDAP server is down there may be no fallback on passwd auth.
+
+MISC.
+
+1) todo
+ * Possibility to reuse the ssh-ldap-helper.
-+ * Tune the LDAP part to all possible LDAP configurations.
++ * Tune the LDAP part to accept all possible LDAP configurations.
+
+2) differences from original lpk
+ * No LDAP code in sshd.
@@ -118,8 +118,8 @@ diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys
+ Jan F. Chadima <jchadima at redhat.com>
diff -up openssh-5.8p1/ldap-helper.c.ldap2 openssh-5.8p1/ldap-helper.c
---- openssh-5.8p1/ldap-helper.c.ldap2 2011-03-10 18:22:48.870980079 +0100
-+++ openssh-5.8p1/ldap-helper.c 2011-03-10 18:07:41.000000000 +0100
+--- openssh-5.8p1/ldap-helper.c.ldap2 2011-03-10 21:45:52.872854838 +0100
++++ openssh-5.8p1/ldap-helper.c 2011-03-10 21:45:53.342855061 +0100
@@ -138,6 +138,7 @@ main(int ac, char **av)
if (config_single_user) {
process_user (config_single_user, outfile);
@@ -129,8 +129,8 @@ diff -up openssh-5.8p1/ldap-helper.c.ldap2 openssh-5.8p1/ldap-helper.c
/* TODO
* open unix socket a run the loop on it
diff -up openssh-5.8p1/lpk-user-example.txt.ldap2 openssh-5.8p1/lpk-user-example.txt
---- openssh-5.8p1/lpk-user-example.txt.ldap2 2011-03-10 18:22:10.745854874 +0100
-+++ openssh-5.8p1/lpk-user-example.txt 2011-03-10 18:22:11.053980912 +0100
+--- openssh-5.8p1/lpk-user-example.txt.ldap2 2011-03-10 21:45:52.986980339 +0100
++++ openssh-5.8p1/lpk-user-example.txt 2011-03-10 21:45:53.379854929 +0100
@@ -1,117 +0,0 @@
-
-Post to ML -> User Made Quick Install Doc.
@@ -250,8 +250,8 @@ diff -up openssh-5.8p1/lpk-user-example.txt.ldap2 openssh-5.8p1/lpk-user-example
-
-++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff -up openssh-5.8p1/README.lpk.ldap2 openssh-5.8p1/README.lpk
---- openssh-5.8p1/README.lpk.ldap2 2011-03-10 18:22:10.872981060 +0100
-+++ openssh-5.8p1/README.lpk 2011-03-10 18:22:11.089980853 +0100
+--- openssh-5.8p1/README.lpk.ldap2 2011-03-10 21:45:53.112979980 +0100
++++ openssh-5.8p1/README.lpk 2011-03-10 21:45:53.416856007 +0100
@@ -1,274 +0,0 @@
-OpenSSH LDAP PUBLIC KEY PATCH
-Copyright (c) 2003 Eric AUGE (eau at phear.org)
@@ -528,8 +528,8 @@ diff -up openssh-5.8p1/README.lpk.ldap2 openssh-5.8p1/README.lpk
- Jan F. Chadima <jchadima at redhat.com>
-
diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap2 openssh-5.8p1/ssh-ldap-helper.8
---- openssh-5.8p1/ssh-ldap-helper.8.ldap2 2011-03-10 18:22:10.921854948 +0100
-+++ openssh-5.8p1/ssh-ldap-helper.8 2011-03-10 18:20:17.000000000 +0100
+--- openssh-5.8p1/ssh-ldap-helper.8.ldap2 2011-03-10 21:45:53.170854817 +0100
++++ openssh-5.8p1/ssh-ldap-helper.8 2011-03-10 21:45:53.454980272 +0100
@@ -37,11 +37,12 @@ sshd configuration file
by setting
.Cm AuthorizedKeysCommand
diff --git a/openssh.spec b/openssh.spec
index 1331976..99e44fc 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -341,25 +341,25 @@ popd
%if %{WITH_SELINUX}
#SELinux
%patch22 -p1 -b .selinux
-%patch23 -p1 -b .role
-%patch24 -p1 -b .mls
+###%patch23 -p1 -b .role
+###%patch24 -p1 -b .mls
%endif
-%patch30 -p1 -b .keygen
-%patch31 -p1 -b .ip-opts
-%patch32 -p1 -b .randclean
-%patch34 -p1 -b .kuserok
-%patch35 -p1 -b .glob
-%patch50 -p1 -b .fips
-%patch51 -p1 -b .x11
-%patch52 -p1 -b .exit-deadlock
-%patch53 -p1 -b .progress
-%patch54 -p1 -b .grab-info
-%patch56 -p1 -b .edns
-%patch57 -p1 -b .manpage
-%patch58 -p1 -b .keycat
-%patch158 -p1 -b .keycat2
-%patch60 -p1 -b .gsskex
-%patch61 -p1 -b .canohost
+###%patch30 -p1 -b .keygen
+###%patch31 -p1 -b .ip-opts
+###%patch32 -p1 -b .randclean
+###%patch34 -p1 -b .kuserok
+###%patch35 -p1 -b .glob
+###%patch50 -p1 -b .fips
+###%patch51 -p1 -b .x11
+###%patch52 -p1 -b .exit-deadlock
+###%patch53 -p1 -b .progress
+###%patch54 -p1 -b .grab-info
+###%patch56 -p1 -b .edns
+###%patch57 -p1 -b .manpage
+###%patch58 -p1 -b .keycat
+###%patch158 -p1 -b .keycat2
+###%patch60 -p1 -b .gsskex
+###%patch61 -p1 -b .canohost
autoreconf
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
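Review bot: The openssh.spec hunk comments out eighteen `%patch` directives (`%patch23` through `%patch61`, including the `.role`, `.mls`, `.fips`, `.kuserok` and `.gsskex` patches) with a `###` prefix, which is not a documentation change and is not mentioned in the commit message or the diffstat's description; a build from this revision would ship openssh without those SELinux, FIPS and authentication fixes. If this is a bisection aid left over from finding which patch conflicts with the ldap2 rewrite, it should be reverted before the next build; if it is intentional, the commit message and %changelog need to say so. Also, rpm expands macros before it treats a `#` line as a comment, so the conventional way to neutralise a patch line is to escape the percent sign, e.g. `#%%patch23 -p1 -b .role`, rather than relying on the `###` prefix alone.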