bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-22 14:42 UTC
[Bug 1663] New: Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Summary: Allow to use agent for distribution of public keys.
Product: Portable OpenSSH
Version: 5.3p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: jchadima at redhat.com

For management of larger sites it is useful to use distributed authorized private keys. This patch allows using the agent to obtain the keys. There is the possibility of using popen (agent) instead of open (authorized_keys). The feature is triggered by a new configure option. The two sshd_config options configure the agent run string and the user account used for running the agent. It is accepted that the agent output is the same as the file format of the authorized_keys2 file. Local authorized_keys files are skipped in the case of an active agent. Only protocol 2 is supported at present.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-22 14:43 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #1 from jchadima at redhat.com 2009-10-23 01:43:24 EST ---
Created an attachment (id=1703) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1703)
Patch solving the problem
bugzilla-daemon at bugzilla.mindrot.org
2010-Feb-09 23:30 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Damien Miller <djm at mindrot.org> changed:
  CC: added djm at mindrot.org

--- Comment #3 from Damien Miller <djm at mindrot.org> 2010-02-10 10:30:29 EST ---
This is an interesting idea. My concerns are:

1) you lose the ability to specify key restrictions. I.e. you can't force commands on a per-key basis, disable port-forwarding, etc.

2) I think it would be better if you don't run the agent from sshd. Instead, you add a single directive to sshd_config to inform it of an agent socket path and use ssh-agent's "-a" option to make it listen on a single location.

3) ssh-agent has not been written with robustness against deliberately malformed input in mind and will fatal() at the first encoding error. This is good behaviour for a per-user agent, but could lead to system-level DoS when used to manage public keys for a host.

We should probably discuss this on the mailing list.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-01 08:49 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

jchadima at redhat.com changed:
  CC: added jchadima at redhat.com

--- Comment #4 from jchadima at redhat.com 2010-03-01 19:49:19 EST ---
(In reply to comment #3)
> This is an interesting idea. My concerns are:

This is not necessarily limited to LPK compatibility; even the transport protocol may be different.

> 1) you lose the ability to specify key restrictions. I.e. you can't
> force commands on a per-key basis, disable port-forwarding, etc.

The keys are transported as is, with all the prefixes (forced commands etc.).

> 2) I think it would be better if you don't run the agent from sshd.
> Instead, you add a single directive to sshd_config to inform it of an
> agent socket path and use ssh-agent's "-a" option to make it listen on
> a single location.

a) The per-session fork may be useful when the executed process should be run under the authorized user's privileges.
b) The fork-execute at each authentication has some advantages and some disadvantages. The advantages are: better stability, since killing the process does not cause a DoS; less vulnerability to memory leaks, since the process finishes with all non-freed memory after each authentication. The disadvantages: more processes and more sockets used.

> 3) ssh-agent has not been written with robustness against deliberately
> malformed input in mind and will fatal() at the first encoding error.
> This is good behaviour for a per-user agent, but could lead to
> system-level DoS when used to manage public keys for a host.
>
> We should probably discuss this on the mailing list.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-02 09:52 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #5 from jchadima at redhat.com 2010-03-02 20:52:22 EST ---
Created an attachment (id=1804) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1804)
patch against openssh5.4p1
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-17 08:32 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

jchadima at redhat.com changed:
  Attachment #1804 is obsolete: 0 -> 1

--- Comment #6 from jchadima at redhat.com 2010-03-17 19:32:09 EST ---
Created an attachment (id=1811) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1811)
patch against openssh-5.4p1
bugzilla-daemon at bugzilla.mindrot.org
2010-May-12 17:46 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Don Hoover <dxh at yahoo.com> changed:
  CC: added dxh at yahoo.com

--- Comment #7 from Don Hoover <dxh at yahoo.com> ---
This seems like an excellent way to provide the same functionality as the LPK patch. It is also more generic and allows people to write their own implementations for storing public keys in ldap, oracle, or whatever.

This seems like the best way to get people to stop asking for lpk to be added to sshd.
bugzilla-daemon at bugzilla.mindrot.org
2010-May-13 07:00 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #8 from jchadima at redhat.com ---
(In reply to comment #7)
> This seems like an excellent way to provide the same functionality as
> the LPK patch.

The LDAP backend is prepared and is now in the testing stage. I hope to post it here in a week or less.

> It is also more generic and allows people to write their own
> implementations for storing public keys in ldap, oracle, or whatever.
>
> This seems like the best way to get people to stop asking for lpk to be
> added to sshd.

Yes, yes, yes. It still needs some minor improvements, but from the security point of view it's ready.
bugzilla-daemon at bugzilla.mindrot.org
2010-May-20 09:58 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #9 from jchadima at redhat.com ---
Created attachment 1850 --> https://bugzilla.mindrot.org/attachment.cgi?id=1850
Full patch containing LDAP part
bugzilla-daemon at bugzilla.mindrot.org
2010-May-20 10:00 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #10 from jchadima at redhat.com ---
Can anybody test the patch in an environment other than Linux? All comments are welcome.
bugzilla-daemon at bugzilla.mindrot.org
2010-May-20 21:53 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

jchadima at redhat.com changed:
  Version: 5.3p1 -> 5.5p1
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-10 07:31 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Tomas Mraz <t8m at centrum.cz> changed:
  CC: added dkg at fifthhorseman.net

--- Comment #11 from Tomas Mraz <t8m at centrum.cz> ---
*** Bug 1778 has been marked as a duplicate of this bug. ***
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-10 07:41 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Tomas Mraz <t8m at centrum.cz> changed:
  CC: added t8m at centrum.cz

--- Comment #12 from Tomas Mraz <t8m at centrum.cz> ---
I've tested the patch on Fedora Linux - so not a different system environment, unfortunately - but I can confirm it works well there. I agree this is the proper way to replace the lpk patch. I don't even think that the LDAP backend part has to be included in the openssh upstream sources; this can very well be distributed separately along with other possible backends.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-04 01:00 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Daniel Kahn Gillmor <dkg at fifthhorseman.net> changed:
  Attachment #1811 is obsolete: 0 -> 1

--- Comment #13 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> ---
Created attachment 1895 --> https://bugzilla.mindrot.org/attachment.cgi?id=1895
updated pubkey-agent patch against 5.5p1 (with security fixes)

The Monkeysphere development team is interested in seeing this modular key-based authorization functionality included in OpenSSH. We believe the LDAP-specific code should be distributed separately.

We reviewed the pubkey-agent patch today, and found a handful of problems that appear to need fixing. The attached patch applies against 5.5p1, and resolves the immediate problems. The concerns we found were:

0) not all components of the path to the command were checked for proper ownership and permissions.

1) using popen() while under temporarily_use_uid() meant that a child process could re-elevate its privileges to root with seteuid().

2) the combination of strtok, percent expansion, and the implicit sh -c invocation (via popen()) leave open a number of possibilities to violate the principle of least surprise for an unfortunate sysadmin.

Our revised patch resolves (1) by explicitly fork()ing and exec()ing, permanently dropping privileges in the child process before the exec().

Our revised patch resolves (2) by requiring the command be a single explicit path to an executable, which will receive a single command-line argument (the name of the user to authorize).

We also felt that the earlier patch was mistaken by invalidating the AuthorizedKeysFile option if PubkeyAgent is present. The admin is already able to disable AuthorizedKeysFile (e.g. by pointing it to /dev/null). Also, having a (new, relatively-unknown) option have potentially surprising interactions with another (well-known, widely-understood) option seems like a bad idea. Our approach was to provide fall-through behavior. If the PubkeyAgent does not authorize the connecting key, sshd will consult AuthorizedKeysFile as in current versions of OpenSSH.

Note that we also feel the choice of option names leaves something to be desired. PubkeyAgent and PubkeyAgentRunAs are misleading, since there is no required agent at all. The term AuthorizedKeysCommand (see #1778) seems more appropriate by analogy with existing config options LocalCommand, ProxyCommand and AuthorizedKeysFile. I'll offer a revised patch with the updated names shortly.
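Added example (my own code, not from any patch attached to this bug or from OpenSSH): the pattern comment #13 describes, run end to end. The command is fork()ed and execve()d as one absolute path with the user name as its single argument, privileges are dropped permanently in the child before the exec (so a seteuid(0) in the child has nothing to climb back to), and the authorized_keys lines come back over a pipe. Everything beyond the two core functions is scaffolding so the example runs on its own: the stand-in command script, the account names, the key blobs and the forced command are all made up, the script is written under /tmp, and uid/gid 65534 is assumed to be "nobody" when the example happens to be run as root.

```c
/* Added example, not code from the OpenSSH patch: run an AuthorizedKeysCommand
 * the way comment #13 describes. fork() + execve() of one absolute path with
 * exactly one argument (the user name), privileges dropped permanently in the
 * child before the exec, authorized_keys lines read back over a pipe. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Change real, effective AND saved ids. seteuid() under temporarily_use_uid()
 * touches only the effective id, so a child could seteuid(0) back; setuid()
 * while root changes all three. Running the command as root is refused. */
static int drop_privs_permanently(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;
    if (getuid() != 0) /* unprivileged demo run: can only "drop" to ourselves */
        return (uid == getuid() && gid == getgid()) ? 0 : -1;
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    return (setuid(0) == -1 && seteuid(0) == -1) ? 0 : -1; /* confirm it stuck */
}

/* Run "path user" as uid/gid and copy its stdout into out (NUL-terminated).
 * Returns bytes captured, or -1 on failure or a non-zero exit status. */
static ssize_t run_keys_command(const char *path, const char *user,
                                uid_t uid, gid_t gid, char *out, size_t outlen)
{
    int fd[2], status = 1; /* 1 reads as "not exited" if waitpid() never runs */
    size_t n = 0;
    pid_t pid;
    /* one explicit executable, handed to execve() untouched by any shell */
    if (!path || path[0] != '/' || !user || !outlen || pipe(fd) == -1)
        return -1;
    if ((pid = fork()) == 0) {
        char *const argv[] = { (char *)path, (char *)user, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        if (dup2(fd[1], STDOUT_FILENO) == -1 || drop_privs_permanently(uid, gid))
            _exit(127);
        close(fd[0]);
        close(fd[1]);
        execve(path, argv, envp);
        _exit(127);
    }
    close(fd[1]);
    while (pid != -1 && n + 1 < outlen) {
        ssize_t r = read(fd[0], out + n, outlen - 1 - n);
        if (r > 0)
            n += (size_t)r;
        else if (r == 0 || errno != EINTR)
            break;
    }
    out[n] = '\0';
    close(fd[0]); /* a child still writing past our buffer now gets SIGPIPE */
    while (pid != -1 && waitpid(pid, &status, 0) == -1 && errno == EINTR)
        ;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? (ssize_t)n : -1;
}

/* Constructed stand-in for a real command (a deployment would query LDAP here):
 * gets the user name as $1 and prints made-up keys, alice's behind a forced
 * command and with port forwarding disabled, exactly as authorized_keys would. */
static const char *demo_command(void)
{
    static char path[] = "/tmp/akc-demo-XXXXXX";
    static const char script[] = "#!/bin/sh\ncase \"$1\" in\n"
        "alice) echo 'no-port-forwarding,command=\"/usr/bin/uptime\" ssh-ed25519 "
        "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@example' ;;\n"
        "bob) echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBob bob@example' ;;\nesac\n";
    static int ready;
    int fd;
    if (!ready && (fd = mkstemp(path)) != -1) {
        ready = write(fd, script, sizeof script - 1) == (ssize_t)(sizeof script - 1) &&
                fchmod(fd, 0755) == 0;
        close(fd);
    }
    return ready ? path : NULL;
}

/* The key lines sshd would check for `user`: the command runs as the current
 * user, or as uid/gid 65534 ("nobody", assumed) when this example is run as root. */
static ssize_t demo_keys_for(const char *user, char *out, size_t outlen)
{
    const char *cmd = demo_command();
    uid_t uid = getuid() ? getuid() : (uid_t)65534;
    gid_t gid = getuid() ? getgid() : (gid_t)65534;
    return cmd ? run_keys_command(cmd, user, uid, gid, out, outlen) : -1;
}

int main(void)
{
    char out[4096];
    ssize_t n = demo_keys_for("alice", out, sizeof out);
    printf("alice -> %zd bytes:\n%s", n, n < 0 ? "(command failed)\n" : out);
    if (demo_command()) unlink(demo_command());
    return n < 0;
}
```

The stand-in script follows the contract the thread converges on: one argument (the user), authorized_keys-format lines on stdout, and options such as command="..." left in front of the key so the per-key restrictions Damien raised in comment #3 are not lost on the way through the command. A real command would query LDAP or similar in place of the case statement; in the sshd_config terminology of comment #14 it would be set as AuthorizedKeysCommand, with AuthorizedKeysCommandRunAs naming an unprivileged account, never root. What sshd does when the command returns nothing (fall through to AuthorizedKeysFile, per comment #13) is outside this example.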
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-04 03:19 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #14 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> ---
Created attachment 1896 --> https://bugzilla.mindrot.org/attachment.cgi?id=1896
patch using AuthorizedKeysCommand terminology

Here is the patch using the sshd_config options AuthorizedKeysCommand and AuthorizedKeysCommandRunAs. The ./configure option is --with-authorized-keys-command. This seems preferable to the PubkeyAgent terminology.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-04 03:26 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Jameson Rollins <ssh-bugzilla at finestructure.net> changed:
  CC: added ssh-bugzilla at finestructure.net
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-06 17:15 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Greg Lyle <greg at stealthisemail.com> changed:
  CC: added greg at stealthisemail.com
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-15 17:40 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Anthony DeRobertis <aderobertis at metrics.net> changed:
  CC: added aderobertis at metrics.net
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-29 04:30 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Andres Pereira <andresp at gmail.com> changed:
  CC: added andresp at gmail.com
bugzilla-daemon at bugzilla.mindrot.org
2010-Sep-03 13:05 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #15 from jchadima at redhat.com ---
Created attachment 1915 --> https://bugzilla.mindrot.org/attachment.cgi?id=1915
Patch suitable for openssh-5.6p1
bugzilla-daemon at bugzilla.mindrot.org
2010-Sep-08 07:43 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

jchadima at redhat.com changed:
  Attachment #1915 is obsolete: 0 -> 1

--- Comment #16 from jchadima at redhat.com ---
Created attachment 1920 --> https://bugzilla.mindrot.org/attachment.cgi?id=1920
Patch suitable for openssh-5.6p1
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-05 02:41 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Don Hoover <dxh at yahoo.com> changed:
  Priority: P2 -> P1
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-05 02:46 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #17 from Don Hoover <dxh at yahoo.com> 2011-02-05 13:46:39 EST ---
It's been a year now; how can we get someone from the team to evaluate this for mainline development or just close down the idea? This is a significant feature with a flexible solution to the needs of many, and it's hard to believe that it has not seemed worthy of inclusion in the main openssh dev.

Maybe Red Hat could start including this in their package builds, since one of the devs is keeping a patch with this. As a Fortune 50 user of RHEL it would greatly increase my security if I could turn off password login across my environment except for a few bastion hosts and keep user public keys in LDAP.
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-07 07:42 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #18 from jchadima at redhat.com 2011-02-07 18:42:05 EST ---
This feature is included in the latest releases of the Fedora and RHEL6 products.
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-09 04:48 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Daniel Kahn Gillmor <dkg at fifthhorseman.net> changed:
  Summary: "Allow to use agent for distribution of public keys." -> "sshd_config: AuthorizedKeysCommand"
  Alias: added AuthorizedKeysComman
bugzilla-daemon at bugzilla.mindrot.org
2011-Mar-30 11:45 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Petr Cerny [:hrosik] <pcerny at suse.cz> changed:
  CC: added pcerny at suse.cz
bugzilla-daemon at bugzilla.mindrot.org
2011-Jul-26 16:18 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #19 from Pier Fumagalli <pier at betaversion.org> 2011-07-27 02:18:46 EST ---
Created attachment 2067 --> https://bugzilla.mindrot.org/attachment.cgi?id=2067
Patch suitable for OpenSSH 5.8p2

Added patch suitable for OpenSSH 5.8p2
bugzilla-daemon at bugzilla.mindrot.org
2011-Jul-26 16:20 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Pier Fumagalli <pier at betaversion.org> changed:
  Attachment #2067 mime type: application/octet-stream -> text/plain
  Attachment #2067 is patch: 0 -> 1
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 05:24 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #20 from jchadima at redhat.com 2011-09-06 15:24:41 EST ---
What is the reason that this patch is not yet included in the release? And why is it not yet scheduled for 6.0?
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-12 23:21 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #21 from jchadima at redhat.com 2011-09-13 09:21:24 EST ---
Created attachment 2083 --> https://bugzilla.mindrot.org/attachment.cgi?id=2083
patch for openssh-5.9p1
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-25 05:28 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Jan F. Chadima <jfch at jagda.eu> changed:
  CC: added jfch at jagda.eu
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-30 12:16 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

Fr33z3m4n <Fr33z3m4n at gmx.net> changed:
  CC: added Fr33z3m4n at gmx.net

--- Comment #22 from Fr33z3m4n <Fr33z3m4n at gmx.net> 2012-01-30 23:16:46 EST ---
> Created attachment 1850 [details]
> Full patch containing LDAP part

Thanks for that patch, but it won't build.

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -I. -I. -DWITH_LDAP_PUBKEY -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c ldapconf.c
ldapconf.c: In function ‘process_config_line’:
ldapconf.c:204: error: ‘LDAP_SCOPE_SUBTREE’ undeclared (first use in this function)
ldapconf.c:204: error: (Each undeclared identifier is reported only once
ldapconf.c:204: error: for each function it appears in.)
ldapconf.c:206: error: ‘LDAP_SCOPE_ONELEVEL’ undeclared (first use in this function)
ldapconf.c:208: error: ‘LDAP_SCOPE_BASE’ undeclared (first use in this function)
ldapconf.c:222: error: ‘LDAP_DEREF_NEVER’ undeclared (first use in this function)
ldapconf.c:224: error: ‘LDAP_DEREF_SEARCHING’ undeclared (first use in this function)
ldapconf.c:226: error: ‘LDAP_DEREF_FINDING’ undeclared (first use in this function)
ldapconf.c:228: error: ‘LDAP_DEREF_ALWAYS’ undeclared (first use in this function)
ldapconf.c:339: error: ‘LDAP_OPT_X_TLS_NEVER’ undeclared (first use in this function)
ldapconf.c:341: error: ‘LDAP_OPT_X_TLS_HARD’ undeclared (first use in this function)
ldapconf.c:343: error: ‘LDAP_OPT_X_TLS_DEMAND’ undeclared (first use in this function)
ldapconf.c:345: error: ‘LDAP_OPT_X_TLS_ALLOW’ undeclared (first use in this function)
ldapconf.c:347: error: ‘LDAP_OPT_X_TLS_TRY’ undeclared (first use in this function)
ldapconf.c: In function ‘fill_default_options’:
ldapconf.c:503: error: ‘LDAPURLDesc’ undeclared (first use in this function)
ldapconf.c:503: error: ‘ludp’ undeclared (first use in this function)
ldapconf.c:505: warning: implicit declaration of function ‘ldap_url_parse’
ldapconf.c:505: error: ‘LDAP_SUCCESS’ undeclared (first use in this function)
ldapconf.c:507: warning: left-hand operand of comma expression has no effect
ldapconf.c:507: warning: value computed is not used
ldapconf.c:507: warning: left-hand operand of comma expression has no effect
ldapconf.c:509: warning: left-hand operand of comma expression has no effect
ldapconf.c:509: warning: value computed is not used
ldapconf.c:509: warning: left-hand operand of comma expression has no effect
ldapconf.c:511: warning: left-hand operand of comma expression has no effect
ldapconf.c:511: warning: value computed is not used
ldapconf.c:511: warning: left-hand operand of comma expression has no effect
ldapconf.c:519: warning: implicit declaration of function ‘ldap_free_urldesc’
ldapconf.c:541: error: ‘LDAP_SCOPE_SUBTREE’ undeclared (first use in this function)
ldapconf.c:543: error: ‘LDAP_DEREF_NEVER’ undeclared (first use in this function)
ldapconf.c:557: error: ‘LDAP_OPT_X_TLS_HARD’ undeclared (first use in this function)
ldapconf.c: At top level:
ldapconf.c:622: error: ‘LDAP_SCOPE_BASE’ undeclared here (not in a function)
ldapconf.c:623: error: ‘LDAP_SCOPE_ONELEVEL’ undeclared here (not in a function)
ldapconf.c:624: error: ‘LDAP_SCOPE_SUBTREE’ undeclared here (not in a function)
ldapconf.c:628: error: ‘LDAP_DEREF_NEVER’ undeclared here (not in a function)
ldapconf.c:628: error: initializer element is not constant
ldapconf.c:628: error: (near initialization for ‘_deref[0].value’)
ldapconf.c:629: error: ‘LDAP_DEREF_SEARCHING’ undeclared here (not in a function)
ldapconf.c:629: error: initializer element is not constant
ldapconf.c:629: error: (near initialization for ‘_deref[1].value’)
ldapconf.c:630: error: ‘LDAP_DEREF_FINDING’ undeclared here (not in a function)
ldapconf.c:630: error: initializer element is not constant
ldapconf.c:630: error: (near initialization for ‘_deref[2].value’)
ldapconf.c:631: error: ‘LDAP_DEREF_ALWAYS’ undeclared here (not in a function)
ldapconf.c:631: error: initializer element is not constant
ldapconf.c:631: error: (near initialization for ‘_deref[3].value’)
ldapconf.c:645: error: ‘LDAP_OPT_X_TLS_NEVER’ undeclared here (not in a function)
ldapconf.c:645: error: initializer element is not constant
ldapconf.c:645: error: (near initialization for ‘_checkpeer[0].value’)
ldapconf.c:646: error: ‘LDAP_OPT_X_TLS_HARD’ undeclared here (not in a function)
ldapconf.c:646: error: initializer element is not constant
ldapconf.c:646: error: (near initialization for ‘_checkpeer[1].value’)
ldapconf.c:647: error: ‘LDAP_OPT_X_TLS_DEMAND’ undeclared here (not in a function)
ldapconf.c:647: error: initializer element is not constant
ldapconf.c:647: error: (near initialization for ‘_checkpeer[2].value’)
ldapconf.c:648: error: ‘LDAP_OPT_X_TLS_ALLOW’ undeclared here (not in a function)
ldapconf.c:648: error: initializer element is not constant
ldapconf.c:648: error: (near initialization for ‘_checkpeer[3].value’)
ldapconf.c:649: error: ‘LDAP_OPT_X_TLS_TRY’ undeclared here (not in a function)
ldapconf.c:649: error: initializer element is not constant
ldapconf.c:649: error: (near initialization for ‘_checkpeer[4].value’)
make: *** [ldapconf.o] Error 1

What can I do?
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-30 15:58 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

--- Comment #23 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> 2012-01-31 02:58:00 EST ---
(In reply to comment #22)
> > Created attachment 1850 [details]
> > Full patch containing LDAP part
>
> Thx for that Patch, but it won't build.

You don't mention which version of OpenSSH you tried to compile the LDAP patch against.

> What can i do ?

You could try using the AuthorizedKeysCommand variant, which is simpler and more up-to-date with the current version of OpenSSH.
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-30 16:40 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #24 from Fr33z3m4n <Fr33z3m4n at gmx.net> 2012-01-31 03:40:57 EST ---
(In reply to comment #23)
> You don't mention which version of OpenSSH you tried to compile the
> LDAP patch against.

Hi, sorry, I used openssh 5.5p1 for this patch.

> You could try using the AuthorizedKeysCommand variant, which is simpler
> and more up-to-date with the current version of OpenSSH.

Can you explain to me how it works with LDAP, and which settings to use?

BR
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-30 16:46 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #25 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> 2012-01-31 03:46:50 EST ---
(In reply to comment #24)
> Can you explain to me how it works with LDAP, and which settings to use?

Perhaps jchadima at redhat.com can suggest something? I don't do much work with LDAP here.
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-30 17:36 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #26 from Fr33z3m4n <Fr33z3m4n at gmx.net> 2012-01-31 04:36:02 EST ---
(In reply to comment #25)
> perhaps jchadima at redhat.com can suggest something? I don't do much
> work with LDAP here.

<jchadima at redhat.com>: host xxxx[xxxx] said: 550 5.2.1 <jchadima at redhat.com>... Mailbox disabled for this recipient (in reply to RCPT TO command)

;( I hope he will read it here.
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-30 18:26 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #27 from Tomas Mraz <t8m at centrum.cz> 2012-01-31 05:26:02 EST ---
In the Fedora openssh rpm package you should find some documentation on the AuthorizedKeysCommand helper for the keys in LDAP.
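The Fedora helper that the comments above point to is not reproduced here. As an added example that is not code from this bug, from the Fedora package or from OpenSSH itself, the script below shows what a minimal AuthorizedKeysCommand helper for keys stored in LDAP looks like: sshd runs it with the requesting user name and reads authorized_keys-format lines from its stdout. It assumes the upstream OpenSSH 6.2+ option names (AuthorizedKeysCommand, AuthorizedKeysCommandUser), an sshPublicKey attribute on posixAccount entries, the OpenLDAP ldapsearch client, and placeholder values for the LDAP URI and base DN; the LDIF it parses offline is constructed and its key blobs are fake.

```sh
#!/bin/sh
# Added example (not the Fedora helper and not code from this bug): a minimal
# AuthorizedKeysCommand helper that fetches a user's public keys from LDAP and
# prints them in authorized_keys format, which is what sshd expects on stdout.
#
# Assumptions not taken from the thread: option names are those of upstream
# OpenSSH 6.2+ (AuthorizedKeysCommand, AuthorizedKeysCommandUser); keys live in
# an attribute named sshPublicKey on posixAccount entries; ldapsearch is the
# OpenLDAP client. The LDAP URI and base DN below are placeholders.
#
#   AuthorizedKeysCommand     /usr/local/sbin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody

LDAP_URI="ldap://ldap.example.internal"       # placeholder
LDAP_BASE="ou=people,dc=example,dc=internal"  # placeholder
KEY_ATTR="sshPublicKey"                       # assumed schema attribute

# The user name comes straight from the unauthenticated SSH client, so refuse
# anything that is not a plain account name before it reaches an LDAP filter.
valid_user() {
    [ ${#1} -le 32 ] || return 1
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|-*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Escape RFC 4515 filter metacharacters (backslash first, then * ( )) so a
# value can be embedded in a search filter even if valid_user is relaxed later.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Turn LDIF on stdin into authorized_keys lines: unwrap LDIF continuation
# lines (ldapsearch wraps long values; a continuation starts with one space),
# keep only the key attribute, and drop anything that is not shaped like a
# bare public key line. sshd would reject such lines anyway; filtering here
# keeps directory noise out of the auth log.
keys_from_ldif() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' |
    sed -n "s/^${KEY_ATTR}: //p" |
    grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$'
}

# The real lookup sshd invokes: read-only anonymous simple bind. A bad user
# name makes the script exit non-zero so sshd logs a failed command instead
# of silently seeing an empty key list.
lookup_keys() {
    user="$1"
    valid_user "$user" || return 1
    filter="(&(objectClass=posixAccount)(uid=$(ldap_filter_escape "$user")))"
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" "$filter" "$KEY_ATTR" | keys_from_ldif
}

# Constructed LDIF shaped like ldapsearch -LLL output, used only to exercise
# the parsing path offline. The key blobs are fake.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=internal
uid: alice
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORDEMOONLY alice@laptop
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdemo
 continuedbase64 alice@desktop
sshPublicKey: not a key at all
description: two usable keys, one junk value
'

if [ "$#" -gt 0 ]; then
    lookup_keys "$1"
else
    # No argument: show the parsing path on the constructed sample.
    printf '%s\n' "$SAMPLE_LDIF" | keys_from_ldif
fi
```

Two things matter more than the LDAP query itself. The user name argument is attacker-controlled input, so it is validated and filter-escaped before it is interpolated; and the helper runs as the unprivileged AuthorizedKeysCommandUser, while upstream sshd additionally refuses a command that is not root-owned or is group/world-writable. Because the output is ordinary authorized_keys format, per-key options such as command= or no-port-forwarding can be stored in the directory attribute as well, which answers the restriction concern raised earlier in this bug; the grep in keys_from_ldif only accepts bare key lines, so a site using option prefixes would relax that check.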
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-31 19:09 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #28 from Jan F. Chadima <jfch at jagda.eu> 2012-02-01 06:09:21 EST ---
The LDAP backend is now done as a patch to the openssh build in Fedora. This is not the best way this should be done. If you are brave enough, you could change it into a standalone project. Everything is ready in the patch; only the Makefile and configure or cmake need to be prepared. If you are able to do it, please do.
bugzilla-daemon at bugzilla.mindrot.org
2012-Feb-22 18:02 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Mike Kelly <mike at pair.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mike at pair.com
bugzilla-daemon at bugzilla.mindrot.org
2012-Mar-12 09:10 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Cheer Xiao <xiaqqaix at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xiaqqaix at gmail.com

--- Comment #29 from Cheer Xiao <xiaqqaix at gmail.com> 2012-03-12 20:10:34 EST ---
(I'm sorry I have to do this) A bump for the bug. It has been 2.4 years since the original patch... and please, close or accept this.