bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-22 14:42 UTC
[Bug 1663] New: Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Summary: Allow to use agent for distribution of public keys.
Product: Portable OpenSSH
Version: 5.3p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: jchadima at redhat.com
For management of larger sites it is useful to use distributed authorized
private keys. This patch allows using the agent to obtain the keys.
There is the possibility of using popen (agent) instead of open
(authorized_keys). The feature is triggered by a new configure option.
The two sshd_config options configure the agent run string and the user
account used for running the agent. It is accepted that the agent output
is the same as the file format of the authorized_keys2 file. Local
authorized_keys files are skipped in the case of an active agent. Only
protocol 2 is supported currently.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-22 14:43 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #1 from jchadima at redhat.com 2009-10-23 01:43:24 EST ---
Created an attachment (id=1703)
--> (https://bugzilla.mindrot.org/attachment.cgi?id=1703)
Patch solving the problem
bugzilla-daemon at bugzilla.mindrot.org
2010-Feb-09 23:30 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #3 from Damien Miller <djm at mindrot.org> 2010-02-10 10:30:29 EST ---
This is an interesting idea. My concerns are:
1) you lose the ability to specify key restrictions. I.e. you can't
force commands on a per-key basis, disable port-forwarding, etc.
2) I think it would be better if you don't run the agent from sshd.
Instead, you add a single directive to sshd_config to inform it of an
agent socket path and use ssh-agent's "-a" option to make it listen on
a single location.
3) ssh-agent has not been written with robustness against deliberately
malformed input in mind and will fatal() at the first encoding error.
This is good behaviour for a per-user agent, but could lead to
system-level DoS when used to manage public keys for a host.
We should probably discuss this on the mailing list.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-01 08:49 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
jchadima at redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jchadima at redhat.com
--- Comment #4 from jchadima at redhat.com 2010-03-01 19:49:19 EST ---
(In reply to comment #3)
> This is an interesting idea. My concerns are:
>
This is not necessarily limited to LPK compatibility; even the transport
protocol may be different.
> 1) you lose the ability to specify key restrictions. I.e. you can't
> force commands on a per-key basis, disable port-forwarding, etc.
>
The keys are transported as is, with all the prefixes (forced commands
etc.).
> 2) I think it would be better if you don't run the agent from sshd.
> Instead, you add a single directive to sshd_config to inform it of an
> agent socket path and use ssh-agent's "-a" option to make it listen on
> a single location.
>
a) The per-session fork may be useful when the executed process should
be run under the authorized user's privileges.
b) The fork-execute at each authentication has some advantages and some
disadvantages.
The advantages are: better stability - killing the process does not
cause a DoS. Less vulnerability to memory leaks: the process
finishes with all non-freed memory after each authentication.
The disadvantages: more processes and more sockets used.
> 3) ssh-agent has not been written with robustness against deliberately
> malformed input in mind and will fatal() at the first encoding error.
> This is good behaviour for a per-user agent, but could lead to
> system-level DoS when used to manage public keys for a host.
>
> We should probably discuss this on the mailing list.
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-02 09:52 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #5 from jchadima at redhat.com 2010-03-02 20:52:22 EST ---
Created an attachment (id=1804)
--> (https://bugzilla.mindrot.org/attachment.cgi?id=1804)
patch against openssh5.4p1
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-17 08:32 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
jchadima at redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1804 is obsolete|0 |1
--- Comment #6 from jchadima at redhat.com 2010-03-17 19:32:09 EST ---
Created an attachment (id=1811)
--> (https://bugzilla.mindrot.org/attachment.cgi?id=1811)
patch against openssh-5.4p1
bugzilla-daemon at bugzilla.mindrot.org
2010-May-12 17:46 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Don Hoover <dxh at yahoo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dxh at yahoo.com
--- Comment #7 from Don Hoover <dxh at yahoo.com> ---
This seems like an excellent way to provide the same functionality as
the LPK patch.
It is also more generic and allows people to write their own
implementations for storing public keys in ldap, oracle, or whatever.
This seems like the best way to get people to stop asking for lpk to be
added to sshd.
bugzilla-daemon at bugzilla.mindrot.org
2010-May-13 07:00 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #8 from jchadima at redhat.com ---
(In reply to comment #7)
> This seems like an excellent way to provide the same functionality as
> the LPK patch.
>
The LDAP backend is prepared and now is in the testing stage. I hope to
post it here in a week or less.
> It is also more generic and allows people to write their own
> implementations for storing public keys in ldap, oracle, or whatever.
>
> This seems like the best way to get people to stop asking for lpk to be
> added to sshd.
Yes, yes, yes. It still needs some minor improvements, but from the
security point of view it's ready.
bugzilla-daemon at bugzilla.mindrot.org
2010-May-20 09:58 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #9 from jchadima at redhat.com ---
Created attachment 1850
--> https://bugzilla.mindrot.org/attachment.cgi?id=1850
Full patch containing LDAP part
bugzilla-daemon at bugzilla.mindrot.org
2010-May-20 10:00 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #10 from jchadima at redhat.com ---
Can anybody test the patch in an environment other than Linux? All
comments are welcome.
bugzilla-daemon at bugzilla.mindrot.org
2010-May-20 21:53 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
jchadima at redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|5.3p1 |5.5p1
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-10 07:31 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Tomas Mraz <t8m at centrum.cz> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dkg at fifthhorseman.net
--- Comment #11 from Tomas Mraz <t8m at centrum.cz> ---
*** Bug 1778 has been marked as a duplicate of this bug. ***
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-10 07:41 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Tomas Mraz <t8m at centrum.cz> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |t8m at centrum.cz
--- Comment #12 from Tomas Mraz <t8m at centrum.cz> ---
I've tested the patch on Fedora Linux - so not a different system
environment, unfortunately - but I can confirm it works well there.
I agree this is the proper way to replace the lpk patch. I don't even
think that the LDAP backend part has to be included in the openssh
upstream sources; this can very well be distributed separately along
with other possible backends.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-04 01:00 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Daniel Kahn Gillmor <dkg at fifthhorseman.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1811 is obsolete|0 |1
--- Comment #13 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> ---
Created attachment 1895
--> https://bugzilla.mindrot.org/attachment.cgi?id=1895
updated pubkey-agent patch against 5.5p1 (with security fixes)
The Monkeysphere development team is interested in seeing this modular
key-based authorization functionality included in OpenSSH. We believe
the LDAP-specific code should be distributed separately. We reviewed
the pubkey-agent patch today, and found a handful of problems that
appear to need fixing. The attached patch applies against 5.5p1, and
resolves the immediate problems.
The concerns we found were:
0) not all components of the path to the command were checked for
proper ownership and permissions.
1) using popen() while under temporarily_use_uid() meant that a child
process could re-elevate its privileges to root with seteuid().
2) the combination of strtok, percent expansion, and the implicit sh
-c invocation (via popen()) leave open a number of possibilities to
violate the principle of least surprise for an unfortunate sysadmin.
Our revised patch resolves (1) by explicitly fork()ing and exec()ing,
permanently dropping privileges in the child process before the exec().
Our revised patch resolves (2) by requiring the command be a single
explicit path to an executable, which will receive a single
command-line argument (the name of the user to authorize).
We also felt that the earlier patch was mistaken by invalidating the
AuthorizedKeysFile option if PubkeyAgent is present. The admin is
already able to disable AuthorizedKeysFile (e.g. by pointing it to
/dev/null). Also, having a (new, relatively-unknown) option have
potentially surprising interactions with another (well-known,
widely-understood) option seems like a bad idea. Our approach was to
provide fall-through behavior. If the PubkeyAgent does not authorize
the connecting key, sshd will consult AuthorizedKeysFile as in current
versions of OpenSSH.
Note that we also feel the choice of option names leaves something to
be desired. PubkeyAgent and PubkeyAgentRunAs are misleading, since
there is no required agent at all. The term AuthorizedKeysCommand (see
#1778) seems more appropriate by analogy with existing config options
LocalCommand, ProxyCommand and AuthorizedKeysFile. I'll offer a
revised patch with the updated names shortly.
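The hardened design comment #13 describes (an ownership and permission check on every path component, fork()/exec() with privileges dropped for good instead of popen() under temporarily_use_uid(), and a single executable path that receives only the user name) as an added C sketch; this is illustration code, not the patches attached to this bug and not OpenSSH's own implementation. The command path and RunAs user name stand in for what the AuthorizedKeysCommand and AuthorizedKeysCommandRunAs options would supply.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* One path component passes when it is owned by root and is neither
 * group- nor world-writable (the per-component check concern 0 asks for). */
int component_ok(const struct stat *st)
{
    if (st->st_uid != 0)
        return 0;
    return (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* The command must be a single absolute path with no shell metacharacters,
 * because it is execve()d directly instead of going through popen()'s sh -c
 * (concern 2). Every directory from the executable up to "/" is checked. */
int validate_command_path(const char *cmd)
{
    char buf[PATH_MAX];
    struct stat st;
    char *slash;
    if (cmd == NULL || cmd[0] != '/' || strlen(cmd) >= sizeof(buf) ||
        strpbrk(cmd, " \t\r\n;|&$`<>()%") != NULL)
        return -1;
    strcpy(buf, cmd);
    if (stat(buf, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & S_IXUSR) == 0 || !component_ok(&st))
        return -1;
    for (;;) {                          /* strip one trailing component per turn */
        slash = strrchr(buf, '/');
        if (slash == buf)
            strcpy(buf, "/");
        else
            *slash = '\0';
        if (stat(buf, &st) != 0 || !S_ISDIR(st.st_mode) || !component_ok(&st))
            return -1;
        if (buf[1] == '\0')             /* reached "/" */
            return 0;
    }
}

/* Drop to the RunAs user for good. temporarily_use_uid() changes only the
 * effective uid, so a popen()ed child can seteuid(0) back (concern 1);
 * setuid() called as root sets real, effective and saved uid, then verify. */
int drop_privileges_permanently(const struct passwd *pw)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
        return -1;
    if (pw->pw_uid != 0 && seteuid(0) == 0)  /* re-elevation must now fail */
        return -1;
    return 0;
}

/* fork()/execve() the command with argv = { cmd, user } and read its stdout
 * (authorized_keys format) into out. Returns the byte count or -1; sshd would
 * then fall through to AuthorizedKeysFile when the output does not match. */
ssize_t run_authorized_keys_command(const char *cmd, const char *user,
                                    const char *runas, char *out, size_t outlen)
{
    struct passwd *pw = getpwnam(runas);   /* RunAs user, assumed to exist */
    int fds[2], status;
    pid_t pid;
    ssize_t n, total = 0;
    if (pw == NULL || validate_command_path(cmd) != 0 || pipe(fds) != 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        char *argv[] = { (char *)cmd, (char *)user, NULL };
        char *envp[] = { "PATH=/usr/bin:/bin", NULL };  /* fixed, minimal environment */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0 || drop_privileges_permanently(pw) != 0)
            _exit(127);
        execve(cmd, argv, envp);
        _exit(127);
    }
    close(fds[1]);
    while (total < (ssize_t)outlen - 1 &&
           (n = read(fds[0], out + total, outlen - 1 - total)) > 0)
        total += n;
    close(fds[0]);
    out[total] = '\0';
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return total;
}
```

Because the RunAs user is set before execve(), the key-lookup program runs with no way back to root even if it is buggy or malicious; the parent only ever parses its stdout.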
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-04 03:19 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #14 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> ---
Created attachment 1896
--> https://bugzilla.mindrot.org/attachment.cgi?id=1896
patch using AuthorizedKeysCommand terminology
Here is the patch using the sshd_config options AuthorizedKeysCommand and
AuthorizedKeysCommandRunAs. The ./configure option is
--with-authorized-keys-command. This seems preferable to the PubkeyAgent
terminology.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-04 03:26 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Jameson Rollins <ssh-bugzilla at finestructure.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ssh-bugzilla at finestructure.net
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-06 17:15 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Greg Lyle <greg at stealthisemail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |greg at stealthisemail.com
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-15 17:40 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Anthony DeRobertis <aderobertis at metrics.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |aderobertis at metrics.net
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-29 04:30 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Andres Pereira <andresp at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |andresp at gmail.com
bugzilla-daemon at bugzilla.mindrot.org
2010-Sep-03 13:05 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #15 from jchadima at redhat.com ---
Created attachment 1915
--> https://bugzilla.mindrot.org/attachment.cgi?id=1915
Patch suitable for openssh-5.6p1
bugzilla-daemon at bugzilla.mindrot.org
2010-Sep-08 07:43 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
jchadima at redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1915 is obsolete|0 |1
--- Comment #16 from jchadima at redhat.com ---
Created attachment 1920
--> https://bugzilla.mindrot.org/attachment.cgi?id=1920
Patch suitable for openssh-5.6p1
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-05 02:41 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Don Hoover <dxh at yahoo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P2 |P1
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-05 02:46 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #17 from Don Hoover <dxh at yahoo.com> 2011-02-05 13:46:39 EST ---
It's been a year now; how can we get someone from the team to evaluate
this for mainline development or just close down the idea? This is a
significant feature with a flexible solution to the needs of many, and
it's hard to believe that it has not seemed worthy of inclusion in the
main openssh development. Maybe Red Hat could start including this in
their package builds, since one of the devs is keeping a patch with this.
As a Fortune 50 user of RHEL it would greatly increase my security if I
could turn off password login across my environment except for a few
bastille hosts and keep user public keys in LDAP.
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-07 07:42 UTC
[Bug 1663] Allow to use agent for distribution of public keys.
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #18 from jchadima at redhat.com 2011-02-07 18:42:05 EST ---
This feature is included in the latest releases of the Fedora and RHEL6
products.
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-09 04:48 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Daniel Kahn Gillmor <dkg at fifthhorseman.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Allow to use agent for distribution of public keys.|sshd_config: AuthorizedKeysCommand
Alias| |AuthorizedKeysComman
bugzilla-daemon at bugzilla.mindrot.org
2011-Mar-30 11:45 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Petr Cerny [:hrosik] <pcerny at suse.cz> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pcerny at suse.cz
bugzilla-daemon at bugzilla.mindrot.org
2011-Jul-26 16:18 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #19 from Pier Fumagalli <pier at betaversion.org> 2011-07-27 02:18:46 EST ---
Created attachment 2067
--> https://bugzilla.mindrot.org/attachment.cgi?id=2067
Patch suitable for OpenSSH 5.8p2
Added patch suitable for OpenSSH 5.8p2
bugzilla-daemon at bugzilla.mindrot.org
2011-Jul-26 16:20 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Pier Fumagalli <pier at betaversion.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2067 mime type|application/octet-stream |text/plain
Attachment #2067 is patch|0 |1
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 05:24 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #20 from jchadima at redhat.com 2011-09-06 15:24:41 EST ---
What is the reason that this patch is not yet included in the release?
And why is it not yet scheduled for 6.0?
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-12 23:21 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #21 from jchadima at redhat.com 2011-09-13 09:21:24 EST ---
Created attachment 2083
--> https://bugzilla.mindrot.org/attachment.cgi?id=2083
patch for openssh-5.9p1
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-25 05:28 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Jan F. Chadima <jfch at jagda.eu> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jfch at jagda.eu
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-30 12:16 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Fr33z3m4n <Fr33z3m4n at gmx.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |Fr33z3m4n at gmx.net
--- Comment #22 from Fr33z3m4n <Fr33z3m4n at gmx.net> 2012-01-30 23:16:46 EST ---
> Created attachment 1850 [details]
> Full patch containing LDAP part
Thx for that Patch, but it won't build.
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -I. -I. -DWITH_LDAP_PUBKEY -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c ldapconf.c
ldapconf.c: In function ‘process_config_line’:
ldapconf.c:204: error: ‘LDAP_SCOPE_SUBTREE’ undeclared (first use in this function)
ldapconf.c:204: error: (Each undeclared identifier is reported only once
ldapconf.c:204: error: for each function it appears in.)
ldapconf.c:206: error: ‘LDAP_SCOPE_ONELEVEL’ undeclared (first use in this function)
ldapconf.c:208: error: ‘LDAP_SCOPE_BASE’ undeclared (first use in this function)
ldapconf.c:222: error: ‘LDAP_DEREF_NEVER’ undeclared (first use in this function)
ldapconf.c:224: error: ‘LDAP_DEREF_SEARCHING’ undeclared (first use in this function)
ldapconf.c:226: error: ‘LDAP_DEREF_FINDING’ undeclared (first use in this function)
ldapconf.c:228: error: ‘LDAP_DEREF_ALWAYS’ undeclared (first use in this function)
ldapconf.c:339: error: ‘LDAP_OPT_X_TLS_NEVER’ undeclared (first use in this function)
ldapconf.c:341: error: ‘LDAP_OPT_X_TLS_HARD’ undeclared (first use in this function)
ldapconf.c:343: error: ‘LDAP_OPT_X_TLS_DEMAND’ undeclared (first use in this function)
ldapconf.c:345: error: ‘LDAP_OPT_X_TLS_ALLOW’ undeclared (first use in this function)
ldapconf.c:347: error: ‘LDAP_OPT_X_TLS_TRY’ undeclared (first use in this function)
ldapconf.c: In function ‘fill_default_options’:
ldapconf.c:503: error: ‘LDAPURLDesc’ undeclared (first use in this function)
ldapconf.c:503: error: ‘ludp’ undeclared (first use in this function)
ldapconf.c:505: warning: implicit declaration of function ‘ldap_url_parse’
ldapconf.c:505: error: ‘LDAP_SUCCESS’ undeclared (first use in this function)
ldapconf.c:507: warning: left-hand operand of comma expression has no effect
ldapconf.c:507: warning: value computed is not used
ldapconf.c:507: warning: left-hand operand of comma expression has no effect
ldapconf.c:509: warning: left-hand operand of comma expression has no effect
ldapconf.c:509: warning: value computed is not used
ldapconf.c:509: warning: left-hand operand of comma expression has no effect
ldapconf.c:511: warning: left-hand operand of comma expression has no effect
ldapconf.c:511: warning: value computed is not used
ldapconf.c:511: warning: left-hand operand of comma expression has no effect
ldapconf.c:519: warning: implicit declaration of function ‘ldap_free_urldesc’
ldapconf.c:541: error: ‘LDAP_SCOPE_SUBTREE’ undeclared (first use in this function)
ldapconf.c:543: error: ‘LDAP_DEREF_NEVER’ undeclared (first use in this function)
ldapconf.c:557: error: ‘LDAP_OPT_X_TLS_HARD’ undeclared (first use in this function)
ldapconf.c: At top level:
ldapconf.c:622: error: ‘LDAP_SCOPE_BASE’ undeclared here (not in a function)
ldapconf.c:623: error: ‘LDAP_SCOPE_ONELEVEL’ undeclared here (not in a function)
ldapconf.c:624: error: ‘LDAP_SCOPE_SUBTREE’ undeclared here (not in a function)
ldapconf.c:628: error: ‘LDAP_DEREF_NEVER’ undeclared here (not in a function)
ldapconf.c:628: error: initializer element is not constant
ldapconf.c:628: error: (near initialization for ‘_deref[0].value’)
ldapconf.c:629: error: ‘LDAP_DEREF_SEARCHING’ undeclared here (not in a function)
ldapconf.c:629: error: initializer element is not constant
ldapconf.c:629: error: (near initialization for ‘_deref[1].value’)
ldapconf.c:630: error: ‘LDAP_DEREF_FINDING’ undeclared here (not in a function)
ldapconf.c:630: error: initializer element is not constant
ldapconf.c:630: error: (near initialization for ‘_deref[2].value’)
ldapconf.c:631: error: ‘LDAP_DEREF_ALWAYS’ undeclared here (not in a function)
ldapconf.c:631: error: initializer element is not constant
ldapconf.c:631: error: (near initialization for ‘_deref[3].value’)
ldapconf.c:645: error: ‘LDAP_OPT_X_TLS_NEVER’ undeclared here (not in a function)
ldapconf.c:645: error: initializer element is not constant
ldapconf.c:645: error: (near initialization for ‘_checkpeer[0].value’)
ldapconf.c:646: error: ‘LDAP_OPT_X_TLS_HARD’ undeclared here (not in a function)
ldapconf.c:646: error: initializer element is not constant
ldapconf.c:646: error: (near initialization for ‘_checkpeer[1].value’)
ldapconf.c:647: error: ‘LDAP_OPT_X_TLS_DEMAND’ undeclared here (not in a function)
ldapconf.c:647: error: initializer element is not constant
ldapconf.c:647: error: (near initialization for ‘_checkpeer[2].value’)
ldapconf.c:648: error: ‘LDAP_OPT_X_TLS_ALLOW’ undeclared here (not in a function)
ldapconf.c:648: error: initializer element is not constant
ldapconf.c:648: error: (near initialization for ‘_checkpeer[3].value’)
ldapconf.c:649: error: ‘LDAP_OPT_X_TLS_TRY’ undeclared here (not in a function)
ldapconf.c:649: error: initializer element is not constant
ldapconf.c:649: error: (near initialization for ‘_checkpeer[4].value’)
make: *** [ldapconf.o] Error 1
What can I do?
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-30 15:58 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #23 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> 2012-01-31 02:58:00 EST ---
(In reply to comment #22)
> > Created attachment 1850 [details]
> > Full patch containing LDAP part
>
> Thx for that Patch, but it won't build.
You don't mention which version of OpenSSH you tried to compile the LDAP
patch against.
> What can I do?
You could try using the AuthorizedKeysCommand variant, which is simpler
and more up-to-date with the current version of OpenSSH.
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-30 16:40 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #24 from Fr33z3m4n <Fr33z3m4n at gmx.net> 2012-01-31 03:40:57 EST ---
(In reply to comment #23)
> You don't mention which version of OpenSSH you tried to compile the
> LDAP patch against.
Hi, sorry, I used openssh 5.5p1 for this patch.
> You could try using the AuthorizedKeysCommand variant, which is simpler
> and more up-to-date with the current version of OpenSSH.
Can you explain to me how it works with LDAP, and which settings to use?
BR
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-30 16:46 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #25 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> 2012-01-31 03:46:50 EST ---
(In reply to comment #24)
> Can you explain to me how it works with LDAP, and which settings to use?
Perhaps jchadima at redhat.com can suggest something? I don't do much work with LDAP here.
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-30 17:36 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #26 from Fr33z3m4n <Fr33z3m4n at gmx.net> 2012-01-31 04:36:02 EST ---
(In reply to comment #25)
> Perhaps jchadima at redhat.com can suggest something? I don't do much
> work with LDAP here.
<jchadima at redhat.com>: host xxxx[xxxx] said: 550 5.2.1 <jchadima at redhat.com>... Mailbox disabled for this recipient (in reply to RCPT TO command)
;( I hope he will read here.
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-30 18:26 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #27 from Tomas Mraz <t8m at centrum.cz> 2012-01-31 05:26:02 EST ---
In the Fedora openssh rpm package you should find some documentation on the AuthorizedKeysCommand helper for the keys in LDAP.
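As an added illustration of the AuthorizedKeysCommand approach suggested in the comments above (not the bug's patch and not Fedora's helper), here is a minimal helper that sshd can run to pull a user's keys out of LDAP. The sshd_config lines, the LDAP URI, base DN, objectClass and the sshPublicKey attribute are assumptions about the directory; the security points are that the login name is escaped before it goes into the search filter and that only values shaped like an OpenSSH public key are echoed back to sshd.

```shell
#!/bin/sh
# Assumed sshd_config (AuthorizedKeysCommand exists from OpenSSH 6.2):
#   AuthorizedKeysCommand /usr/local/sbin/ssh-ldap-keys
#   AuthorizedKeysCommandUser nobody
# Hypothetical directory settings; adjust to your own schema.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=com}"

# Escape RFC 4515 filter metacharacters so a crafted login name cannot
# rewrite the search filter (LDAP filter injection).
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Turn ldapsearch LDIF on stdin into authorized_keys lines: unfold
# continuation lines (leading space) and emit only values that look like
# a bare OpenSSH key; option-prefixed or base64 ("::") values are dropped.
ldif_to_authorized_keys() {
    awk '
    function emit(line,   val) {
        if (line !~ /^sshPublicKey: /) return
        val = substr(line, index(line, ": ") + 2)
        if (val ~ /^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+\/]+=*( .*)?$/)
            print val
    }
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") emit(buf); buf = $0 }
    END { if (buf != "") emit(buf) }'
}

# Constructed ldapsearch -LLL output (not real directory data): one key
# folded across two lines and one junk value, for offline checking.
sample_ldif() {
    printf '%s\n' 'dn: uid=alice,ou=people,dc=example,dc=com' \
        'sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUC' \
        ' TEDKEY alice@example.com' 'sshPublicKey: not-a-key'
}

# sshd runs the command with the login name as its single argument.
main() {
    case $1 in
        *[!A-Za-z0-9._-]*|'') exit 1 ;;  # refuse odd names before querying
    esac
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$(ldap_filter_escape "$1")))" \
        sshPublicKey | ldif_to_authorized_keys
}

if [ "$#" -eq 1 ]; then main "$1"; fi
```

Running `sample_ldif | ldif_to_authorized_keys` shows the folded entry reassembled into one authorized_keys line and the junk value discarded.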
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-31 19:09 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
--- Comment #28 from Jan F. Chadima <jfch at jagda.eu> 2012-02-01 06:09:21 EST ---
The LDAP backend is now done as the patch to the openssh build in Fedora. This is not the best way this should be done. If you are brave enough, you could change it into a standalone project. Everything is ready in the patch; only the Makefile and configure or cmake should be prepared. If you are able to do it, please do it.
bugzilla-daemon at bugzilla.mindrot.org
2012-Feb-22 18:02 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Mike Kelly <mike at pair.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mike at pair.com
bugzilla-daemon at bugzilla.mindrot.org
2012-Mar-12 09:10 UTC
[Bug 1663] sshd_config: AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Cheer Xiao <xiaqqaix at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |xiaqqaix at gmail.com
--- Comment #29 from Cheer Xiao <xiaqqaix at gmail.com> 2012-03-12 20:10:34 EST ---
(I'm sorry I have to do this) A bump for the bug. It has been 2.4 years
since the original patch... and please, close or accept this.