Hello!
I'm working on openssh and nsswitch integration in FreeBSD. I am lucky
to participate in Googles' Summer of Code and openssh+nsswitch
integration is the part of my project. I've almost completed the patch.
I'd like to describe some details here. I'll be glad to correct or
change some things if you wish.
The idea is to replace system-wide known-hosts file with nsswitch source.
After examining openssh port, I've found 2 basic functions, which handle
the known-hosts files (hostfile.h):
HostStatus check_host_in_hostfile(const char *, const char *, const Key
*, Key *, int *);
int lookup_key_in_hostfile_by_type(const char *, const char *, int,
Key *, int *);
As far as I know, all other routines, that deal with these files are
seem to be built on top of these 2 functions. So I'd like to implement
another 2 functions:
HostStatus nsswitch_check_host(const char *, const Key *, Key *);
int nsswitch_lookup_key_by_type(const char *, int, Key *);
They will be used instead of previous 2 in all places, where system-wide
known-hosts file was accessed. But it will dispatch the calls to the
nsswitch subsystem. Nsswitch 'files' module will have the same
functionality as the previous 2 functions, but users will be able to
store their public keys in LDAP, for example. Besides any other source
can be implemented as the pluggable nsswitch module.
In ssh client the files module will take the system files path from the
Options structure. And in the sshd (in case of hostbased
authentication), it will use the default values.
So this is the way I want to integrate nsswitch and openssh in FreeBSD.
Is this approach applicable?
With best regards,
Michael Bushkov
Rostov State University
