Commit | Line | Data |
---|---|---|
48dfc510 | 1 | diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.3p1/Makefile.in openssh-4.3p1-lpk/Makefile.in |
2 | --- openssh-4.3p1/Makefile.in 2006-01-01 09:47:05.000000000 +0100 | |
3 | +++ openssh-4.3p1-lpk/Makefile.in 2006-04-18 15:46:59.000000000 +0200 | |
4 | @@ -86,7 +86,7 @@ | |
5 | auth-krb5.o \ | |
6 | auth2-gss.o gss-serv.o gss-serv-krb5.o \ | |
7 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | |
8 | - audit.o audit-bsm.o | |
9 | + audit.o audit-bsm.o ldapauth.o | |
10 | ||
11 | MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out | |
12 | MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 | |
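Review bot: `ldapauth.o` is appended unconditionally to the sshd object list in this hunk, but nothing in the hunk adds the LDAP client link flags (`-lldap -llber`) to LIBS or makes the object depend on a configure-time option, so a tree built on a host without the LDAP client libraries will fail to link sshd. Either confirm that the rest of the patch (configure.ac) supplies the link flags and that `ldapauth.c` compiles to an empty object when LDAP support is not enabled, or gate the new object behind a configure substitution instead of hard-coding it here.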
13 | diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.3p1/README.lpk openssh-4.3p1-lpk/README.lpk | |
14 | --- openssh-4.3p1/README.lpk 1970-01-01 01:00:00.000000000 +0100 | |
15 | +++ openssh-4.3p1-lpk/README.lpk 2006-04-18 15:46:59.000000000 +0200 | |
16 | @@ -0,0 +1,265 @@ | |
17 | +OpenSSH LDAP PUBLIC KEY PATCH | |
18 | +Copyright (c) 2003 Eric AUGE (eau@phear.org) | |
19 | +All rights reserved. | |
20 | + | |
21 | +Redistribution and use in source and binary forms, with or without | |
22 | +modification, are permitted provided that the following conditions | |
23 | +are met: | |
24 | +1. Redistributions of source code must retain the above copyright | |
25 | + notice, this list of conditions and the following disclaimer. | |
26 | +2. Redistributions in binary form must reproduce the above copyright | |
27 | + notice, this list of conditions and the following disclaimer in the | |
28 | + documentation and/or other materials provided with the distribution. | |
29 | +3. The name of the author may not be used to endorse or promote products | |
30 | + derived from this software without specific prior written permission. | |
31 | + | |
32 | +THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |
33 | +IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
34 | +OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
35 | +IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
36 | +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
37 | +NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
38 | +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
39 | +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
40 | +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
41 | +THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
42 | + | |
43 | +purposes of this patch: | |
44 | + | |
45 | +This patch would help to have authentication centralization policy | |
46 | +using ssh public key authentication. | |
47 | +This patch could be an alternative to other "secure" authentication system | |
48 | +working in a similar way (Kerberos, SecurID, etc...), except the fact | |
49 | +that it's based on OpenSSH and its public key abilities. | |
50 | + | |
51 | +>> FYI: << | |
52 | +'uid': means unix accounts existing on the current server | |
53 | +'lpkServerGroup:' mean server group configured on the current server ('lpkServerGroup' in sshd_config) | |
54 | + | |
55 | +example schema: | |
56 | + | |
57 | + | |
58 | + server1 (uid: eau,rival,toto) (lpkServerGroup: unix) | |
59 | + ___________ / | |
60 | + / \ --- - server3 (uid: eau, titi) (lpkServerGroup: unix) | |
61 | + | LDAP Server | \ | |
62 | + | eau ,rival | server2 (uid: rival, eau) (lpkServerGroup: unix) | |
63 | + | titi ,toto | | |
64 | + | userx,.... | server5 (uid: eau) (lpkServerGroup: mail) | |
65 | + \___________/ \ / | |
66 | + ----- - server4 (uid: eau, rival) (no group configured) | |
67 | + \ | |
68 | + etc... | |
69 | + | |
70 | +- WHAT WE NEED : | |
71 | + | |
72 | + * configured LDAP server somewhere on the network (i.e. OpenLDAP) | |
73 | + * patched sshd (with this patch ;) | |
74 | + * LDAP user(/group) entry (look at users.ldif (& groups.ldif)): | |
75 | + User entry: | |
76 | + - attached to the 'ldapPublicKey' objectclass | |
77 | + - attached to the 'posixAccount' objectclass | |
78 | + - with a filled 'sshPublicKey' attribute | |
79 | + Example: | |
80 | + dn: uid=eau,ou=users,dc=cuckoos,dc=net | |
81 | + objectclass: top | |
82 | + objectclass: person | |
83 | + objectclass: organizationalPerson | |
84 | + objectclass: posixAccount | |
85 | + objectclass: ldapPublicKey | |
86 | + description: Eric AUGE Account | |
87 | + userPassword: blah | |
88 | + cn: Eric AUGE | |
89 | + sn: Eric AUGE | |
90 | + uid: eau | |
91 | + uidNumber: 1034 | |
92 | + gidNumber: 1 | |
93 | + homeDirectory: /export/home/eau | |
94 | + sshPublicKey: ssh-dss AAAAB3... | |
95 | + sshPublicKey: ssh-dss AAAAM5... | |
96 | + | |
97 | + Group entry: | |
98 | + - attached to the 'posixGroup' objectclass | |
99 | + - with a 'cn' groupname attribute | |
100 | + - with multiple 'memberUid' attributes filled with usernames allowed in this group | |
101 | + Example: | |
102 | + # few members | |
103 | + dn: cn=unix,ou=groups,dc=cuckoos,dc=net | |
104 | + objectclass: top | |
105 | + objectclass: posixGroup | |
106 | + description: Unix based servers group | |
107 | + cn: unix | |
108 | + gidNumber: 1002 | |
109 | + memberUid: eau | |
110 | + memberUid: user1 | |
111 | + memberUid: user2 | |
112 | + | |
113 | + | |
114 | +- HOW IT WORKS : | |
115 | + | |
116 | + * without patch | |
117 | + If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..) | |
118 | + and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled). | |
119 | + | |
120 | + * with the patch | |
121 | + If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled. | |
122 | + It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. | |
123 | + (usually in $HOME/.ssh/authorized_keys) | |
124 | + | |
125 | + If groups are enabled, it will also check if the user that wants to login is in the group of the server he is trying to log into. | |
126 | + If it fails, it falls back on RSA auth files ($HOME/.ssh/authorized_keys), etc.. and finally to standard password authentication (if enabled). | |
127 | + | |
128 | + 7 tokens are added to sshd_config : | |
129 | + # here is the new patched ldap related tokens | |
130 | + # entries in your LDAP must be posixAccount & strongAuthenticationUser & posixGroup | |
131 | + UseLPK yes # look the pub key into LDAP | |
132 | + LpkServers ldap://10.31.32.5/ ldap://10.31.32.4 ldap://10.31.32.3 # which LDAP server for users ? (URL format) | |
133 | + LpkUserDN ou=users,dc=foobar,dc=net # which base DN for users ? | |
134 | + LpkGroupDN ou=groups,dc=foobar,dc=net # which base DN for groups ? | |
135 | + LpkBindDN cn=manager,dc=foobar,dc=net # which bind DN ? | |
136 | + LpkBindPw asecret # bind DN credidentials | |
137 | + LpkServerGroup agroupname # the group the server is part of | |
138 | + | |
139 | Content-type: text/html ]>