1 diff -ru openssh-3.6.1p1/auth2-pubkey.c openssh-3.6.1p1-ldappubkey/auth2-pubkey.c
2 --- openssh-3.6.1p1/auth2-pubkey.c Thu Jun 6 22:27:56 2002
3 +++ openssh-3.6.1p1-ldappubkey/auth2-pubkey.c Thu Apr 17 11:53:03 2003
8 +#ifdef WITH_LDAP_PUBKEY
15 /* Temporarily use the user's uid. */
16 temporarily_use_uid(pw);
17 +#ifdef WITH_LDAP_PUBKEY
19 + /* allocate a new key type */
20 + found = key_new(key->type);
22 + /* first check if the options is enabled, then try.. */
23 + debug("trying LDAP first uid=%s",pw->pw_name);
26 + host.url = options.myldap_opt.ldap_server;
27 + host.binddn = options.myldap_opt.binddn;
28 + host.bindpw = options.myldap_opt.bindpw;
29 + host.mgroup = options.myldap_opt.mgroup;
31 + if(options.myldap_opt.pubkey_from_ldap
32 + &&(key_ldap_read(found,pw->pw_name,&host) != 1)) {
33 + debug2("LDAP pubkey failed!!!");
34 + debug2("URL: %s !!",options.myldap_opt.ldap_server);
37 + if (key_equal(found,key)) {
39 + debug("matching key found on LDAP, line %lu",linenum);
40 + fp = key_fingerprint(found,SSH_FP_MD5, SSH_FP_HEX);
41 + verbose("Found matching %s key: %s",key_type(found),fp);
49 debug("trying public key file %s", file);
56 /* Open the file containing the authorized keys. */
64 if (options.strict_modes &&
65 secure_filename(f, file, pw, line, sizeof(line)) != 0) {
73 found = key_new(key->type);
74 + old place of found_key = 0;
77 while (fgets(line, sizeof(line), f)) {
78 char *cp, *options = NULL;
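Review bot: `found` is allocated with `key_new(key->type)` on the LDAP path and then allocated again with `found = key_new(key->type)` before the file loop, and no `key_free(found)` appears between the two, so the first Key leaks on every authentication attempt unless a free sits in the lines this excerpt omits; the LDAP branch should `key_free(found)` once it is done (or the file branch should reuse the object). `key_equal(found, key)` is also evaluated when `pubkey_from_ldap` is off or `key_ldap_read` did not return 1, i.e. against a blank or partially filled key; gating it as `if (options.myldap_opt.pubkey_from_ldap && key_ldap_read(found, pw->pw_name, &host) == 1 && key_equal(found, key))` ties the match to a successful lookup. Only `url`, `binddn`, `bindpw` and `mgroup` of `host` are set, so if `host` is an automatic variable its `next` member holds an indeterminate pointer; `memset(&host, 0, sizeof host);` before the assignments settles it. The added line `old place of found_key = 0;` is not valid C unless comment delimiters were lost in this listing, and should be removed or wrapped in `/* ... */`. The enclosing function (user_key_allowed2) begins and ends outside the lines shown.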
79 diff -ru openssh-3.6.1p1/key.c openssh-3.6.1p1-ldappubkey/key.c
80 --- openssh-3.6.1p1/key.c Mon Feb 24 02:01:41 2003
81 +++ openssh-3.6.1p1-ldappubkey/key.c Thu Apr 17 11:48:00 2003
84 #include <openssl/evp.h>
86 +#ifdef WITH_LDAP_PUBKEY
90 +#define PORT LDAP_PORT
93 + * defined in core.schema, this is a temporary objectclass which can be
94 + * used since i m waiting for pkix schema and pubKey attribute (binary as well
95 + * so minor changes for this patch), there will be an update about this ;)
96 + * the following defs were for test purposes only
97 + * i'm still keeping objectclass=strongAuthenticationuser because of the purpose
98 + * this patch, and wrongly using cn for each user to store group includes
99 + * refere to the README for a better understanding of this.
101 +#define OBJCLASS "objectclass=strongAuthenticationUser"
102 +#define BASE_REQ "ou=users,dc=foobar,dc=net"
108 @@ -372,6 +391,217 @@
113 +#ifdef WITH_LDAP_PUBKEY
114 +/* returns 1 ok, -1 error */
116 +/* key_ldap_read(Key *ret, char *uid, char *url, char *binddn, char *bindpw) */
117 +key_ldap_read(Key *ret, char *uid, lh *host)
121 + LDAPMessage *res,*e;
122 + LDAPURLDesc *urlstruct;
123 + char *a,*urlssl,objbuf[LINEMAX];
124 + struct berval **vals;
126 + int version, rc, j, i, success = -1, ssl_size = 0;
129 + version = LDAP_VERSION3;
131 + /* url based ldap://hostport/dn[?attrs[?scope[?filter[?exts]]]] */
132 + rc = ldap_is_ldap_url(host->url);
134 + error("key_ldap_read: ldap_is_ldap_url() -> ldap is not an url");
140 + rc = ldap_url_parse(host->url,&urlstruct);
142 + error("key_ldap_read: ldap_url_parse() -> ldap couldn't be parsed");
148 + ssl_size = strlen(urlstruct->lud_scheme)+strlen(urlstruct->lud_host)+10;
150 + urlssl = (char *) malloc( ssl_size * sizeof(char) );
152 + error("key_ldap_read: malloc()");
154 + /* free what has been allocated */
155 + ldap_free_urldesc(urlstruct);
160 + memset(urlssl,0,ssl_size);
161 + snprintf(urlssl,ssl_size,"%s://%s:%d",urlstruct->lud_scheme,urlstruct->lud_host,urlstruct->lud_port);
163 + /* open ldap connection */
164 + ld = ldap_init(urlstruct->lud_host,urlstruct->lud_port);
166 + error("key_ldap_read: ldap_init()");
168 + /* free what has been allocated */
170 + ldap_free_urldesc(urlstruct);
176 + /* setting V3 proto otherwise TLS impossible */
177 + if (ldap_set_option(ld,LDAP_OPT_PROTOCOL_VERSION,&version) != LDAP_OPT_SUCCESS) {
178 + error("key_ldap_read: ldap couldn't set version for TLS/SSL");
180 + /* free what has been allocated */
182 + ldap_free_urldesc(urlstruct);
187 + /* HERE CHOOSE SSL/TLS use the scheme and look for the magic 's' ;) */
188 + if (urlstruct->lud_scheme[strlen(urlstruct->lud_scheme)-1] == 's') {
189 + if (ldap_initialize(&ld, urlssl) != LDAP_SUCCESS) {
190 + error("key_ldap_read: ldap_initialize()");
192 + /* free what has been allocated */
194 + ldap_free_urldesc(urlstruct);
200 + if ( (ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS)) {
201 + ldap_perror( ld, "key_ldap_read: (TLS) ldap_start_tls" );
202 + /* recover to normal connection */
203 + ld = ldap_init(urlstruct->lud_host,urlstruct->lud_port);
205 + error("key_ldap_read: ldap_init()");
207 + /* free what has been allocated */
209 + ldap_free_urldesc(urlstruct);
218 + /* anonymous bind pubkey can be retrieved by anybody */
219 + if (ldap_simple_bind_s(ld,host->binddn,host->bindpw) != LDAP_SUCCESS) {
220 + error("key_ldap_read: ldap_simple_bind_s()");
222 + /* free what has been allocated */
224 + ldap_free_urldesc(urlstruct);
230 + /* start ldap search */
236 + * The user need to have posixAccount & strongAuthenticationuser attributes
237 + * to accept the challenge.
238 + * posixAccount & strongAuthenticationuser + uid is member of configured group.
239 + * ldap user entries MUST respect our standard description.
240 + * objectclass still hardcoded, hope to change this soon .
244 + snprintf(objbuf,LINEMAX,"(&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(&(cn=*%s*)(uid=%s)))",host->mgroup,uid);
246 + snprintf(objbuf,LINEMAX,"(&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(uid=%s))",uid);
248 + /* New filter group inclusive depend on the configuration */
249 + /* (&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(&(cn=*groupname*)(uid=eau))) */
251 + ldap_search_s(ld,urlstruct->lud_dn,LDAP_SCOPE_SUBTREE,objbuf,NULL,0,&res);
252 + i = ldap_count_entries(ld,res);
254 + for(e=ldap_first_entry(ld,res); e != NULL; e=ldap_next_entry(ld,e)) {
256 + for(a=ldap_first_attribute(ld,e,&ptr);a!=NULL;a=ldap_next_attribute(ld,e,ptr))
258 + if(strncmp(a,"userCertificate",15) == 0) {
259 + vals=ldap_get_values_len(ld,e,a);
260 + for(j = 0; vals[j] != NULL; j++) {
261 + /* value is here :) vals[j] */
262 + k = key_from_blob((unsigned char *)vals[j]->bv_val,(int)vals[j]->bv_len);
265 + error("key_read: key_from_blob LDAP failed");
267 + ldap_value_free_len(vals);
268 + ldap_free_urldesc(urlstruct);
274 + /* i dont have type ?!?!?! */
275 + if (k->type != KEY_DSA) {
276 + error("key_read: type mismatch: encoding error");
278 + ldap_value_free_len(vals);
279 + ldap_free_urldesc(urlstruct);
286 + if (ret->type == KEY_RSA) {
287 + error("LDAP doesnt handle RSA keys yet");
289 + /* freeing everything */
290 + ldap_value_free_len(vals);
291 + ldap_free_urldesc(urlstruct);
297 + if (ret->dsa != NULL)
298 + DSA_free(ret->dsa);
301 + DSA_print_fp(stderr,ret->dsa,8);
303 + /* freeing everything */
304 + ldap_value_free_len(vals);
305 + ldap_free_urldesc(urlstruct);
313 + ldap_value_free_len(vals);
318 + ldap_free_urldesc(urlstruct);
324 /* returns 1 ok, -1 error */
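Review bot: When `ldap_start_tls_s` fails, the code re-creates the session with `ldap_init` and carries on, so the following `ldap_simple_bind_s(ld, host->binddn, host->bindpw)` sends the bind password in clear over the very link that just refused TLS, and the earlier `ld` handle is dropped without `ldap_unbind`; a StartTLS failure should end the lookup (`ldap_unbind(ld); ldap_free_urldesc(urlstruct); free(urlssl); return -1;`) instead of downgrading. The return value of `ldap_search_s` is not checked, so on a failed search `res` is passed uninitialized to `ldap_count_entries` and `ldap_first_entry`, and on the paths shown `res` is never released with `ldap_msgfree` nor `urlssl` freed. The filter is built by `snprintf` from `uid` and `host->mgroup` without escaping the RFC 4515 metacharacters (`*`, `(`, `)`, `\`, NUL), and `(cn=*%s*)` is a substring match that accepts any entry whose cn merely contains the group name, so the group test should use an exact attribute comparison with escaped values. Part of key_ldap_read's body is omitted from this excerpt, so some of the missing frees may exist off-page; the function's closing brace is not shown.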
326 diff -ru openssh-3.6.1p1/key.h openssh-3.6.1p1-ldappubkey/key.h
327 --- openssh-3.6.1p1/key.h Mon Feb 24 02:01:41 2003
328 +++ openssh-3.6.1p1-ldappubkey/key.h Thu Apr 17 11:48:05 2003
330 char *key_type(Key *);
331 int key_write(Key *, FILE *);
332 int key_read(Key *, char **);
333 +#ifdef WITH_LDAP_PUBKEY
334 +/* next step is to handle fallback on ldap servers */
335 +typedef struct ldaphost {
336 + char *url; /* LDAP infos in URL format */
337 + char *binddn; /* bind DN */
338 + char *bindpw; /* obvious :> */
339 + char *mgroup; /* server group name */
340 + struct ldaphost *next;
343 +int key_ldap_read(Key *, char *, lh *);
345 u_int key_size(Key *);
347 Key *key_generate(int, u_int);
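Review bot: The prototype `int key_ldap_read(Key *, char *, lh *);` carries neither parameter names nor a statement of its contract, while the only description (`/* returns 1 ok, -1 error */`) lives in key.c; declaring it as `int key_ldap_read(Key *ret, char *uid, lh *host); /* loads uid's LDAP public key into ret; 1 ok, -1 error */` makes the header self-describing. The `ldaphost` fields should state who owns the strings (auth2-pubkey.c points them at the ServerOptions fields without copying) and that `next` is reserved for the fallback chaining mentioned in the comment above the struct, and `/* obvious :> */` on `bindpw` would be better as `/* password for binddn; NULL means anonymous bind */`, which matches the NULL defaults in servconf.c and the anonymous-bind comment in key.c.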
348 diff -ru openssh-3.6.1p1/servconf.c openssh-3.6.1p1-ldappubkey/servconf.c
349 --- openssh-3.6.1p1/servconf.c Mon Feb 24 02:04:34 2003
350 +++ openssh-3.6.1p1-ldappubkey/servconf.c Thu Apr 17 12:04:42 2003
352 options->client_alive_count_max = -1;
353 options->authorized_keys_file = NULL;
354 options->authorized_keys_file2 = NULL;
355 +#ifdef WITH_LDAP_PUBKEY
356 + options->myldap_opt.pubkey_from_ldap = -1;
357 + options->myldap_opt.ldap_server = NULL;
358 + options->myldap_opt.binddn = NULL;
359 + options->myldap_opt.bindpw = NULL;
360 + options->myldap_opt.mgroup = NULL;
363 /* Needs to be accessable in many places */
367 if (options->authorized_keys_file == NULL)
368 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
369 +#ifdef WITH_LDAP_PUBKEY
370 + if (options->myldap_opt.pubkey_from_ldap == -1)
371 + options->myldap_opt.pubkey_from_ldap = 0;
372 + if (options->myldap_opt.ldap_server == NULL)
373 + options->myldap_opt.ldap_server = _DEFAULT_LDAP_PUBKEY_SERVER;
374 + if (options->myldap_opt.binddn == NULL)
375 + options->myldap_opt.binddn = _DEFAULT_BINDDN;
376 + if (options->myldap_opt.bindpw == NULL)
377 + options->myldap_opt.bindpw = _DEFAULT_BINDPW;
378 + if (options->myldap_opt.mgroup == NULL)
379 + options->myldap_opt.mgroup = _DEFAULT_MGROUP;
382 /* Turn privilege separation on by default */
383 if (use_privsep == -1)
385 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
386 sUsePrivilegeSeparation,
388 +#ifdef WITH_LDAP_PUBKEY
389 + ,sPubkey_from_ldap, sLdap_server, sBinddn, sBindpw, sMgroup
393 /* Textual representation of the tokens. */
395 { "clientalivecountmax", sClientAliveCountMax },
396 { "authorizedkeysfile", sAuthorizedKeysFile },
397 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
398 +#ifdef WITH_LDAP_PUBKEY
399 + { "pubkeyfromldap", sPubkey_from_ldap },
400 + { "ldapserver", sLdap_server },
401 + { "binddn", sBinddn },
402 + { "bindpw", sBindpw },
403 + { "mygroup", sMgroup },
405 { "useprivilegeseparation", sUsePrivilegeSeparation},
412 +#ifdef WITH_LDAP_PUBKEY
413 + case sPubkey_from_ldap:
414 + intptr = &options->myldap_opt.pubkey_from_ldap;
417 + /* arg = strdelim(&cp); */
421 + if (!arg || *arg == '\0')
422 + fatal("%s line %d: missing ldap server",filename,linenum);
423 + arg[strlen(arg)-1] = '\0';
424 + options->myldap_opt.ldap_server=xstrdup(arg);
425 + memset(arg,0,strlen(arg));
428 + /* arg = strdelim(&cp); */
432 + if (!arg || *arg == '\0')
433 + fatal("%s line %d: missing binddn",filename,linenum);
434 + arg[strlen(arg)-1] = '\0';
435 + options->myldap_opt.binddn = xstrdup(arg);
436 + memset(arg,0,strlen(arg));
439 + /* arg = strdelim(&cp); */
443 + if (!arg || *arg == '\0')
444 + fatal("%s line %d: missing bindpw",filename,linenum);
445 + arg[strlen(arg)-1] = '\0';
446 + options->myldap_opt.bindpw=xstrdup(arg);
447 + memset(arg,0,strlen(arg));
453 + if (!arg || *arg == '\0')
454 + fatal("%s line %d: missing groupname",filename, linenum);
455 + arg[strlen(arg) - 1] = '\0';
456 + options->myldap_opt.mgroup = xstrdup(arg);
457 + memset(arg,0,strlen(arg));
462 fatal("%s line %d: Missing handler for opcode %s (%d)",
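Review bot: Each of the four string cases executes `arg[strlen(arg)-1] = '\0'` before `xstrdup`, which unconditionally drops the last character of the token; the commented-out `strdelim` calls suggest `arg` is the raw remainder of the line and the intent is to strip a trailing newline, but a final line without one (or a token produced by `strdelim`, which already splits on whitespace) loses the last character of the URL, DN, password or group name. `arg[strcspn(arg, "\n")] = '\0';` removes only a newline that is actually present. The `if (!arg || *arg == '\0')` check runs before the strip, so a line holding just a newline passes it and stores an empty value; performing the check after the strip closes that gap. The same applies to sLdap_server, sBinddn, sBindpw and sMgroup, and the `memset(arg, 0, strlen(arg))` wipe is only meaningful for `bindpw`, whose `xstrdup` copy necessarily remains in `options`.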
463 diff -ru openssh-3.6.1p1/servconf.h openssh-3.6.1p1-ldappubkey/servconf.h
464 --- openssh-3.6.1p1/servconf.h Thu Aug 1 03:28:39 2002
465 +++ openssh-3.6.1p1-ldappubkey/servconf.h Thu Apr 17 11:57:48 2003
467 #define PERMIT_NO_PASSWD 2
470 +#ifdef WITH_LDAP_PUBKEY
471 +#define _DEFAULT_LDAP_PUBKEY_SERVER "localhost"
472 +#define _DEFAULT_BASEDN "ou=People,dc=company,dc=net"
473 +#define _DEFAULT_BINDDN NULL
474 +#define _DEFAULT_BINDPW NULL
475 +#define _DEFAULT_MGROUP NULL
478 + int pubkey_from_ldap;
479 + char *ldap_server; /* ldap URL format where pubkeys are */
480 + char *binddn; /* ldap base dn where users resides */
481 + char *bindpw; /* ldap bind passwd */
482 + char *mgroup; /* ldap server group name, NULL if deactivated */
490 char *authorized_keys_file; /* File containing public keys */
491 char *authorized_keys_file2;
492 int pam_authentication_via_kbd_int;
493 +#ifdef WITH_LDAP_PUBKEY
494 + ldap_opt myldap_opt;
498 void initialize_server_options(ServerOptions *);
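Review bot: The comment on `binddn` says `ldap base dn where users resides`, but the field is handed to `ldap_simple_bind_s` in key.c and key.h calls it the bind DN; it should read `/* DN to bind as for the lookup; NULL means anonymous bind */`. `_DEFAULT_BASEDN` is defined but nothing in this patch reads it (servconf.c's fill_default_server_options covers server, binddn, bindpw and mgroup only), and `_DEFAULT_LDAP_PUBKEY_SERVER` is `"localhost"`, which `key_ldap_read` rejects through `ldap_is_ldap_url`, so the default configuration can never succeed; either drop the unused macro and make the default a URL (a constructed example would be `"ldap://localhost/"`), or leave it NULL and require `ldapserver` to be set. Identifiers beginning with an underscore and an uppercase letter are reserved for the implementation, though OpenSSH's existing `_PATH_*` macros already follow this pattern, so that is an inherited convention rather than a new fault.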
499 diff -ru openssh-3.6.1p1/sshd_config openssh-3.6.1p1-ldappubkey/sshd_config
500 --- openssh-3.6.1p1/sshd_config Fri Sep 27 05:21:58 2002
501 +++ openssh-3.6.1p1-ldappubkey/sshd_config Thu Apr 17 12:21:43 2003
504 #VerifyReverseMapping no
506 +# here is the new patched ldap related tokens
507 +# entries in your LDAP must be posixAccount & strongAuthenticationUser
509 +ldapserver ldap://localhost/ou=users,dc=cuckoos,dc=net
510 +binddn cn=Manager,dc=cuckoos,dc=net
514 # override default of no subsystems
515 Subsystem sftp /usr/libexec/sftp-server