1 diff -up openssh-6.2p1/configure.ac.ldap openssh-6.2p1/configure.ac
2 --- openssh-6.2p1/configure.ac.ldap 2013-03-20 02:55:15.000000000 +0100
3 +++ openssh-6.2p1/configure.ac 2013-03-25 21:27:15.888248071 +0100
4 @@ -1509,6 +1509,106 @@ AC_ARG_WITH([audit],
8 +# Check whether user wants LDAP support
10 +INSTALL_SSH_LDAP_HELPER=""
12 + [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in PATH)],
14 + if test "x$withval" != "xno" ; then
16 + INSTALL_SSH_LDAP_HELPER="yes"
17 + CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
19 + if test "x$withval" != "xyes" ; then
20 + CPPFLAGS="$CPPFLAGS -I${withval}/include"
21 + LDFLAGS="$LDFLAGS -L${withval}/lib"
24 + AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
27 + AC_CHECK_HEADERS(lber.h)
28 + AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
29 + AC_CHECK_HEADERS(ldap_ssl.h)
31 + AC_ARG_WITH(ldap-lib,
32 + [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
34 + if test -z "$with_ldap_lib"; then
38 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
39 + AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
40 + AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
43 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
44 + AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
47 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
48 + AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
49 + if test -z "$found_ldap_lib"; then
50 + AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
52 + if test -z "$found_ldap_lib"; then
53 + AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
55 + if test -z "$found_ldap_lib"; then
56 + AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
60 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
61 + AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
64 + if test -z "$found_ldap_lib"; then
65 + AC_MSG_ERROR(could not locate a valid LDAP library)
68 + AC_MSG_CHECKING([for working LDAP support])
70 + [#include <sys/types.h>
72 + [(void)ldap_init(0, 0);],
73 + [AC_MSG_RESULT(yes)],
76 + AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
84 + ldap_controls_free \
89 + ldap_pvt_tls_set_option \
92 + AC_CHECK_FUNCS(ldap_set_rebind_proc,
93 + AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
97 + [ldap_set_rebind_proc(0, 0, 0);],
98 + [ac_cv_ldap_set_rebind_proc=3],
99 + [ac_cv_ldap_set_rebind_proc=2])
100 + AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
101 + AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
106 +AC_SUBST(INSTALL_SSH_LDAP_HELPER)
108 dnl Checks for library functions. Please keep in alphabetical order
111 diff -up openssh-6.2p1/HOWTO.ldap-keys.ldap openssh-6.2p1/HOWTO.ldap-keys
112 --- openssh-6.2p1/HOWTO.ldap-keys.ldap 2013-03-25 21:27:15.889248078 +0100
113 +++ openssh-6.2p1/HOWTO.ldap-keys 2013-03-25 21:27:15.889248078 +0100
118 +1) configure LDAP server
119 + * Use LDAP server documentation
120 +2) add appropriate LDAP schema
121 + * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it.
124 + - attached to the 'ldapPublicKey' objectclass
125 + - attached to the 'posixAccount' objectclass
126 + - with a filled 'sshPublicKey' attribute
127 +3) insert users into LDAP
128 + * Use LDAP Tree management tool as useful
129 + * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
131 + dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
133 + objectclass: person
134 + objectclass: organizationalPerson
135 + objectclass: posixAccount
136 + objectclass: ldapPublicKey
137 + description: Jonathan Archer
138 + userPassword: Porthos
144 + homeDirectory: /home/captain
145 + sshPublicKey: ssh-rss AAAAB3.... =captain@universe
146 + sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
147 +4) on the ssh side set in sshd_config
148 + * Set up the backend
149 + AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
150 + AuthorizedKeysCommandUser <appropriate user to run LDAP>
151 + * Do not forget to set
152 + PubkeyAuthentication yes
153 + * Swith off unnecessary auth methods
154 +5) confugure ldap.conf
155 + * Default ldap.conf is placed in /etc/ssh
156 + * The configuration style is the same as other ldap based aplications
157 +6) if necessary edit ssh-ldap-wrapper
158 + * There is a possibility to change ldap.conf location
159 + * There are some debug options
161 + /usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
163 +HOW TO MIGRATE FROM LPK
165 +1) goto HOW TO START 4) .... the ldap schema is the same
167 +2) convert the group requests to the appropriate LDAP requests
169 +HOW TO SOLVE PROBLEMS
171 +1) use debug in sshd
172 + * /usr/sbin/sshd -d -d -d -d
173 +2) use debug in ssh-ldap-helper
174 + * ssh-ldap-helper -d -d -d -d -s <username>
175 +3) use tcpdump ... other ldap client etc.
179 +1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
183 +1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
184 + allows write to users dn, somebody could replace some user's public key by his own and impersonate some
185 + of your users in all your server farm -- be VERY CAREFUL.
186 +2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
187 + as the impersonated user.
188 +3) If LDAP server is down there may be no fallback on passwd auth.
193 + * Possibility to reuse the ssh-ldap-helper.
194 + * Tune the LDAP part to accept all possible LDAP configurations.
196 +2) differences from original lpk
197 + * No LDAP code in sshd.
198 + * Support for various LDAP platforms and configurations.
199 + * LDAP is configured in separate ldap.conf file.
202 + * http://pacsec.jp/core05/psj05-barisani-en.pdf
203 + * http://fritz.potsdam.edu/projects/openssh-lpk/
204 + * http://fritz.potsdam.edu/projects/sshgate/
205 + * http://dev.inversepath.com/trac/openssh-lpk
206 + * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
208 +4) contributors/ideas/greets
209 + - Eric AUGE <eau@phear.org>
210 + - Andrea Barisani <andrea@inversepath.com>
211 + - Falk Siemonsmeier.
213 + - Michael Durchgraf.
217 + - Robin H. Johnson.
221 + Jan F. Chadima <jchadima@redhat.com>
223 diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
224 --- openssh-6.2p1/ldapbody.c.ldap 2013-03-25 21:27:15.889248078 +0100
225 +++ openssh-6.2p1/ldapbody.c 2013-03-25 21:27:15.889248078 +0100
227 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
229 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
231 + * Redistribution and use in source and binary forms, with or without
232 + * modification, are permitted provided that the following conditions
234 + * 1. Redistributions of source code must retain the above copyright
235 + * notice, this list of conditions and the following disclaimer.
236 + * 2. Redistributions in binary form must reproduce the above copyright
237 + * notice, this list of conditions and the following disclaimer in the
238 + * documentation and/or other materials provided with the distribution.
240 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
241 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
242 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
243 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
244 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
245 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
246 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
247 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
248 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
249 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
252 +#include "ldapincludes.h"
254 +#include "xmalloc.h"
255 +#include "ldapconf.h"
256 +#include "ldapmisc.h"
257 +#include "ldapbody.h"
261 +#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
262 +#define PUBKEYATTR "sshPublicKey"
263 +#define LDAP_LOGFILE "%s/ldap.%d"
265 +static FILE *logfile = NULL;
268 +static char *attrs[] = {
274 +ldap_checkconfig (void)
276 +#ifdef HAVE_LDAP_INITIALIZE
277 + if (options.host == NULL && options.uri == NULL)
279 + if (options.host == NULL)
281 + fatal ("missing \"host\" in config file");
284 +#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
286 +_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
288 + struct timeval timeout;
290 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
291 + LDAPMessage *result;
292 +#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
294 + debug2 ("Doing LDAP rebind to %s", options.binddn);
295 + if (options.ssl == SSL_START_TLS) {
296 + if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
297 + error ("ldap_starttls_s: %s", ldap_err2string (rc));
298 + return LDAP_OPERATIONS_ERROR;
302 +#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
303 + return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
305 + if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
306 + fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
308 + timeout.tv_sec = options.bind_timelimit;
309 + timeout.tv_usec = 0;
311 + if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
312 + error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
313 + ldap_msgfree (result);
314 + return LDAP_OPERATIONS_ERROR;
316 + debug3 ("LDAP rebind to %s succesfull", options.binddn);
323 +_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
326 + return LDAP_SUCCESS;
328 + *whop = strdup (options.binddn);
329 + *credp = strdup (options.bindpw);
330 + *methodp = LDAP_AUTH_SIMPLE;
331 + debug2 ("Doing LDAP rebind for %s", *whop);
332 + return LDAP_SUCCESS;
337 +ldap_do_connect(void)
339 + int rc, msgid, ld_errno = 0;
340 + struct timeval timeout;
341 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
343 + LDAPMessage *result;
344 + LDAPControl **controls;
346 +#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
348 + debug ("LDAP do connect");
352 + debug3 ("Reconnecting with ld_errno %d", ld_errno);
353 + if (options.bind_policy == 0 ||
354 + (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
356 + fatal ("Cannot connect to LDAP server");
359 + sleep (reconnect - 1);
365 + logit("reconnecting to LDAP server...");
372 +#ifdef HAVE_LDAP_SET_OPTION
373 + if (options.debug > 0) {
374 +#ifdef LBER_OPT_LOG_PRINT_FILE
375 + if (options.logdir) {
377 + int logfilenamelen;
379 + logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
380 + logfilename = xmalloc (logfilenamelen);
381 + snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
382 + logfilename[logfilenamelen - 1] = 0;
383 + if ((logfile = fopen (logfilename, "a")) == NULL)
384 + fatal ("cannot append to %s: %s", logfilename, strerror (errno));
385 + debug3 ("LDAP debug into %s", logfilename);
386 + free (logfilename);
387 + ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
390 + if (options.debug) {
391 +#ifdef LBER_OPT_DEBUG_LEVEL
392 + ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
393 +#endif /* LBER_OPT_DEBUG_LEVEL */
394 +#ifdef LDAP_OPT_DEBUG_LEVEL
395 + (void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
396 +#endif /* LDAP_OPT_DEBUG_LEVEL */
397 + debug3 ("Set LDAP debug to %d", options.debug);
400 +#endif /* HAVE_LDAP_SET_OPTION */
403 +#ifdef HAVE_LDAPSSL_INIT
404 + if (options.host != NULL) {
405 + if (options.ssl_on == SSL_LDAPS) {
406 + if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
407 + fatal ("ldapssl_client_init %s", ldap_err2string (rc));
408 + debug3 ("LDAPssl client init");
411 + if (options.ssl_on != SSL_OFF) {
412 + if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
413 + fatal ("ldapssl_init failed");
414 + debug3 ("LDAPssl init");
417 +#endif /* HAVE_LDAPSSL_INIT */
419 + /* continue with opening */
421 +#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
422 + /* Some global TLS-specific options need to be set before we create our
423 + * session context, so we set them here. */
425 +#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
427 + if (options.tls_randfile != NULL) {
428 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
429 + options.tls_randfile)) != LDAP_SUCCESS)
430 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
431 + ldap_err2string (rc));
432 + debug3 ("Set TLS random file %s", options.tls_randfile);
434 +#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
437 + if (options.tls_cacertfile != NULL) {
438 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
439 + options.tls_cacertfile)) != LDAP_SUCCESS)
440 + error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
441 + ldap_err2string (rc));
442 + debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
445 + /* ca cert directory */
446 + if (options.tls_cacertdir != NULL) {
447 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
448 + options.tls_cacertdir)) != LDAP_SUCCESS)
449 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
450 + ldap_err2string (rc));
451 + debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
454 + /* require cert? */
455 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
456 + &options.tls_checkpeer)) != LDAP_SUCCESS)
457 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
458 + ldap_err2string (rc));
459 + debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
461 + /* set cipher suite, certificate and private key: */
462 + if (options.tls_ciphers != NULL) {
463 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
464 + options.tls_ciphers)) != LDAP_SUCCESS)
465 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
466 + ldap_err2string (rc));
467 + debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
471 + if (options.tls_cert != NULL) {
472 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
473 + options.tls_cert)) != LDAP_SUCCESS)
474 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
475 + ldap_err2string (rc));
476 + debug3 ("Set TLS cert file %s ", options.tls_cert);
480 + if (options.tls_key != NULL) {
481 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
482 + options.tls_key)) != LDAP_SUCCESS)
483 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
484 + ldap_err2string (rc));
485 + debug3 ("Set TLS key file %s ", options.tls_key);
488 +#ifdef HAVE_LDAP_INITIALIZE
489 + if (options.uri != NULL) {
490 + if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
491 + fatal ("ldap_initialize %s", ldap_err2string (rc));
492 + debug3 ("LDAP initialize %s", options.uri);
495 +#endif /* HAVE_LDAP_INTITIALIZE */
497 + /* continue with opening */
498 + if ((ld == NULL) && (options.host != NULL)) {
499 +#ifdef HAVE_LDAP_INIT
500 + if ((ld = ldap_init (options.host, options.port)) == NULL)
501 + fatal ("ldap_init failed");
502 + debug3 ("LDAP init %s:%d", options.host, options.port);
504 + if ((ld = ldap_open (options.host, options.port)) == NULL)
505 + fatal ("ldap_open failed");
506 + debug3 ("LDAP open %s:%d", options.host, options.port);
507 +#endif /* HAVE_LDAP_INIT */
511 + fatal ("no way to open ldap");
513 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
514 + if (options.ssl == SSL_LDAPS) {
515 + if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
516 + fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
517 + debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
519 +#endif /* LDAP_OPT_X_TLS */
521 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
522 + (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
523 + &options.ldap_version);
525 + ld->ld_version = options.ldap_version;
527 + debug3 ("LDAP set version to %d", options.ldap_version);
529 +#if LDAP_SET_REBIND_PROC_ARGS == 3
530 + ldap_set_rebind_proc (ld, _rebind_proc, NULL);
531 +#elif LDAP_SET_REBIND_PROC_ARGS == 2
532 + ldap_set_rebind_proc (ld, _rebind_proc);
534 +#warning unknown LDAP_SET_REBIND_PROC_ARGS
536 + debug3 ("LDAP set rebind proc");
538 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
539 + (void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
541 + ld->ld_deref = options.deref;
543 + debug3 ("LDAP set deref to %d", options.deref);
545 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
546 + (void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
547 + &options.timelimit);
549 + ld->ld_timelimit = options.timelimit;
551 + debug3 ("LDAP set timelimit to %d", options.timelimit);
553 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
555 + * This is a new option in the Netscape SDK which sets
556 + * the TCP connect timeout. For want of a better value,
557 + * we use the bind_timelimit to control this.
559 + timeout = options.bind_timelimit * 1000;
560 + (void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
561 + debug3 ("LDAP set opt connect timeout to %d", timeout);
564 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
565 + tv.tv_sec = options.bind_timelimit;
567 + (void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
568 + debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
571 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
572 + (void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
573 + options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
574 + debug3 ("LDAP set referrals to %d", options.referrals);
577 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
578 + (void) ldap_set_option (ld, LDAP_OPT_RESTART,
579 + options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
580 + debug3 ("LDAP set restart to %d", options.restart);
583 +#ifdef HAVE_LDAP_START_TLS_S
584 + if (options.ssl == SSL_START_TLS) {
587 + if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
589 + if (version < LDAP_VERSION3) {
590 + version = LDAP_VERSION3;
591 + (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
593 + debug3 ("LDAP set version to %d", version);
597 + if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
598 + fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
599 + debug3 ("LDAP start TLS");
601 +#endif /* HAVE_LDAP_START_TLS_S */
604 + if ((msgid = ldap_simple_bind (ld, options.binddn,
605 + options.bindpw)) == -1) {
606 + ld_errno = ldap_get_lderrno (ld, 0, 0);
608 + error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
612 + debug3 ("LDAP simple bind (%s)", options.binddn);
614 + timeout.tv_sec = options.bind_timelimit;
615 + timeout.tv_usec = 0;
616 + if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
617 + ld_errno = ldap_get_lderrno (ld, 0, 0);
619 + error ("ldap_result %s", ldap_err2string (ld_errno));
623 + debug3 ("LDAP result in time");
625 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
627 + if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
628 + fatal ("ldap_parse_result %s", ldap_err2string (parserc));
629 + debug3 ("LDAP parse result OK");
631 + if (controls != NULL) {
632 + ldap_controls_free (controls);
635 + rc = ldap_result2error (session->ld, result, TRUE);
637 + if (rc != LDAP_SUCCESS)
638 + fatal ("error trying to bind as user \"%s\" (%s)",
639 + options.binddn, ldap_err2string (rc));
641 + debug2 ("LDAP do connect OK");
645 +process_user (const char *user, FILE *output)
647 + LDAPMessage *res, *e;
649 + int bufflen, rc, i;
650 + struct timeval timeout;
652 + debug ("LDAP process user");
654 + /* quick check for attempts to be evil */
655 + if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
656 + (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
657 + logit ("illegal user name %s not processed", user);
661 + /* build filter for LDAP request */
662 + bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user);
663 + if (options.ssh_filter != NULL)
664 + bufflen += strlen (options.ssh_filter);
665 + buffer = xmalloc (bufflen);
666 + snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
667 + buffer[bufflen - 1] = 0;
669 + debug3 ("LDAP search scope = %d %s", options.scope, buffer);
671 + timeout.tv_sec = options.timelimit;
672 + timeout.tv_usec = 0;
673 + if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
674 + error ("ldap_search_st(): %s", ldap_err2string (rc));
682 + for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
684 + struct berval **keys;
686 + keys = ldap_get_values_len(ld, e, PUBKEYATTR);
687 + num = ldap_count_values_len(keys);
688 + for (i = 0 ; i < num ; i++) {
689 + char *cp; //, *options = NULL;
691 + for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
692 + if (!*cp || *cp == '\n' || *cp == '#')
695 + /* We have found the desired key. */
696 + fprintf (output, "%s\n", keys[i]->bv_val);
699 + ldap_value_free_len(keys);
703 + debug2 ("LDAP process user finished");
711 + debug ("LDAP do close");
712 + if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
713 + fatal ("ldap_unbind_ext: %s",
714 + ldap_err2string (rc));
717 + debug2 ("LDAP do close OK");
721 diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
722 --- openssh-6.2p1/ldapbody.h.ldap 2013-03-25 21:27:15.889248078 +0100
723 +++ openssh-6.2p1/ldapbody.h 2013-03-25 21:27:15.889248078 +0100
725 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
727 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
729 + * Redistribution and use in source and binary forms, with or without
730 + * modification, are permitted provided that the following conditions
732 + * 1. Redistributions of source code must retain the above copyright
733 + * notice, this list of conditions and the following disclaimer.
734 + * 2. Redistributions in binary form must reproduce the above copyright
735 + * notice, this list of conditions and the following disclaimer in the
736 + * documentation and/or other materials provided with the distribution.
738 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
739 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
740 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
741 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
742 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
743 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
744 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
745 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
746 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
747 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
755 +void ldap_checkconfig(void);
756 +void ldap_do_connect(void);
757 +void process_user(const char *, FILE *);
758 +void ldap_do_close(void);
760 +#endif /* LDAPBODY_H */
762 diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
763 --- openssh-6.2p2/ldapconf.c.ldap 2013-06-07 15:10:05.601942693 +0200
764 +++ openssh-6.2p2/ldapconf.c 2013-06-07 15:10:24.928857566 +0200
766 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
768 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
770 + * Redistribution and use in source and binary forms, with or without
771 + * modification, are permitted provided that the following conditions
773 + * 1. Redistributions of source code must retain the above copyright
774 + * notice, this list of conditions and the following disclaimer.
775 + * 2. Redistributions in binary form must reproduce the above copyright
776 + * notice, this list of conditions and the following disclaimer in the
777 + * documentation and/or other materials provided with the distribution.
779 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
780 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
781 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
782 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
783 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
784 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
785 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
786 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
787 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
788 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
791 +#include "ldapincludes.h"
792 +#include "ldap-helper.h"
795 +#include "xmalloc.h"
796 +#include "ldapconf.h"
800 +/* Keyword tokens. */
804 + lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
805 + lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
806 + lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
807 + lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
808 + lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
809 + lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
810 + lAccountClass, lDeprecated, lUnsupported
813 +/* Textual representations of the tokens. */
821 + { "BindDN", lBindDN },
822 + { "BindPW", lBindPW },
823 + { "RootBindDN", lRootBindDN },
826 + { "Scope", lScope },
827 + { "Deref", lDeref },
828 + { "TimeLimit", lTimeLimit },
829 + { "TimeOut", lTimeLimit },
830 + { "Bind_Timelimit", lBind_TimeLimit },
831 + { "Network_TimeOut", lBind_TimeLimit },
836 + { "Ldap_Version", lLdap_Version },
837 + { "Version", lLdap_Version },
838 + { "Bind_Policy", lBind_Policy },
839 + { "SSLPath", lSSLPath },
841 + { "Referrals", lReferrals },
842 + { "Restart", lRestart },
843 + { "TLS_CheckPeer", lTLS_CheckPeer },
844 + { "TLS_ReqCert", lTLS_CheckPeer },
845 + { "TLS_CaCertFile", lTLS_CaCertFile },
846 + { "TLS_CaCert", lTLS_CaCertFile },
847 + { "TLS_CaCertDir", lTLS_CaCertDir },
848 + { "TLS_Ciphers", lTLS_Ciphers },
849 + { "TLS_Cipher_Suite", lTLS_Ciphers },
850 + { "TLS_Cert", lTLS_Cert },
851 + { "TLS_Certificate", lTLS_Cert },
852 + { "TLS_Key", lTLS_Key },
853 + { "TLS_RandFile", lTLS_RandFile },
859 + { "LogDir", lLogDir },
860 + { "Debug", lDebug },
861 + { "SSH_Filter", lSSH_Filter },
862 + { "AccountClass", lAccountClass },
863 + { NULL, lBadOption }
866 +/* Configuration ptions. */
871 + * Returns the number of the token pointed to by cp or oBadOption.
875 +parse_token(const char *cp, const char *filename, int linenum)
879 + for (i = 0; keywords[i].name; i++)
880 + if (strcasecmp(cp, keywords[i].name) == 0)
881 + return keywords[i].opcode;
883 + if (config_warning_config_file)
884 + logit("%s: line %d: Bad configuration option: %s",
885 + filename, linenum, cp);
890 + * Processes a single option line as used in the configuration files. This
891 + * only sets those values that have not already been set.
893 +#define WHITESPACE " \t\r\n"
896 +process_config_line(char *line, const char *filename, int linenum)
898 + char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
899 + char *rootbinddn = NULL;
900 + int opcode, *intptr, value;
903 + /* Strip trailing whitespace */
904 + for (len = strlen(line) - 1; len > 0; len--) {
905 + if (strchr(WHITESPACE, line[len]) == NULL)
911 + /* Get the keyword. (Each line is supposed to begin with a keyword). */
912 + if ((keyword = strdelim(&s)) == NULL)
914 + /* Ignore leading whitespace. */
915 + if (*keyword == '\0')
916 + keyword = strdelim(&s);
917 + if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
920 + opcode = parse_token(keyword, filename, linenum);
924 + /* don't panic, but count bad options */
929 + xstringptr = &options.host;
931 + if (!s || *s == '\0')
932 + fatal("%s line %d: missing dn",filename,linenum);
933 + if (*xstringptr == NULL)
934 + *xstringptr = xstrdup(s);
938 + xstringptr = &options.uri;
939 + goto parse_xstring;
942 + xstringptr = &options.base;
943 + goto parse_xstring;
946 + xstringptr = &options.binddn;
947 + goto parse_xstring;
950 + charptr = &options.bindpw;
952 + arg = strdelim(&s);
953 + if (!arg || *arg == '\0')
954 + fatal("%.200s line %d: Missing argument.", filename, linenum);
955 + if (*charptr == NULL)
956 + *charptr = xstrdup(arg);
960 + xstringptr = &rootbinddn;
961 + goto parse_xstring;
964 + intptr = &options.scope;
965 + arg = strdelim(&s);
966 + if (!arg || *arg == '\0')
967 + fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
968 + value = 0; /* To avoid compiler warning... */
969 + if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
970 + value = LDAP_SCOPE_SUBTREE;
971 + else if (strcasecmp (arg, "one") == 0)
972 + value = LDAP_SCOPE_ONELEVEL;
973 + else if (strcasecmp (arg, "base") == 0)
974 + value = LDAP_SCOPE_BASE;
976 + fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
982 + intptr = &options.scope;
983 + arg = strdelim(&s);
984 + if (!arg || *arg == '\0')
985 + fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
986 + value = 0; /* To avoid compiler warning... */
987 + if (!strcasecmp (arg, "never"))
988 + value = LDAP_DEREF_NEVER;
989 + else if (!strcasecmp (arg, "searching"))
990 + value = LDAP_DEREF_SEARCHING;
991 + else if (!strcasecmp (arg, "finding"))
992 + value = LDAP_DEREF_FINDING;
993 + else if (!strcasecmp (arg, "always"))
994 + value = LDAP_DEREF_ALWAYS;
996 + fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
1002 + intptr = &options.port;
1004 + arg = strdelim(&s);
1005 + if (!arg || *arg == '\0')
1006 + fatal("%.200s line %d: Missing argument.", filename, linenum);
1007 + if (arg[0] < '0' || arg[0] > '9')
1008 + fatal("%.200s line %d: Bad number.", filename, linenum);
1010 + /* Octal, decimal, or hex format? */
1011 + value = strtol(arg, &endofnumber, 0);
1012 + if (arg == endofnumber)
1013 + fatal("%.200s line %d: Bad number.", filename, linenum);
1014 + if (*intptr == -1)
1019 + intptr = &options.timelimit;
1021 + arg = strdelim(&s);
1022 + if (!arg || *arg == '\0')
1023 + fatal("%s line %d: missing time value.",
1024 + filename, linenum);
1025 + if ((value = convtime(arg)) == -1)
1026 + fatal("%s line %d: invalid time value.",
1027 + filename, linenum);
1028 + if (*intptr == -1)
1032 + case lBind_TimeLimit:
1033 + intptr = &options.bind_timelimit;
1036 + case lLdap_Version:
1037 + intptr = &options.ldap_version;
1040 + case lBind_Policy:
1041 + intptr = &options.bind_policy;
1042 + arg = strdelim(&s);
1043 + if (!arg || *arg == '\0')
1044 + fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
1045 + value = 0; /* To avoid compiler warning... */
1046 + if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
1048 + else if (strcasecmp(arg, "soft") == 0)
1051 + fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
1052 + if (*intptr == -1)
1056 + charptr = &options.sslpath;
1057 + goto parse_string;
1060 + intptr = &options.ssl;
1061 + arg = strdelim(&s);
1062 + if (!arg || *arg == '\0')
1063 + fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
1064 + value = 0; /* To avoid compiler warning... */
1065 + if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
1066 + value = SSL_LDAPS;
1067 + else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
1069 + else if (!strcasecmp (arg, "start_tls"))
1070 + value = SSL_START_TLS;
1072 + fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
1073 + if (*intptr == -1)
1078 + intptr = &options.referrals;
1080 + arg = strdelim(&s);
1081 + if (!arg || *arg == '\0')
1082 + fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
1083 + value = 0; /* To avoid compiler warning... */
1084 + if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
1086 + else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
1089 + fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
1090 + if (*intptr == -1)
1095 + intptr = &options.restart;
1098 + case lTLS_CheckPeer:
1099 + intptr = &options.tls_checkpeer;
1100 + arg = strdelim(&s);
1101 + if (!arg || *arg == '\0')
1102 + fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
1103 + value = 0; /* To avoid compiler warning... */
1104 + if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
1105 + value = LDAP_OPT_X_TLS_NEVER;
1106 + else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
1107 + value = LDAP_OPT_X_TLS_HARD;
1108 + else if (strcasecmp(arg, "demand") == 0)
1109 + value = LDAP_OPT_X_TLS_DEMAND;
1110 + else if (strcasecmp(arg, "allow") == 0)
1111 + value = LDAP_OPT_X_TLS_ALLOW;
1112 + else if (strcasecmp(arg, "try") == 0)
1113 + value = LDAP_OPT_X_TLS_TRY;
1115 + fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
1116 + if (*intptr == -1)
1119 + case lTLS_CaCertFile:
1120 + charptr = &options.tls_cacertfile;
1121 + goto parse_string;
1123 + case lTLS_CaCertDir:
1124 + charptr = &options.tls_cacertdir;
1125 + goto parse_string;
1127 + case lTLS_Ciphers:
1128 + xstringptr = &options.tls_ciphers;
1129 + goto parse_xstring;
1132 + charptr = &options.tls_cert;
1133 + goto parse_string;
1136 + charptr = &options.tls_key;
1137 + goto parse_string;
1139 + case lTLS_RandFile:
1140 + charptr = &options.tls_randfile;
1141 + goto parse_string;
1144 + charptr = &options.logdir;
1145 + goto parse_string;
1148 + intptr = &options.debug;
1152 + xstringptr = &options.ssh_filter;
1153 + goto parse_xstring;
1155 + case lAccountClass:
1156 + charptr = &options.account_class;
1157 + goto parse_string;
1160 + debug("%s line %d: Deprecated option \"%s\"",
1161 + filename, linenum, keyword);
1164 + case lUnsupported:
1165 + error("%s line %d: Unsupported option \"%s\"",
1166 + filename, linenum, keyword);
1170 + fatal("process_config_line: Unimplemented opcode %d", opcode);
1173 + /* Check that there is no garbage at end of line. */
1174 + if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1175 + fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1176 + filename, linenum, arg);
1182 + * Reads the config file and modifies the options accordingly. Options
1183 + * should already be initialized before this call. This never returns if
1184 + * there is an error. If the file does not exist, this returns 0.
1188 +read_config_file(const char *filename)
1192 + int active, linenum;
1193 + int bad_options = 0;
1196 + if ((f = fopen(filename, "r")) == NULL)
1197 + fatal("fopen %s: %s", filename, strerror(errno));
1199 + if (fstat(fileno(f), &sb) == -1)
1200 + fatal("fstat %s: %s", filename, strerror(errno));
1201 + if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1202 + (sb.st_mode & 022) != 0))
1203 + fatal("Bad owner or permissions on %s", filename);
1205 + debug("Reading configuration data %.200s", filename);
1208 + * Mark that we are now processing the options. This flag is turned
1209 + * on/off by Host specifications.
1213 + while (fgets(line, sizeof(line), f)) {
1214 + /* Update line number counter. */
1216 + if (process_config_line(line, filename, linenum) != 0)
1220 + if ((bad_options > 0) && config_exclusive_config_file)
1221 + fatal("%s: terminating, %d bad configuration options",
1222 + filename, bad_options);
1226 + * Initializes options to special values that indicate that they have not yet
1227 + * been set. Read_config_file will only set options with this value. Options
1228 + * are processed in the following order: command line, user config file,
1229 + * system config file. Last, fill_default_options is called.
1233 +initialize_options(void)
1235 + memset(&options, 'X', sizeof(options));
1236 + options.host = NULL;
1237 + options.uri = NULL;
1238 + options.base = NULL;
1239 + options.binddn = NULL;
1240 + options.bindpw = NULL;
1241 + options.scope = -1;
1242 + options.deref = -1;
1243 + options.port = -1;
1244 + options.timelimit = -1;
1245 + options.bind_timelimit = -1;
1246 + options.ldap_version = -1;
1247 + options.bind_policy = -1;
1248 + options.sslpath = NULL;
1250 + options.referrals = -1;
1251 + options.restart = -1;
1252 + options.tls_checkpeer = -1;
1253 + options.tls_cacertfile = NULL;
1254 + options.tls_cacertdir = NULL;
1255 + options.tls_ciphers = NULL;
1256 + options.tls_cert = NULL;
1257 + options.tls_key = NULL;
1258 + options.tls_randfile = NULL;
1259 + options.logdir = NULL;
1260 + options.debug = -1;
1261 + options.ssh_filter = NULL;
1262 + options.account_class = NULL;
1266 + * Called after processing other sources of option data, this fills those
1267 + * options for which no value has been specified with their default values.
1271 +fill_default_options(void)
1273 + if (options.uri != NULL) {
1274 + LDAPURLDesc *ludp;
1276 + if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
1277 + if (options.ssl == -1) {
1278 + if (strcmp (ludp->lud_scheme, "ldap") == 0)
1280 + if (strcmp (ludp->lud_scheme, "ldapi") == 0)
1282 + else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
1285 + if (options.host == NULL)
1286 + options.host = xstrdup (ludp->lud_host);
1287 + if (options.port == -1)
1288 + options.port = ludp->lud_port;
1290 + ldap_free_urldesc (ludp);
1293 + if (options.ssl == -1)
1294 + options.ssl = SSL_START_TLS;
1295 + if (options.port == -1)
1296 + options.port = (options.ssl == 0) ? 389 : 636;
1297 + if (options.uri == NULL) {
1299 +#define MAXURILEN 4096
1301 + options.uri = xmalloc (MAXURILEN);
1302 + len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
1303 + (options.ssl == 0) ? "" : "s", options.host, options.port);
1304 + options.uri[MAXURILEN - 1] = 0;
1305 + options.uri = xreallocarray (options.uri, len + 1, 1);
1307 + if (options.binddn == NULL)
1308 + options.binddn = "";
1309 + if (options.bindpw == NULL)
1310 + options.bindpw = "";
1311 + if (options.scope == -1)
1312 + options.scope = LDAP_SCOPE_SUBTREE;
1313 + if (options.deref == -1)
1314 + options.deref = LDAP_DEREF_NEVER;
1315 + if (options.timelimit == -1)
1316 + options.timelimit = 10;
1317 + if (options.bind_timelimit == -1)
1318 + options.bind_timelimit = 10;
1319 + if (options.ldap_version == -1)
1320 + options.ldap_version = 3;
1321 + if (options.bind_policy == -1)
1322 + options.bind_policy = 1;
1323 + if (options.referrals == -1)
1324 + options.referrals = 1;
1325 + if (options.restart == -1)
1326 + options.restart = 1;
1327 + if (options.tls_checkpeer == -1)
1328 + options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
1329 + if (options.debug == -1)
1330 + options.debug = 0;
1331 + if (options.ssh_filter == NULL)
1332 + options.ssh_filter = "";
1333 + if (options.account_class == NULL)
1334 + options.account_class = "posixAccount";
1337 +static const char *
1338 +lookup_opcode_name(OpCodes code)
1342 + for (i = 0; keywords[i].name != NULL; i++)
1343 + if (keywords[i].opcode == code)
1344 + return(keywords[i].name);
1349 +dump_cfg_string(OpCodes code, const char *val)
1352 + debug3("%s <UNDEFINED>", lookup_opcode_name(code));
1354 + debug3("%s %s", lookup_opcode_name(code), val);
1358 +dump_cfg_int(OpCodes code, int val)
1361 + debug3("%s <UNDEFINED>", lookup_opcode_name(code));
1363 + debug3("%s %d", lookup_opcode_name(code), val);
1372 +dump_cfg_namedint(OpCodes code, int val, struct names *names)
1377 + debug3("%s <UNDEFINED>", lookup_opcode_name(code));
1379 + for (i = 0; names[i].value != -1; i++)
1380 + if (names[i].value == val) {
1381 + debug3("%s %s", lookup_opcode_name(code), names[i].name);
1384 + debug3("%s unknown: %d", lookup_opcode_name(code), val);
1388 +static struct names _yesnotls[] = {
1391 + { 2, "Start_TLS" },
1394 +static struct names _scope[] = {
1395 + { LDAP_SCOPE_BASE, "Base" },
1396 + { LDAP_SCOPE_ONELEVEL, "One" },
1397 + { LDAP_SCOPE_SUBTREE, "Sub"},
1400 +static struct names _deref[] = {
1401 + { LDAP_DEREF_NEVER, "Never" },
1402 + { LDAP_DEREF_SEARCHING, "Searching" },
1403 + { LDAP_DEREF_FINDING, "Finding" },
1404 + { LDAP_DEREF_ALWAYS, "Always" },
1407 +static struct names _yesno[] = {
1412 +static struct names _bindpolicy[] = {
1417 +static struct names _checkpeer[] = {
1418 + { LDAP_OPT_X_TLS_NEVER, "Never" },
1419 + { LDAP_OPT_X_TLS_HARD, "Hard" },
1420 + { LDAP_OPT_X_TLS_DEMAND, "Demand" },
1421 + { LDAP_OPT_X_TLS_ALLOW, "Allow" },
1422 + { LDAP_OPT_X_TLS_TRY, "TRY" },
1428 + dump_cfg_string(lURI, options.uri);
1429 + dump_cfg_string(lHost, options.host);
1430 + dump_cfg_int(lPort, options.port);
1431 + dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
1432 + dump_cfg_int(lLdap_Version, options.ldap_version);
1433 + dump_cfg_int(lTimeLimit, options.timelimit);
1434 + dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
1435 + dump_cfg_string(lBase, options.base);
1436 + dump_cfg_string(lBindDN, options.binddn);
1437 + dump_cfg_string(lBindPW, options.bindpw);
1438 + dump_cfg_namedint(lScope, options.scope, _scope);
1439 + dump_cfg_namedint(lDeref, options.deref, _deref);
1440 + dump_cfg_namedint(lReferrals, options.referrals, _yesno);
1441 + dump_cfg_namedint(lRestart, options.restart, _yesno);
1442 + dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
1443 + dump_cfg_string(lSSLPath, options.sslpath);
1444 + dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
1445 + dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
1446 + dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
1447 + dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
1448 + dump_cfg_string(lTLS_Cert, options.tls_cert);
1449 + dump_cfg_string(lTLS_Key, options.tls_key);
1450 + dump_cfg_string(lTLS_RandFile, options.tls_randfile);
1451 + dump_cfg_string(lLogDir, options.logdir);
1452 + dump_cfg_int(lDebug, options.debug);
1453 + dump_cfg_string(lSSH_Filter, options.ssh_filter);
1454 + dump_cfg_string(lAccountClass, options.logdir);
1457 diff -up openssh-6.2p2/ldapconf.h.ldap openssh-6.2p2/ldapconf.h
1458 --- openssh-6.2p2/ldapconf.h.ldap 2013-06-07 15:10:05.602942689 +0200
1459 +++ openssh-6.2p2/ldapconf.h 2013-06-07 15:10:24.928857566 +0200
1461 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1463 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1465 + * Redistribution and use in source and binary forms, with or without
1466 + * modification, are permitted provided that the following conditions
1468 + * 1. Redistributions of source code must retain the above copyright
1469 + * notice, this list of conditions and the following disclaimer.
1470 + * 2. Redistributions in binary form must reproduce the above copyright
1471 + * notice, this list of conditions and the following disclaimer in the
1472 + * documentation and/or other materials provided with the distribution.
1474 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1475 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1476 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1477 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1478 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1479 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1480 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1481 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1482 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1483 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1490 +#define SSL_LDAPS 1
1491 +#define SSL_START_TLS 2
1493 +/* Data structure for representing option data. */
1505 + int bind_timelimit;
1512 + int tls_checkpeer;
1513 + char *tls_cacertfile;
1514 + char *tls_cacertdir;
1515 + char *tls_ciphers;
1518 + char *tls_randfile;
1522 + char *account_class;
1525 +extern Options options;
1527 +void read_config_file(const char *);
1528 +void initialize_options(void);
1529 +void fill_default_options(void);
1530 +void dump_config(void);
1532 +#endif /* LDAPCONF_H */
1533 diff -up openssh-6.2p1/ldap.conf.ldap openssh-6.2p1/ldap.conf
1534 --- openssh-6.2p1/ldap.conf.ldap 2013-03-25 21:27:15.891248091 +0100
1535 +++ openssh-6.2p1/ldap.conf 2013-03-25 21:27:15.891248091 +0100
1537 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
1539 +# This is the example configuration file for the OpenSSH
1542 +# see ssh-ldap.conf(5)
1545 +# URI with your LDAP server name. This allows to use
1546 +# Unix Domain Sockets to connect to a local LDAP Server.
1547 +#uri ldap://127.0.0.1/
1548 +#uri ldaps://127.0.0.1/
1549 +#uri ldapi://%2fvar%2frun%2fldapi_sock/
1550 +# Note: %2f encodes the '/' used as directory separator
1552 +# Another way to specify your LDAP server is to provide an
1553 +# host name and the port of our LDAP server. Host name
1554 +# must be resolvable without using LDAP.
1555 +# Multiple hosts may be specified, each separated by a
1556 +# space. How long nss_ldap takes to failover depends on
1557 +# whether your LDAP client library supports configurable
1558 +# network or connect timeouts (see bind_timelimit).
1562 +# Optional: default is 389.
1565 +# The distinguished name to bind to the server with.
1566 +# Optional: default is to bind anonymously.
1567 +#binddn cn=openssh_keys,dc=example,dc=org
1569 +# The credentials to bind with.
1570 +# Optional: default is no credential.
1573 +# The distinguished name of the search base.
1574 +#base dc=example,dc=org
1576 +# The LDAP version to use (defaults to 3
1577 +# if supported by client library)
1580 +# The search scope.
1588 +# Bind/connect timelimit
1591 +# Reconnect policy: hard (default) will retry connecting to
1592 +# the software with exponential backoff, soft will fail
1596 +# SSL setup, may be implied by URI also.
1601 +# OpenLDAP SSL options
1602 +# Require and verify server certificate (yes/no)
1603 +# Default is to use libldap's default behavior, which can be configured in
1604 +# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
1605 +# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
1606 +#tls_checkpeer hard
1608 +# CA certificates for server certificate verification
1609 +# At least one of these are required if tls_checkpeer is "yes"
1610 +#tls_cacertfile /etc/ssl/ca.cert
1611 +#tls_cacertdir /etc/pki/tls/certs
1613 +# Seed the PRNG if /dev/urandom is not provided
1614 +#tls_randfile /var/run/egd-pool
1617 +# See man ciphers for syntax
1620 +# Client certificate and key
1621 +# Use these, if your server requires client authentication.
1625 diff -up openssh-6.2p1/ldap-helper.c.ldap openssh-6.2p1/ldap-helper.c
1626 --- openssh-6.2p1/ldap-helper.c.ldap 2013-03-25 21:27:15.892248097 +0100
1627 +++ openssh-6.2p1/ldap-helper.c 2013-03-25 21:27:15.892248097 +0100
1629 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1631 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1633 + * Redistribution and use in source and binary forms, with or without
1634 + * modification, are permitted provided that the following conditions
1636 + * 1. Redistributions of source code must retain the above copyright
1637 + * notice, this list of conditions and the following disclaimer.
1638 + * 2. Redistributions in binary form must reproduce the above copyright
1639 + * notice, this list of conditions and the following disclaimer in the
1640 + * documentation and/or other materials provided with the distribution.
1642 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1643 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1644 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1645 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1646 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1647 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1648 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1649 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1650 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1651 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1654 +#include "ldapincludes.h"
1657 +#include "xmalloc.h"
1658 +#include "ldapconf.h"
1659 +#include "ldapbody.h"
1660 +#include <string.h>
1661 +#include <unistd.h>
1663 +static int config_debug = 0;
1664 +int config_exclusive_config_file = 0;
1665 +static char *config_file_name = "/etc/ssh/ldap.conf";
1666 +static char *config_single_user = NULL;
1667 +static int config_verbose = SYSLOG_LEVEL_VERBOSE;
1668 +int config_warning_config_file = 0;
1669 +extern char *__progname;
1674 + fprintf(stderr, "usage: %s [options]\n",
1676 + fprintf(stderr, "Options:\n");
1677 + fprintf(stderr, " -d Output the log messages to stderr.\n");
1678 + fprintf(stderr, " -e Check the config file for unknown commands.\n");
1679 + fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n");
1680 + fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n");
1681 + fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n");
1682 + fprintf(stderr, " -w Warn on unknown commands in the config file.\n");
1687 + * Main program for the ssh pka ldap agent.
1691 +main(int ac, char **av)
1694 + FILE *outfile = NULL;
1696 + __progname = ssh_get_progname(av[0]);
1698 + log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
1701 + * Initialize option structure to indicate that no values have been
1704 + initialize_options();
1706 + /* Parse command-line arguments. */
1707 + while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
1714 + config_exclusive_config_file = 1;
1715 + config_warning_config_file = 1;
1719 + config_file_name = optarg;
1723 + config_single_user = optarg;
1724 + outfile = fdopen (dup (fileno (stdout)), "w");
1729 + if (config_verbose < SYSLOG_LEVEL_DEBUG3)
1734 + config_warning_config_file = 1;
1744 + /* Initialize loging */
1745 + log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
1748 + fatal ("illegal extra parameter %s", av[1]);
1750 + /* Ensure that fds 0 and 2 are open or directed to /dev/null */
1751 + if (config_debug == 0)
1754 + /* Read config file */
1755 + read_config_file(config_file_name);
1756 + fill_default_options();
1757 + if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
1758 + debug3 ("=== Configuration ===");
1760 + debug3 ("=== *** ===");
1763 + ldap_checkconfig();
1764 + ldap_do_connect();
1766 + if (config_single_user) {
1767 + process_user (config_single_user, outfile);
1770 + fatal ("Not yet implemented");
1772 + * open unix socket a run the loop on it
1781 +void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
1782 +void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
1784 diff -up openssh-6.2p1/ldap-helper.h.ldap openssh-6.2p1/ldap-helper.h
1785 --- openssh-6.2p1/ldap-helper.h.ldap 2013-03-25 21:27:15.892248097 +0100
1786 +++ openssh-6.2p1/ldap-helper.h 2013-03-25 21:27:15.892248097 +0100
1788 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1790 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1792 + * Redistribution and use in source and binary forms, with or without
1793 + * modification, are permitted provided that the following conditions
1795 + * 1. Redistributions of source code must retain the above copyright
1796 + * notice, this list of conditions and the following disclaimer.
1797 + * 2. Redistributions in binary form must reproduce the above copyright
1798 + * notice, this list of conditions and the following disclaimer in the
1799 + * documentation and/or other materials provided with the distribution.
1801 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1802 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1803 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1804 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1805 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1806 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1807 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1808 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1809 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1810 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1813 +#ifndef LDAP_HELPER_H
1814 +#define LDAP_HELPER_H
1816 +extern int config_exclusive_config_file;
1817 +extern int config_warning_config_file;
1819 +#endif /* LDAP_HELPER_H */
1820 diff -up openssh-6.2p1/ldapincludes.h.ldap openssh-6.2p1/ldapincludes.h
1821 --- openssh-6.2p1/ldapincludes.h.ldap 2013-03-25 21:27:15.892248097 +0100
1822 +++ openssh-6.2p1/ldapincludes.h 2013-03-25 21:27:15.892248097 +0100
1824 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1826 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1828 + * Redistribution and use in source and binary forms, with or without
1829 + * modification, are permitted provided that the following conditions
1831 + * 1. Redistributions of source code must retain the above copyright
1832 + * notice, this list of conditions and the following disclaimer.
1833 + * 2. Redistributions in binary form must reproduce the above copyright
1834 + * notice, this list of conditions and the following disclaimer in the
1835 + * documentation and/or other materials provided with the distribution.
1837 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1838 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1839 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1840 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1841 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1842 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1843 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1844 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1845 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1846 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1849 +#ifndef LDAPINCLUDES_H
1850 +#define LDAPINCLUDES_H
1852 +#include "includes.h"
1860 +#ifdef HAVE_LDAP_SSL_H
1861 +#include <ldap_ssl.h>
1864 +#endif /* LDAPINCLUDES_H */
1865 diff -up openssh-6.2p1/ldapmisc.c.ldap openssh-6.2p1/ldapmisc.c
1866 --- openssh-6.2p1/ldapmisc.c.ldap 2013-03-25 21:27:15.893248104 +0100
1867 +++ openssh-6.2p1/ldapmisc.c 2013-03-25 21:27:15.893248104 +0100
1870 +#include "ldapincludes.h"
1871 +#include "ldapmisc.h"
1873 +#ifndef HAVE_LDAP_GET_LDERRNO
1875 +ldap_get_lderrno (LDAP * ld, char **m, char **s)
1877 +#ifdef HAVE_LDAP_GET_OPTION
1882 +#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
1883 + if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
1886 + lderrno = ld->ld_errno;
1890 +#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
1891 + if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
1894 + *s = ld->ld_error;
1899 +#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
1900 + if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
1903 + *m = ld->ld_matched;
1911 +#ifndef HAVE_LDAP_SET_LDERRNO
1913 +ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
1915 +#ifdef HAVE_LDAP_SET_OPTION
1919 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
1920 + if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
1923 + ld->ld_errno = lderrno;
1927 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
1928 + if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
1936 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
1937 + if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
1940 + ld->ld_matched = m;
1944 + return LDAP_SUCCESS;
1948 diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h
1949 --- openssh-6.2p1/ldapmisc.h.ldap 2013-03-25 21:27:15.893248104 +0100
1950 +++ openssh-6.2p1/ldapmisc.h 2013-03-25 21:27:15.893248104 +0100
1952 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1954 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1956 + * Redistribution and use in source and binary forms, with or without
1957 + * modification, are permitted provided that the following conditions
1959 + * 1. Redistributions of source code must retain the above copyright
1960 + * notice, this list of conditions and the following disclaimer.
1961 + * 2. Redistributions in binary form must reproduce the above copyright
1962 + * notice, this list of conditions and the following disclaimer in the
1963 + * documentation and/or other materials provided with the distribution.
1965 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1966 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1967 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1968 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1969 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1970 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1971 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1972 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1973 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1974 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1980 +#include "ldapincludes.h"
1982 +int ldap_get_lderrno (LDAP *, char **, char **);
1983 +int ldap_set_lderrno (LDAP *, int, const char *, const char *);
1985 +#endif /* LDAPMISC_H */
1987 --- openssh-7.2p1/Makefile.in.orig 2016-02-26 04:40:04.000000000 +0100
1988 +++ openssh-7.2p1/Makefile.in 2016-03-04 19:44:30.903306337 +0100
1990 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
1991 SFTP_SERVER=$(libexecdir)/sftp-server
1992 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
1993 +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
1994 +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
1995 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
1996 PRIVSEP_PATH=@PRIVSEP_PATH@
1997 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
2002 +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
2004 -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
2005 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
2010 sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
2013 -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
2014 -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
2015 +MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
2016 +MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
2019 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
2021 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
2022 $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
2024 +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
2025 + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
2027 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
2028 $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
2030 @@ -311,6 +317,10 @@
2031 $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
2032 $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
2033 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
2034 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
2035 + $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
2036 + $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
2038 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
2039 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
2040 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
2041 @@ -327,6 +337,10 @@
2042 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
2043 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
2044 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
2045 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
2046 + $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
2047 + $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
2051 if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
2052 @@ -352,6 +366,13 @@
2054 echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
2056 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
2057 + if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
2058 + $(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
2060 + echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
2064 host-key: ssh-keygen$(EXEEXT)
2065 @if [ -z "$(DESTDIR)" ] ; then \
2067 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
2068 -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
2069 -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
2070 + -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
2071 + -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
2072 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
2073 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
2074 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
2076 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
2077 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
2078 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
2079 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
2082 [ -d `pwd`/regress ] || mkdir -p `pwd`/regress
2083 diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lpk-openldap.schema
2084 --- openssh-6.2p1/openssh-lpk-openldap.schema.ldap 2013-03-25 21:27:15.894248110 +0100
2085 +++ openssh-6.2p1/openssh-lpk-openldap.schema 2013-03-25 21:27:15.894248110 +0100
2088 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
2089 +# useful with PKA-LDAP also
2091 +# Author: Eric AUGE <eau@phear.org>
2093 +# Based on the proposal of : Mark Ruijter
2097 +# octetString SYNTAX
2098 +attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
2099 + DESC 'MANDATORY: OpenSSH Public key'
2100 + EQUALITY octetStringMatch
2101 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
2103 +# printableString SYNTAX yes|no
2104 +objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
2105 + DESC 'MANDATORY: OpenSSH LPK objectclass'
2106 + MUST ( sshPublicKey $ uid )
2108 diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun.schema
2109 --- openssh-6.2p1/openssh-lpk-sun.schema.ldap 2013-03-25 21:27:15.894248110 +0100
2110 +++ openssh-6.2p1/openssh-lpk-sun.schema 2013-03-25 21:27:15.894248110 +0100
2113 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
2114 +# useful with PKA-LDAP also
2116 +# Author: Eric AUGE <eau@phear.org>
2118 +# Schema for Sun Directory Server.
2119 +# Based on the original schema, modified by Stefan Fischer.
2124 +# octetString SYNTAX
2125 +attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
2126 + DESC 'MANDATORY: OpenSSH Public key'
2127 + EQUALITY octetStringMatch
2128 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
2130 +# printableString SYNTAX yes|no
2131 +objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
2132 + DESC 'MANDATORY: OpenSSH LPK objectclass'
2133 + MUST ( sshPublicKey $ uid )
2135 diff -up openssh-6.2p2/ssh-ldap.conf.5.ldap openssh-6.2p2/ssh-ldap.conf.5
2136 --- openssh-6.2p2/ssh-ldap.conf.5.ldap 2013-06-07 15:10:05.604942680 +0200
2137 +++ openssh-6.2p2/ssh-ldap.conf.5 2013-06-07 15:10:24.928857566 +0200
2139 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
2141 +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
2143 +.\" Permission to use, copy, modify, and distribute this software for any
2144 +.\" purpose with or without fee is hereby granted, provided that the above
2145 +.\" copyright notice and this permission notice appear in all copies.
2147 +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
2148 +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
2149 +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
2150 +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
2151 +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
2152 +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
2153 +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
2155 +.Dd $Mdocdate: may 12 2010 $
2156 +.Dt SSH-LDAP.CONF 5
2160 +.Nd configuration file for ssh-ldap-helper
2162 +.Nm /etc/ssh/ldap.conf
2164 +.Xr ssh-ldap-helper 8
2165 +reads configuration data from
2166 +.Pa /etc/ssh/ldap.conf
2167 +(or the file specified with
2169 +on the command line).
2170 +The file contains keyword-argument pairs, one per line.
2171 +Lines starting with
2173 +and empty lines are interpreted as comments.
2175 +The value starts with the first non-blank character after
2176 +the keyword's name, and terminates at the end of the line,
2177 +or at the last sequence of blanks before the end of the line.
2178 +Quoting values that contain blanks
2179 +may be incorrect, as the quotes would become part of the value.
2180 +The possible keywords and their meanings are as follows (note that
2181 +keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
2184 +The argument(s) are in the form
2185 +.Pa ldap[si]://[name[:port]]
2186 +and specify the URI(s) of an LDAP server(s) to which the
2187 +.Xr ssh-ldap-helper 8
2188 +should connect. The URI scheme may be any of
2193 +which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
2194 +over IPC (UNIX domain sockets), respectively.
2195 +Each server's name can be specified as a
2196 +domain-style name or an IP address literal. Optionally, the
2197 +server's name can followed by a ':' and the port number the LDAP
2198 +server is listening on. If no port number is provided, the default
2199 +port for the scheme is used (389 for ldap://, 636 for ldaps://).
2200 +For LDAP over IPC, name is the name of the socket, and no port
2201 +is required, nor allowed; note that directory separators must be
2202 +URL-encoded, like any other characters that are special to URLs;
2203 +A space separated list of URIs may be provided.
2204 +There is no default.
2206 +Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
2207 +The base must be specified as a DN in LDAP format.
2208 +There is no default.
2210 +Specifies the default BIND DN to use when connecting to the ldap server.
2211 +The bind DN must be specified as a Distinguished Name in LDAP format.
2212 +There is no default.
2214 +Specifies the default password to use when connecting to the ldap server via
2216 +There is no default.
2218 +Intentionaly does nothing. Recognized for compatibility reasons.
2220 +The argument(s) specifies the name(s) of an LDAP server(s) to which the
2221 +.Xr ssh-ldap-helper 8
2222 +should connect. Each server's name can be specified as a
2223 +domain-style name or an IP address and optionally followed by a ':' and
2224 +the port number the ldap server is listening on. A space-separated
2225 +list of hosts may be provided.
2226 +There is no default.
2228 +is deprecated in favor of
2231 +Specifies the default port used when connecting to LDAP servers(s).
2232 +The port may be specified as a number.
2233 +The default port is 389 for ldap:// or 636 for ldaps:// respectively.
2235 +is deprecated in favor of
2238 +Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
2239 +There are three options (values) that can be assigned to the
2240 +.Cm Scope parameter:
2245 +Alias for the subtree is
2249 +is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
2252 +is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
2255 +is used to indicate searching of all entries at all levels under and including the specified base DN.
2259 +Specifies how alias dereferencing is done when performing a search. There are four
2260 +possible values that can be assigned to the
2270 +means that the aliases are never dereferenced.
2273 +means that the aliases are dereferenced in subordinates of the base object, but
2274 +not in locating the base object of the search.
2277 +means that the aliases are only dereferenced when locating the base object of the search.
2280 +means that the aliases are dereferenced both in searching and in locating the base object
2285 +Specifies a time limit (in seconds) to use when performing searches.
2286 +The number should be a non-negative integer. A
2288 +of zero (0) specifies that the search time is unlimited. Please note that the server
2289 +may still apply any server-side limit on the duration of a search operation.
2290 +The default value is 10.
2294 +.It Cm Bind_TimeLimit
2295 +Specifies the timeout (in seconds) after which the poll(2)/select(2)
2296 +following a connect(2) returns in case of no activity.
2297 +The default value is 10.
2298 +.It Cm Network_TimeOut
2300 +.Cm Bind_TimeLimit .
2301 +.It Cm Ldap_Version
2302 +Specifies what version of the LDAP protocol should be used.
2303 +The allowed values are 2 or 3. The default is 3.
2308 +Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
2312 +.Dq hard has 2 aliases
2318 +means that reconects that the
2319 +.Xr ssh-ldap-helper 8
2320 +tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
2324 +.Xr ssh-ldap-helper 8
2325 +fails immediately when it cannot connect to the LDAP seerver.
2329 +Specifies the path to the X.509 certificate database.
2330 +There is no default.
2332 +Specifies whether to use SSL/TLS or not.
2333 +There are three allowed values:
2342 +are the aliases for
2347 +are the aliases for
2351 +is specified then StartTLS is used rather than raw LDAP over SSL.
2352 +The default for ldap:// is
2359 +In case of host based configuration the default is
2362 +Specifies if the client should automatically follow referrals returned
2364 +The value can be or
2371 +are the aliases for
2376 +are the aliases for
2378 +The default is yes.
2380 +Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
2381 +The value can be or
2388 +are the aliases for
2393 +are the aliases for
2395 +The default is yes.
2396 +.It Cm TLS_CheckPeer
2397 +Specifies what checks to perform on server certificates in a TLS session,
2399 +can be specified as one of the following keywords:
2416 +are the aliases for
2420 +means that the client will not request or check any server certificate.
2423 +means that the server certificate is requested. If no certificate is provided,
2424 +the session proceeds normally. If a bad certificate is provided, it will
2425 +be ignored and the session proceeds normally.
2428 +means that the server certificate is requested. If no certificate is provided,
2429 +the session proceeds normally. If a bad certificate is provided,
2430 +the session is immediately terminated.
2433 +means that the server certificate is requested. If no
2434 +certificate is provided, or a bad certificate is provided, the session
2435 +is immediately terminated.
2440 +It requires an SSL connection. In the case of the plain conection the
2441 +session is immediately terminated.
2446 +.Cm TLS_CheckPeer .
2447 +.It Cm TLS_CACertFile
2448 +Specifies the file that contains certificates for all of the Certificate
2449 +Authorities the client will recognize.
2450 +There is no default.
2453 +.Cm TLS_CACertFile .
2454 +.It Cm TLS_CACertDIR
2455 +Specifies the path of a directory that contains Certificate Authority
2456 +certificates in separate individual files. The
2458 +is always used before
2459 +.Cm TLS_CACertDir .
2460 +The specified directory must be managed with the OpenSSL c_rehash utility.
2461 +There is no default.
2463 +Specifies acceptable cipher suite and preference order.
2464 +The value should be a cipher specification for OpenSSL,
2466 +.Dq HIGH:MEDIUM:+SSLv2 .
2469 +.It Cm TLS_Cipher_Suite
2473 +Specifies the file that contains the client certificate.
2474 +There is no default.
2475 +.It Cm TLS_Certificate
2479 +Specifies the file that contains the private key that matches the certificate
2482 +file. Currently, the private key must not be protected with a password, so
2483 +it is of critical importance that the key file is protected carefully.
2484 +There is no default.
2485 +.It Cm TLS_RandFile
2486 +Specifies the file to obtain random bits from when /dev/[u]random is
2487 +not available. Generally set to the name of the EGD/PRNGD socket.
2488 +The environment variable RANDFILE can also be used to specify the filename.
2489 +There is no default.
2491 +Specifies the directory used for logging by the LDAP client library.
2492 +There is no default.
2494 +Specifies the debug level used for logging by the LDAP client library.
2495 +There is no default.
2497 +Specifies the user filter applied on the LDAP serch.
2498 +The default is no filter.
2499 +.It Cm AccountClass
2500 +Specifies the LDAP class used to find user accounts.
2501 +The default is posixAccount.
2505 +.It Pa /etc/ssh/ldap.conf
2506 +Ldap configuration file for
2507 +.Xr ssh-ldap-helper 8 .
2511 +.Xr ssh-ldap-helper 8
2515 +OpenSSH 5.5 + PKA-LDAP .
2517 +.An Jan F. Chadima Aq jchadima@redhat.com
2518 diff -up openssh-6.2p1/ssh-ldap-helper.8.ldap openssh-6.2p1/ssh-ldap-helper.8
2519 --- openssh-6.2p1/ssh-ldap-helper.8.ldap 2013-03-25 21:27:15.895248117 +0100
2520 +++ openssh-6.2p1/ssh-ldap-helper.8 2013-03-25 21:27:15.895248117 +0100
2522 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
2524 +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
2526 +.\" Permission to use, copy, modify, and distribute this software for any
2527 +.\" purpose with or without fee is hereby granted, provided that the above
2528 +.\" copyright notice and this permission notice appear in all copies.
2530 +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
2531 +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
2532 +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
2533 +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
2534 +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
2535 +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
2536 +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
2538 +.Dd $Mdocdate: April 29 2010 $
2539 +.Dt SSH-LDAP-HELPER 8
2542 +.Nm ssh-ldap-helper
2543 +.Nd sshd helper program for ldap support
2545 +.Nm ssh-ldap-helper
2553 +to access keys provided by an LDAP.
2555 +is disabled by default and can only be enabled in the
2556 +sshd configuration file
2557 +.Pa /etc/ssh/sshd_config
2559 +.Cm AuthorizedKeysCommand
2561 +.Dq /usr/libexec/ssh-ldap-wrapper .
2564 +is not intended to be invoked by the user, but from
2566 +.Xr ssh-ldap-wrapper .
2568 +The options are as follows:
2571 +Set the debug mode;
2573 +prints all logs to stderr instead of syslog.
2577 +halts if it encounters an unknown item in the ldap.conf file.
2580 +uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
2583 +prints out the user's keys to stdout and exits.
2586 +increases verbosity.
2589 +writes warnings about unknown items in the ldap.conf configuration file.
2593 +.Xr sshd_config 5 ,
2594 +.Xr ssh-ldap.conf 5 ,
2598 +OpenSSH 5.5 + PKA-LDAP .
2600 +.An Jan F. Chadima Aq jchadima@redhat.com
2601 diff -up openssh-6.2p1/ssh-ldap-wrapper.ldap openssh-6.2p1/ssh-ldap-wrapper
2602 --- openssh-6.2p1/ssh-ldap-wrapper.ldap 2013-03-25 21:27:15.896248124 +0100
2603 +++ openssh-6.2p1/ssh-ldap-wrapper 2013-03-25 21:27:15.896248124 +0100
2607 +exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"