1 diff -up openssh-6.2p1/configure.ac.ldap openssh-6.2p1/configure.ac
2 --- openssh-6.2p1/configure.ac.ldap 2013-03-20 02:55:15.000000000 +0100
3 +++ openssh-6.2p1/configure.ac 2013-03-25 21:27:15.888248071 +0100
4 @@ -1509,6 +1509,106 @@ AC_ARG_WITH([audit],
8 +# Check whether user wants LDAP support
10 +INSTALL_SSH_LDAP_HELPER=""
12 + [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in PATH)],
14 + if test "x$withval" != "xno" ; then
16 + INSTALL_SSH_LDAP_HELPER="yes"
17 + CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
19 + if test "x$withval" != "xyes" ; then
20 + CPPFLAGS="$CPPFLAGS -I${withval}/include"
21 + LDFLAGS="$LDFLAGS -L${withval}/lib"
24 + AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
27 + AC_CHECK_HEADERS(lber.h)
28 + AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
29 + AC_CHECK_HEADERS(ldap_ssl.h)
31 + AC_ARG_WITH(ldap-lib,
32 + [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
34 + if test -z "$with_ldap_lib"; then
38 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
39 + AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
40 + AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
43 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
44 + AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
47 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
48 + AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
49 + if test -z "$found_ldap_lib"; then
50 + AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
52 + if test -z "$found_ldap_lib"; then
53 + AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
55 + if test -z "$found_ldap_lib"; then
56 + AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
60 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
61 + AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
64 + if test -z "$found_ldap_lib"; then
65 + AC_MSG_ERROR(could not locate a valid LDAP library)
68 + AC_MSG_CHECKING([for working LDAP support])
70 + [#include <sys/types.h>
72 + [(void)ldap_init(0, 0);],
73 + [AC_MSG_RESULT(yes)],
76 + AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
84 + ldap_controls_free \
89 + ldap_pvt_tls_set_option \
92 + AC_CHECK_FUNCS(ldap_set_rebind_proc,
93 + AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
97 + [ldap_set_rebind_proc(0, 0, 0);],
98 + [ac_cv_ldap_set_rebind_proc=3],
99 + [ac_cv_ldap_set_rebind_proc=2])
100 + AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
101 + AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
106 +AC_SUBST(INSTALL_SSH_LDAP_HELPER)
108 dnl Checks for library functions. Please keep in alphabetical order
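Review bot: The library probes `AC_CHECK_LIB(lber, main, ...)`, `AC_CHECK_LIB(ldap, main, ...)` and the Netscape variants look for the symbol `main`, which only proves the link line succeeds and cannot tell a real LDAP library from any linkable object; it is also unreliable when cross-compiling, where no `main` exists at probe time. Probing an exported symbol the helper actually calls, e.g. `AC_CHECK_LIB(lber, ber_free, ...)` and `AC_CHECK_LIB(ldap, ldap_init, ...)`, gives a meaningful check. The later "working LDAP support" link test against `ldap_init(0, 0)` partly compensates, but only after `LIBS` has already been chosen by the weak probes.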
111 diff -up openssh-6.2p1/HOWTO.ldap-keys.ldap openssh-6.2p1/HOWTO.ldap-keys
112 --- openssh-6.2p1/HOWTO.ldap-keys.ldap 2013-03-25 21:27:15.889248078 +0100
113 +++ openssh-6.2p1/HOWTO.ldap-keys 2013-03-25 21:27:15.889248078 +0100
118 +1) configure LDAP server
119 + * Use LDAP server documentation
120 +2) add appropriate LDAP schema
121 + * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it.
124 + - attached to the 'ldapPublicKey' objectclass
125 + - attached to the 'posixAccount' objectclass
126 + - with a filled 'sshPublicKey' attribute
127 +3) insert users into LDAP
128 + * Use LDAP Tree management tool as useful
129 + * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
131 + dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
133 + objectclass: person
134 + objectclass: organizationalPerson
135 + objectclass: posixAccount
136 + objectclass: ldapPublicKey
137 + description: Jonathan Archer
138 + userPassword: Porthos
144 + homeDirectory: /home/captain
145 + sshPublicKey: ssh-rss AAAAB3.... =captain@universe
146 + sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
147 +4) on the ssh side set in sshd_config
148 + * Set up the backend
149 + AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
150 + AuthorizedKeysCommandUser <appropriate user to run LDAP>
151 + * Do not forget to set
152 + PubkeyAuthentication yes
153 + * Swith off unnecessary auth methods
154 +5) confugure ldap.conf
155 + * Default ldap.conf is placed in /etc/ssh
156 + * The configuration style is the same as other ldap based aplications
157 +6) if necessary edit ssh-ldap-wrapper
158 + * There is a possibility to change ldap.conf location
159 + * There are some debug options
161 + /usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
163 +HOW TO MIGRATE FROM LPK
165 +1) goto HOW TO START 4) .... the ldap schema is the same
167 +2) convert the group requests to the appropriate LDAP requests
169 +HOW TO SOLVE PROBLEMS
171 +1) use debug in sshd
172 + * /usr/sbin/sshd -d -d -d -d
173 +2) use debug in ssh-ldap-helper
174 + * ssh-ldap-helper -d -d -d -d -s <username>
175 +3) use tcpdump ... other ldap client etc.
179 +1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
183 +1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
184 + allows write to users dn, somebody could replace some user's public key by his own and impersonate some
185 + of your users in all your server farm -- be VERY CAREFUL.
186 +2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
187 + as the impersonated user.
188 +3) If LDAP server is down there may be no fallback on passwd auth.
193 + * Possibility to reuse the ssh-ldap-helper.
194 + * Tune the LDAP part to accept all possible LDAP configurations.
196 +2) differences from original lpk
197 + * No LDAP code in sshd.
198 + * Support for various LDAP platforms and configurations.
199 + * LDAP is configured in separate ldap.conf file.
202 + * http://pacsec.jp/core05/psj05-barisani-en.pdf
203 + * http://fritz.potsdam.edu/projects/openssh-lpk/
204 + * http://fritz.potsdam.edu/projects/sshgate/
205 + * http://dev.inversepath.com/trac/openssh-lpk
206 + * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
208 +4) contributors/ideas/greets
209 + - Eric AUGE <eau@phear.org>
210 + - Andrea Barisani <andrea@inversepath.com>
211 + - Falk Siemonsmeier.
213 + - Michael Durchgraf.
217 + - Robin H. Johnson.
221 + Jan F. Chadima <jchadima@redhat.com>
223 diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
224 --- openssh-6.2p1/ldapbody.c.ldap 2013-03-25 21:27:15.889248078 +0100
225 +++ openssh-6.2p1/ldapbody.c 2013-03-25 21:27:15.889248078 +0100
227 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
229 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
231 + * Redistribution and use in source and binary forms, with or without
232 + * modification, are permitted provided that the following conditions
234 + * 1. Redistributions of source code must retain the above copyright
235 + * notice, this list of conditions and the following disclaimer.
236 + * 2. Redistributions in binary form must reproduce the above copyright
237 + * notice, this list of conditions and the following disclaimer in the
238 + * documentation and/or other materials provided with the distribution.
240 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
241 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
242 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
243 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
244 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
245 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
246 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
247 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
248 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
249 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
252 +#include "ldapincludes.h"
254 +#include "xmalloc.h"
255 +#include "ldapconf.h"
256 +#include "ldapmisc.h"
257 +#include "ldapbody.h"
261 +#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
262 +#define PUBKEYATTR "sshPublicKey"
263 +#define LDAP_LOGFILE "%s/ldap.%d"
265 +static FILE *logfile = NULL;
268 +static char *attrs[] = {
274 +ldap_checkconfig (void)
276 +#ifdef HAVE_LDAP_INITIALIZE
277 + if (options.host == NULL && options.uri == NULL)
279 + if (options.host == NULL)
281 + fatal ("missing \"host\" in config file");
284 +#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
286 +_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
288 + struct timeval timeout;
290 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
291 + LDAPMessage *result;
292 +#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
294 + debug2 ("Doing LDAP rebind to %s", options.binddn);
295 + if (options.ssl == SSL_START_TLS) {
296 + if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
297 + error ("ldap_starttls_s: %s", ldap_err2string (rc));
298 + return LDAP_OPERATIONS_ERROR;
302 +#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
303 + return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
305 + if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
306 + fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
308 + timeout.tv_sec = options.bind_timelimit;
309 + timeout.tv_usec = 0;
311 + if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
312 + error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
313 + ldap_msgfree (result);
314 + return LDAP_OPERATIONS_ERROR;
316 + debug3 ("LDAP rebind to %s succesfull", options.binddn);
323 +_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
326 + return LDAP_SUCCESS;
328 + *whop = strdup (options.binddn);
329 + *credp = strdup (options.bindpw);
330 + *methodp = LDAP_AUTH_SIMPLE;
331 + debug2 ("Doing LDAP rebind for %s", *whop);
332 + return LDAP_SUCCESS;
337 +ldap_do_connect(void)
339 + int rc, msgid, ld_errno = 0;
340 + struct timeval timeout;
341 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
343 + LDAPMessage *result;
344 + LDAPControl **controls;
346 +#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
348 + debug ("LDAP do connect");
352 + debug3 ("Reconnecting with ld_errno %d", ld_errno);
353 + if (options.bind_policy == 0 ||
354 + (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
356 + fatal ("Cannot connect to LDAP server");
359 + sleep (reconnect - 1);
365 + logit("reconnecting to LDAP server...");
372 +#ifdef HAVE_LDAP_SET_OPTION
373 + if (options.debug > 0) {
374 +#ifdef LBER_OPT_LOG_PRINT_FILE
375 + if (options.logdir) {
377 + int logfilenamelen;
379 + logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
380 + logfilename = xmalloc (logfilenamelen);
381 + snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
382 + logfilename[logfilenamelen - 1] = 0;
383 + if ((logfile = fopen (logfilename, "a")) == NULL)
384 + fatal ("cannot append to %s: %s", logfilename, strerror (errno));
385 + debug3 ("LDAP debug into %s", logfilename);
386 + free (logfilename);
387 + ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
390 + if (options.debug) {
391 +#ifdef LBER_OPT_DEBUG_LEVEL
392 + ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
393 +#endif /* LBER_OPT_DEBUG_LEVEL */
394 +#ifdef LDAP_OPT_DEBUG_LEVEL
395 + (void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
396 +#endif /* LDAP_OPT_DEBUG_LEVEL */
397 + debug3 ("Set LDAP debug to %d", options.debug);
400 +#endif /* HAVE_LDAP_SET_OPTION */
403 +#ifdef HAVE_LDAPSSL_INIT
404 + if (options.host != NULL) {
405 + if (options.ssl_on == SSL_LDAPS) {
406 + if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
407 + fatal ("ldapssl_client_init %s", ldap_err2string (rc));
408 + debug3 ("LDAPssl client init");
411 + if (options.ssl_on != SSL_OFF) {
412 + if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
413 + fatal ("ldapssl_init failed");
414 + debug3 ("LDAPssl init");
417 +#endif /* HAVE_LDAPSSL_INIT */
419 + /* continue with opening */
421 +#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
422 + /* Some global TLS-specific options need to be set before we create our
423 + * session context, so we set them here. */
425 +#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
427 + if (options.tls_randfile != NULL) {
428 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
429 + options.tls_randfile)) != LDAP_SUCCESS)
430 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
431 + ldap_err2string (rc));
432 + debug3 ("Set TLS random file %s", options.tls_randfile);
434 +#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
437 + if (options.tls_cacertfile != NULL) {
438 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
439 + options.tls_cacertfile)) != LDAP_SUCCESS)
440 + error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
441 + ldap_err2string (rc));
442 + debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
445 + /* ca cert directory */
446 + if (options.tls_cacertdir != NULL) {
447 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
448 + options.tls_cacertdir)) != LDAP_SUCCESS)
449 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
450 + ldap_err2string (rc));
451 + debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
454 + /* require cert? */
455 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
456 + &options.tls_checkpeer)) != LDAP_SUCCESS)
457 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
458 + ldap_err2string (rc));
459 + debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
461 + /* set cipher suite, certificate and private key: */
462 + if (options.tls_ciphers != NULL) {
463 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
464 + options.tls_ciphers)) != LDAP_SUCCESS)
465 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
466 + ldap_err2string (rc));
467 + debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
471 + if (options.tls_cert != NULL) {
472 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
473 + options.tls_cert)) != LDAP_SUCCESS)
474 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
475 + ldap_err2string (rc));
476 + debug3 ("Set TLS cert file %s ", options.tls_cert);
480 + if (options.tls_key != NULL) {
481 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
482 + options.tls_key)) != LDAP_SUCCESS)
483 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
484 + ldap_err2string (rc));
485 + debug3 ("Set TLS key file %s ", options.tls_key);
488 +#ifdef HAVE_LDAP_INITIALIZE
489 + if (options.uri != NULL) {
490 + if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
491 + fatal ("ldap_initialize %s", ldap_err2string (rc));
492 + debug3 ("LDAP initialize %s", options.uri);
495 +#endif /* HAVE_LDAP_INTITIALIZE */
497 + /* continue with opening */
498 + if ((ld == NULL) && (options.host != NULL)) {
499 +#ifdef HAVE_LDAP_INIT
500 + if ((ld = ldap_init (options.host, options.port)) == NULL)
501 + fatal ("ldap_init failed");
502 + debug3 ("LDAP init %s:%d", options.host, options.port);
504 + if ((ld = ldap_open (options.host, options.port)) == NULL)
505 + fatal ("ldap_open failed");
506 + debug3 ("LDAP open %s:%d", options.host, options.port);
507 +#endif /* HAVE_LDAP_INIT */
511 + fatal ("no way to open ldap");
513 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
514 + if (options.ssl == SSL_LDAPS) {
515 + if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
516 + fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
517 + debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
519 +#endif /* LDAP_OPT_X_TLS */
521 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
522 + (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
523 + &options.ldap_version);
525 + ld->ld_version = options.ldap_version;
527 + debug3 ("LDAP set version to %d", options.ldap_version);
529 +#if LDAP_SET_REBIND_PROC_ARGS == 3
530 + ldap_set_rebind_proc (ld, _rebind_proc, NULL);
531 +#elif LDAP_SET_REBIND_PROC_ARGS == 2
532 + ldap_set_rebind_proc (ld, _rebind_proc);
534 +#warning unknown LDAP_SET_REBIND_PROC_ARGS
536 + debug3 ("LDAP set rebind proc");
538 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
539 + (void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
541 + ld->ld_deref = options.deref;
543 + debug3 ("LDAP set deref to %d", options.deref);
545 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
546 + (void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
547 + &options.timelimit);
549 + ld->ld_timelimit = options.timelimit;
551 + debug3 ("LDAP set timelimit to %d", options.timelimit);
553 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
555 + * This is a new option in the Netscape SDK which sets
556 + * the TCP connect timeout. For want of a better value,
557 + * we use the bind_timelimit to control this.
559 + timeout = options.bind_timelimit * 1000;
560 + (void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
561 + debug3 ("LDAP set opt connect timeout to %d", timeout);
564 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
565 + tv.tv_sec = options.bind_timelimit;
567 + (void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
568 + debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
571 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
572 + (void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
573 + options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
574 + debug3 ("LDAP set referrals to %d", options.referrals);
577 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
578 + (void) ldap_set_option (ld, LDAP_OPT_RESTART,
579 + options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
580 + debug3 ("LDAP set restart to %d", options.restart);
583 +#ifdef HAVE_LDAP_START_TLS_S
584 + if (options.ssl == SSL_START_TLS) {
587 + if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
589 + if (version < LDAP_VERSION3) {
590 + version = LDAP_VERSION3;
591 + (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
593 + debug3 ("LDAP set version to %d", version);
597 + if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
598 + fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
599 + debug3 ("LDAP start TLS");
601 +#endif /* HAVE_LDAP_START_TLS_S */
604 + if ((msgid = ldap_simple_bind (ld, options.binddn,
605 + options.bindpw)) == -1) {
606 + ld_errno = ldap_get_lderrno (ld, 0, 0);
608 + error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
612 + debug3 ("LDAP simple bind (%s)", options.binddn);
614 + timeout.tv_sec = options.bind_timelimit;
615 + timeout.tv_usec = 0;
616 + if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
617 + ld_errno = ldap_get_lderrno (ld, 0, 0);
619 + error ("ldap_result %s", ldap_err2string (ld_errno));
623 + debug3 ("LDAP result in time");
625 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
627 + if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
628 + fatal ("ldap_parse_result %s", ldap_err2string (parserc));
629 + debug3 ("LDAP parse result OK");
631 + if (controls != NULL) {
632 + ldap_controls_free (controls);
635 + rc = ldap_result2error (session->ld, result, TRUE);
637 + if (rc != LDAP_SUCCESS)
638 + fatal ("error trying to bind as user \"%s\" (%s)",
639 + options.binddn, ldap_err2string (rc));
641 + debug2 ("LDAP do connect OK");
645 +process_user (const char *user, FILE *output)
647 + LDAPMessage *res, *e;
649 + int bufflen, rc, i;
650 + struct timeval timeout;
652 + debug ("LDAP process user");
654 + /* quick check for attempts to be evil */
655 + if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
656 + (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
657 + logit ("illegal user name %s not processed", user);
661 + /* build filter for LDAP request */
662 + bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user);
663 + if (options.ssh_filter != NULL)
664 + bufflen += strlen (options.ssh_filter);
665 + buffer = xmalloc (bufflen);
666 + snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
667 + buffer[bufflen - 1] = 0;
669 + debug3 ("LDAP search scope = %d %s", options.scope, buffer);
671 + timeout.tv_sec = options.timelimit;
672 + timeout.tv_usec = 0;
673 + if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
674 + error ("ldap_search_st(): %s", ldap_err2string (rc));
682 + for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
684 + struct berval **keys;
686 + keys = ldap_get_values_len(ld, e, PUBKEYATTR);
687 + num = ldap_count_values_len(keys);
688 + for (i = 0 ; i < num ; i++) {
689 + char *cp; //, *options = NULL;
691 + for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
692 + if (!*cp || *cp == '\n' || *cp == '#')
695 + /* We have found the desired key. */
696 + fprintf (output, "%s\n", keys[i]->bv_val);
699 + ldap_value_free_len(keys);
703 + debug2 ("LDAP process user finished");
711 + debug ("LDAP do close");
712 + if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
713 + fatal ("ldap_unbind_ext: %s",
714 + ldap_err2string (rc));
717 + debug2 ("LDAP do close OK");
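Review bot: The filter build in process_user, `snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL)`, hands a NULL pointer to a `%s` conversion whenever SSH_Filter is unset, which is undefined behaviour (glibc emits `(null)`, producing an unparseable filter) unless a default set elsewhere guarantees ssh_filter is non-NULL — the fallback should be `""`. In ldap_do_connect a failed `ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ...)` is only `error()`d while the CACERTDIR, REQUIRE_CERT, cert and key failures are `fatal()`; continuing without the configured trust anchor can silently weaken peer verification for the lower TLS_CheckPeer settings, so it should be `fatal` as well. In the three-argument _rebind_proc, `ldap_msgfree(result)` runs after `ldap_result()` returned 0 or -1, when the library may not have assigned `result`; declare it as `LDAPMessage *result = NULL;` so the free is safe.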
721 diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
722 --- openssh-6.2p1/ldapbody.h.ldap 2013-03-25 21:27:15.889248078 +0100
723 +++ openssh-6.2p1/ldapbody.h 2013-03-25 21:27:15.889248078 +0100
725 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
727 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
729 + * Redistribution and use in source and binary forms, with or without
730 + * modification, are permitted provided that the following conditions
732 + * 1. Redistributions of source code must retain the above copyright
733 + * notice, this list of conditions and the following disclaimer.
734 + * 2. Redistributions in binary form must reproduce the above copyright
735 + * notice, this list of conditions and the following disclaimer in the
736 + * documentation and/or other materials provided with the distribution.
738 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
739 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
740 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
741 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
742 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
743 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
744 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
745 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
746 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
747 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
755 +void ldap_checkconfig(void);
756 +void ldap_do_connect(void);
757 +void process_user(const char *, FILE *);
758 +void ldap_do_close(void);
760 +#endif /* LDAPBODY_H */
762 diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
763 --- openssh-6.2p2/ldapconf.c.ldap 2013-06-07 15:10:05.601942693 +0200
764 +++ openssh-6.2p2/ldapconf.c 2013-06-07 15:10:24.928857566 +0200
766 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
768 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
770 + * Redistribution and use in source and binary forms, with or without
771 + * modification, are permitted provided that the following conditions
773 + * 1. Redistributions of source code must retain the above copyright
774 + * notice, this list of conditions and the following disclaimer.
775 + * 2. Redistributions in binary form must reproduce the above copyright
776 + * notice, this list of conditions and the following disclaimer in the
777 + * documentation and/or other materials provided with the distribution.
779 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
780 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
781 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
782 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
783 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
784 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
785 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
786 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
787 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
788 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
791 +#include "ldapincludes.h"
792 +#include "ldap-helper.h"
795 +#include "xmalloc.h"
796 +#include "ldapconf.h"
800 +/* Keyword tokens. */
804 + lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
805 + lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
806 + lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
807 + lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
808 + lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
809 + lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
810 + lAccountClass, lDeprecated, lUnsupported
813 +/* Textual representations of the tokens. */
821 + { "BindDN", lBindDN },
822 + { "BindPW", lBindPW },
823 + { "RootBindDN", lRootBindDN },
826 + { "Scope", lScope },
827 + { "Deref", lDeref },
828 + { "TimeLimit", lTimeLimit },
829 + { "TimeOut", lTimeLimit },
830 + { "Bind_Timelimit", lBind_TimeLimit },
831 + { "Network_TimeOut", lBind_TimeLimit },
836 + { "Ldap_Version", lLdap_Version },
837 + { "Version", lLdap_Version },
838 + { "Bind_Policy", lBind_Policy },
839 + { "SSLPath", lSSLPath },
841 + { "Referrals", lReferrals },
842 + { "Restart", lRestart },
843 + { "TLS_CheckPeer", lTLS_CheckPeer },
844 + { "TLS_ReqCert", lTLS_CheckPeer },
845 + { "TLS_CaCertFile", lTLS_CaCertFile },
846 + { "TLS_CaCert", lTLS_CaCertFile },
847 + { "TLS_CaCertDir", lTLS_CaCertDir },
848 + { "TLS_Ciphers", lTLS_Ciphers },
849 + { "TLS_Cipher_Suite", lTLS_Ciphers },
850 + { "TLS_Cert", lTLS_Cert },
851 + { "TLS_Certificate", lTLS_Cert },
852 + { "TLS_Key", lTLS_Key },
853 + { "TLS_RandFile", lTLS_RandFile },
859 + { "LogDir", lLogDir },
860 + { "Debug", lDebug },
861 + { "SSH_Filter", lSSH_Filter },
862 + { "AccountClass", lAccountClass },
863 + { NULL, lBadOption }
866 +/* Configuration ptions. */
871 + * Returns the number of the token pointed to by cp or oBadOption.
875 +parse_token(const char *cp, const char *filename, int linenum)
879 + for (i = 0; keywords[i].name; i++)
880 + if (strcasecmp(cp, keywords[i].name) == 0)
881 + return keywords[i].opcode;
883 + if (config_warning_config_file)
884 + logit("%s: line %d: Bad configuration option: %s",
885 + filename, linenum, cp);
890 + * Processes a single option line as used in the configuration files. This
891 + * only sets those values that have not already been set.
893 +#define WHITESPACE " \t\r\n"
896 +process_config_line(char *line, const char *filename, int linenum)
898 + char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
899 + char *rootbinddn = NULL;
900 + int opcode, *intptr, value;
903 + /* Strip trailing whitespace */
904 + for (len = strlen(line) - 1; len > 0; len--) {
905 + if (strchr(WHITESPACE, line[len]) == NULL)
911 + /* Get the keyword. (Each line is supposed to begin with a keyword). */
912 + if ((keyword = strdelim(&s)) == NULL)
914 + /* Ignore leading whitespace. */
915 + if (*keyword == '\0')
916 + keyword = strdelim(&s);
917 + if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
920 + opcode = parse_token(keyword, filename, linenum);
924 + /* don't panic, but count bad options */
929 + xstringptr = &options.host;
931 + if (!s || *s == '\0')
932 + fatal("%s line %d: missing dn",filename,linenum);
933 + if (*xstringptr == NULL)
934 + *xstringptr = xstrdup(s);
938 + xstringptr = &options.uri;
939 + goto parse_xstring;
942 + xstringptr = &options.base;
943 + goto parse_xstring;
946 + xstringptr = &options.binddn;
947 + goto parse_xstring;
950 + charptr = &options.bindpw;
952 + arg = strdelim(&s);
953 + if (!arg || *arg == '\0')
954 + fatal("%.200s line %d: Missing argument.", filename, linenum);
955 + if (*charptr == NULL)
956 + *charptr = xstrdup(arg);
960 + xstringptr = &rootbinddn;
961 + goto parse_xstring;
964 + intptr = &options.scope;
965 + arg = strdelim(&s);
966 + if (!arg || *arg == '\0')
967 + fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
968 + value = 0; /* To avoid compiler warning... */
969 + if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
970 + value = LDAP_SCOPE_SUBTREE;
971 + else if (strcasecmp (arg, "one") == 0)
972 + value = LDAP_SCOPE_ONELEVEL;
973 + else if (strcasecmp (arg, "base") == 0)
974 + value = LDAP_SCOPE_BASE;
976 + fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
982 + intptr = &options.scope;
983 + arg = strdelim(&s);
984 + if (!arg || *arg == '\0')
985 + fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
986 + value = 0; /* To avoid compiler warning... */
987 + if (!strcasecmp (arg, "never"))
988 + value = LDAP_DEREF_NEVER;
989 + else if (!strcasecmp (arg, "searching"))
990 + value = LDAP_DEREF_SEARCHING;
991 + else if (!strcasecmp (arg, "finding"))
992 + value = LDAP_DEREF_FINDING;
993 + else if (!strcasecmp (arg, "always"))
994 + value = LDAP_DEREF_ALWAYS;
996 + fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
1002 + intptr = &options.port;
1004 + arg = strdelim(&s);
1005 + if (!arg || *arg == '\0')
1006 + fatal("%.200s line %d: Missing argument.", filename, linenum);
1007 + if (arg[0] < '0' || arg[0] > '9')
1008 + fatal("%.200s line %d: Bad number.", filename, linenum);
1010 + /* Octal, decimal, or hex format? */
1011 + value = strtol(arg, &endofnumber, 0);
1012 + if (arg == endofnumber)
1013 + fatal("%.200s line %d: Bad number.", filename, linenum);
1014 + if (*intptr == -1)
1019 + intptr = &options.timelimit;
1021 + arg = strdelim(&s);
1022 + if (!arg || *arg == '\0')
1023 + fatal("%s line %d: missing time value.",
1024 + filename, linenum);
1025 + if ((value = convtime(arg)) == -1)
1026 + fatal("%s line %d: invalid time value.",
1027 + filename, linenum);
1028 + if (*intptr == -1)
1032 + case lBind_TimeLimit:
1033 + intptr = &options.bind_timelimit;
1036 + case lLdap_Version:
1037 + intptr = &options.ldap_version;
1040 + case lBind_Policy:
1041 + intptr = &options.bind_policy;
1042 + arg = strdelim(&s);
1043 + if (!arg || *arg == '\0')
1044 + fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
1045 + value = 0; /* To avoid compiler warning... */
1046 + if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
1048 + else if (strcasecmp(arg, "soft") == 0)
1051 + fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
1052 + if (*intptr == -1)
1056 + charptr = &options.sslpath;
1057 + goto parse_string;
1060 + intptr = &options.ssl;
1061 + arg = strdelim(&s);
1062 + if (!arg || *arg == '\0')
1063 + fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
1064 + value = 0; /* To avoid compiler warning... */
1065 + if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
1066 + value = SSL_LDAPS;
1067 + else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
1069 + else if (!strcasecmp (arg, "start_tls"))
1070 + value = SSL_START_TLS;
1072 + fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
1073 + if (*intptr == -1)
1078 + intptr = &options.referrals;
1080 + arg = strdelim(&s);
1081 + if (!arg || *arg == '\0')
1082 + fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
1083 + value = 0; /* To avoid compiler warning... */
1084 + if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
1086 + else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
1089 + fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
1090 + if (*intptr == -1)
1095 + intptr = &options.restart;
1098 + case lTLS_CheckPeer:
1099 + intptr = &options.tls_checkpeer;
1100 + arg = strdelim(&s);
1101 + if (!arg || *arg == '\0')
1102 + fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
1103 + value = 0; /* To avoid compiler warning... */
1104 + if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
1105 + value = LDAP_OPT_X_TLS_NEVER;
1106 + else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
1107 + value = LDAP_OPT_X_TLS_HARD;
1108 + else if (strcasecmp(arg, "demand") == 0)
1109 + value = LDAP_OPT_X_TLS_DEMAND;
1110 + else if (strcasecmp(arg, "allow") == 0)
1111 + value = LDAP_OPT_X_TLS_ALLOW;
1112 + else if (strcasecmp(arg, "try") == 0)
1113 + value = LDAP_OPT_X_TLS_TRY;
1115 + fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
1116 + if (*intptr == -1)
1119 + case lTLS_CaCertFile:
1120 + charptr = &options.tls_cacertfile;
1121 + goto parse_string;
1123 + case lTLS_CaCertDir:
1124 + charptr = &options.tls_cacertdir;
1125 + goto parse_string;
1127 + case lTLS_Ciphers:
1128 + xstringptr = &options.tls_ciphers;
1129 + goto parse_xstring;
1132 + charptr = &options.tls_cert;
1133 + goto parse_string;
1136 + charptr = &options.tls_key;
1137 + goto parse_string;
1139 + case lTLS_RandFile:
1140 + charptr = &options.tls_randfile;
1141 + goto parse_string;
1144 + charptr = &options.logdir;
1145 + goto parse_string;
1148 + intptr = &options.debug;
1152 + xstringptr = &options.ssh_filter;
1153 + goto parse_xstring;
1155 + case lAccountClass:
1156 + charptr = &options.account_class;
1157 + goto parse_string;
1160 + debug("%s line %d: Deprecated option \"%s\"",
1161 + filename, linenum, keyword);
1164 + case lUnsupported:
1165 + error("%s line %d: Unsupported option \"%s\"",
1166 + filename, linenum, keyword);
1170 + fatal("process_config_line: Unimplemented opcode %d", opcode);
1173 + /* Check that there is no garbage at end of line. */
1174 + if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1175 + fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1176 + filename, linenum, arg);
1182 + * Reads the config file and modifies the options accordingly. Options
1183 + * should already be initialized before this call. This never returns if
1184 + * there is an error. If the file does not exist, this returns 0.
1188 +read_config_file(const char *filename)
1192 + int active, linenum;
1193 + int bad_options = 0;
1196 + if ((f = fopen(filename, "r")) == NULL)
1197 + fatal("fopen %s: %s", filename, strerror(errno));
1199 + if (fstat(fileno(f), &sb) == -1)
1200 + fatal("fstat %s: %s", filename, strerror(errno));
1201 + if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1202 + (sb.st_mode & 022) != 0))
1203 + fatal("Bad owner or permissions on %s", filename);
1205 + debug("Reading configuration data %.200s", filename);
1208 + * Mark that we are now processing the options. This flag is turned
1209 + * on/off by Host specifications.
1213 + while (fgets(line, sizeof(line), f)) {
1214 + /* Update line number counter. */
1216 + if (process_config_line(line, filename, linenum) != 0)
1220 + if ((bad_options > 0) && config_exclusive_config_file)
1221 + fatal("%s: terminating, %d bad configuration options",
1222 + filename, bad_options);
1226 + * Initializes options to special values that indicate that they have not yet
1227 + * been set. Read_config_file will only set options with this value. Options
1228 + * are processed in the following order: command line, user config file,
1229 + * system config file. Last, fill_default_options is called.
1233 +initialize_options(void)
1235 + memset(&options, 'X', sizeof(options));
1236 + options.host = NULL;
1237 + options.uri = NULL;
1238 + options.base = NULL;
1239 + options.binddn = NULL;
1240 + options.bindpw = NULL;
1241 + options.scope = -1;
1242 + options.deref = -1;
1243 + options.port = -1;
1244 + options.timelimit = -1;
1245 + options.bind_timelimit = -1;
1246 + options.ldap_version = -1;
1247 + options.bind_policy = -1;
1248 + options.sslpath = NULL;
1250 + options.referrals = -1;
1251 + options.restart = -1;
1252 + options.tls_checkpeer = -1;
1253 + options.tls_cacertfile = NULL;
1254 + options.tls_cacertdir = NULL;
1255 + options.tls_ciphers = NULL;
1256 + options.tls_cert = NULL;
1257 + options.tls_key = NULL;
1258 + options.tls_randfile = NULL;
1259 + options.logdir = NULL;
1260 + options.debug = -1;
1261 + options.ssh_filter = NULL;
1262 + options.account_class = NULL;
1266 + * Called after processing other sources of option data, this fills those
1267 + * options for which no value has been specified with their default values.
1271 +fill_default_options(void)
1273 + if (options.uri != NULL) {
1274 + LDAPURLDesc *ludp;
1276 + if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
1277 + if (options.ssl == -1) {
1278 + if (strcmp (ludp->lud_scheme, "ldap") == 0)
1280 + if (strcmp (ludp->lud_scheme, "ldapi") == 0)
1282 + else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
1285 + if (options.host == NULL)
1286 + options.host = xstrdup (ludp->lud_host);
1287 + if (options.port == -1)
1288 + options.port = ludp->lud_port;
1290 + ldap_free_urldesc (ludp);
1293 + if (options.ssl == -1)
1294 + options.ssl = SSL_START_TLS;
1295 + if (options.port == -1)
1296 + options.port = (options.ssl == 0) ? 389 : 636;
1297 + if (options.uri == NULL) {
1299 +#define MAXURILEN 4096
1301 + options.uri = xmalloc (MAXURILEN);
1302 + len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
1303 + (options.ssl == 0) ? "" : "s", options.host, options.port);
1304 + options.uri[MAXURILEN - 1] = 0;
1305 + options.uri = xreallocarray (options.uri, len + 1, 1);
1307 + if (options.binddn == NULL)
1308 + options.binddn = "";
1309 + if (options.bindpw == NULL)
1310 + options.bindpw = "";
1311 + if (options.scope == -1)
1312 + options.scope = LDAP_SCOPE_SUBTREE;
1313 + if (options.deref == -1)
1314 + options.deref = LDAP_DEREF_NEVER;
1315 + if (options.timelimit == -1)
1316 + options.timelimit = 10;
1317 + if (options.bind_timelimit == -1)
1318 + options.bind_timelimit = 10;
1319 + if (options.ldap_version == -1)
1320 + options.ldap_version = 3;
1321 + if (options.bind_policy == -1)
1322 + options.bind_policy = 1;
1323 + if (options.referrals == -1)
1324 + options.referrals = 1;
1325 + if (options.restart == -1)
1326 + options.restart = 1;
1327 + if (options.tls_checkpeer == -1)
1328 + options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
1329 + if (options.debug == -1)
1330 + options.debug = 0;
1331 + if (options.ssh_filter == NULL)
1332 + options.ssh_filter = "";
1333 + if (options.account_class == NULL)
1334 + options.account_class = "posixAccount";
1337 +static const char *
1338 +lookup_opcode_name(OpCodes code)
1342 + for (i = 0; keywords[i].name != NULL; i++)
1343 + if (keywords[i].opcode == code)
1344 + return(keywords[i].name);
1349 +dump_cfg_string(OpCodes code, const char *val)
1352 + debug3("%s <UNDEFINED>", lookup_opcode_name(code));
1354 + debug3("%s %s", lookup_opcode_name(code), val);
1358 +dump_cfg_int(OpCodes code, int val)
1361 + debug3("%s <UNDEFINED>", lookup_opcode_name(code));
1363 + debug3("%s %d", lookup_opcode_name(code), val);
1372 +dump_cfg_namedint(OpCodes code, int val, struct names *names)
1377 + debug3("%s <UNDEFINED>", lookup_opcode_name(code));
1379 + for (i = 0; names[i].value != -1; i++)
1380 + if (names[i].value == val) {
1381 + debug3("%s %s", lookup_opcode_name(code), names[i].name);
1384 + debug3("%s unknown: %d", lookup_opcode_name(code), val);
1388 +static struct names _yesnotls[] = {
1391 + { 2, "Start_TLS" },
1394 +static struct names _scope[] = {
1395 + { LDAP_SCOPE_BASE, "Base" },
1396 + { LDAP_SCOPE_ONELEVEL, "One" },
1397 + { LDAP_SCOPE_SUBTREE, "Sub"},
1400 +static struct names _deref[] = {
1401 + { LDAP_DEREF_NEVER, "Never" },
1402 + { LDAP_DEREF_SEARCHING, "Searching" },
1403 + { LDAP_DEREF_FINDING, "Finding" },
1404 + { LDAP_DEREF_ALWAYS, "Always" },
1407 +static struct names _yesno[] = {
1412 +static struct names _bindpolicy[] = {
1417 +static struct names _checkpeer[] = {
1418 + { LDAP_OPT_X_TLS_NEVER, "Never" },
1419 + { LDAP_OPT_X_TLS_HARD, "Hard" },
1420 + { LDAP_OPT_X_TLS_DEMAND, "Demand" },
1421 + { LDAP_OPT_X_TLS_ALLOW, "Allow" },
1422 + { LDAP_OPT_X_TLS_TRY, "TRY" },
1428 + dump_cfg_string(lURI, options.uri);
1429 + dump_cfg_string(lHost, options.host);
1430 + dump_cfg_int(lPort, options.port);
1431 + dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
1432 + dump_cfg_int(lLdap_Version, options.ldap_version);
1433 + dump_cfg_int(lTimeLimit, options.timelimit);
1434 + dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
1435 + dump_cfg_string(lBase, options.base);
1436 + dump_cfg_string(lBindDN, options.binddn);
1437 + dump_cfg_string(lBindPW, options.bindpw);
1438 + dump_cfg_namedint(lScope, options.scope, _scope);
1439 + dump_cfg_namedint(lDeref, options.deref, _deref);
1440 + dump_cfg_namedint(lReferrals, options.referrals, _yesno);
1441 + dump_cfg_namedint(lRestart, options.restart, _yesno);
1442 + dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
1443 + dump_cfg_string(lSSLPath, options.sslpath);
1444 + dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
1445 + dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
1446 + dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
1447 + dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
1448 + dump_cfg_string(lTLS_Cert, options.tls_cert);
1449 + dump_cfg_string(lTLS_Key, options.tls_key);
1450 + dump_cfg_string(lTLS_RandFile, options.tls_randfile);
1451 + dump_cfg_string(lLogDir, options.logdir);
1452 + dump_cfg_int(lDebug, options.debug);
1453 + dump_cfg_string(lSSH_Filter, options.ssh_filter);
1454 + dump_cfg_string(lAccountClass, options.logdir);
1457 diff -up openssh-6.2p2/ldapconf.h.ldap openssh-6.2p2/ldapconf.h
1458 --- openssh-6.2p2/ldapconf.h.ldap 2013-06-07 15:10:05.602942689 +0200
1459 +++ openssh-6.2p2/ldapconf.h 2013-06-07 15:10:24.928857566 +0200
1461 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1463 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1465 + * Redistribution and use in source and binary forms, with or without
1466 + * modification, are permitted provided that the following conditions
1468 + * 1. Redistributions of source code must retain the above copyright
1469 + * notice, this list of conditions and the following disclaimer.
1470 + * 2. Redistributions in binary form must reproduce the above copyright
1471 + * notice, this list of conditions and the following disclaimer in the
1472 + * documentation and/or other materials provided with the distribution.
1474 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1475 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1476 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1477 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1478 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1479 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1480 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1481 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1482 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1483 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1490 +#define SSL_LDAPS 1
1491 +#define SSL_START_TLS 2
1493 +/* Data structure for representing option data. */
1505 + int bind_timelimit;
1512 + int tls_checkpeer;
1513 + char *tls_cacertfile;
1514 + char *tls_cacertdir;
1515 + char *tls_ciphers;
1518 + char *tls_randfile;
1522 + char *account_class;
1525 +extern Options options;
1527 +void read_config_file(const char *);
1528 +void initialize_options(void);
1529 +void fill_default_options(void);
1530 +void dump_config(void);
1532 +#endif /* LDAPCONF_H */
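Review bot: The `SSL_LDAPS`/`SSL_START_TLS` defines near the top of this header have no comment saying that 0 is the third, "no TLS" state `options.ssl` takes, yet 0 is the only value the rest of the patch keys on: `fill_default_options` in the ldapconf.c hunk defaults `ssl` to `SSL_START_TLS` and then chooses port 636 and an `ldaps` scheme for any non-zero value (`(options.ssl == 0) ? 389 : 636`), which for StartTLS looks like a mix-up worth confirming. I would add above the defines: `/* Options.ssl: 0 = plain ldap://, SSL_LDAPS = TLS from the first byte (ldaps://, port 636), SSL_START_TLS = ldap:// upgraded via StartTLS (port 389). Only 0 is tested by the URI/port defaulting code. */`. The `Options` struct's opening lines and the `bindpw` member that ldapconf.c initialises and later prints in `dump_config` are not among the visible lines of this hunk.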
1533 diff -up openssh-6.2p1/ldap.conf.ldap openssh-6.2p1/ldap.conf
1534 --- openssh-6.2p1/ldap.conf.ldap 2013-03-25 21:27:15.891248091 +0100
1535 +++ openssh-6.2p1/ldap.conf 2013-03-25 21:27:15.891248091 +0100
1537 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
1539 +# This is the example configuration file for the OpenSSH
1542 +# see ssh-ldap.conf(5)
1545 +# URI with your LDAP server name. This allows to use
1546 +# Unix Domain Sockets to connect to a local LDAP Server.
1547 +#uri ldap://127.0.0.1/
1548 +#uri ldaps://127.0.0.1/
1549 +#uri ldapi://%2fvar%2frun%2fldapi_sock/
1550 +# Note: %2f encodes the '/' used as directory separator
1552 +# Another way to specify your LDAP server is to provide an
1553 +# host name and the port of our LDAP server. Host name
1554 +# must be resolvable without using LDAP.
1555 +# Multiple hosts may be specified, each separated by a
1556 +# space. How long nss_ldap takes to failover depends on
1557 +# whether your LDAP client library supports configurable
1558 +# network or connect timeouts (see bind_timelimit).
1562 +# Optional: default is 389.
1565 +# The distinguished name to bind to the server with.
1566 +# Optional: default is to bind anonymously.
1567 +#binddn cn=openssh_keys,dc=example,dc=org
1569 +# The credentials to bind with.
1570 +# Optional: default is no credential.
1573 +# The distinguished name of the search base.
1574 +#base dc=example,dc=org
1576 +# The LDAP version to use (defaults to 3
1577 +# if supported by client library)
1580 +# The search scope.
1588 +# Bind/connect timelimit
1591 +# Reconnect policy: hard (default) will retry connecting to
1592 +# the software with exponential backoff, soft will fail
1596 +# SSL setup, may be implied by URI also.
1601 +# OpenLDAP SSL options
1602 +# Require and verify server certificate (yes/no)
1603 +# Default is to use libldap's default behavior, which can be configured in
1604 +# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
1605 +# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
1606 +#tls_checkpeer hard
1608 +# CA certificates for server certificate verification
1609 +# At least one of these are required if tls_checkpeer is "yes"
1610 +#tls_cacertfile /etc/ssl/ca.cert
1611 +#tls_cacertdir /etc/pki/tls/certs
1613 +# Seed the PRNG if /dev/urandom is not provided
1614 +#tls_randfile /var/run/egd-pool
1617 +# See man ciphers for syntax
1620 +# Client certificate and key
1621 +# Use these, if your server requires client authentication.
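Review bot: Several comments in this example disagree with the defaults the helper actually applies in `fill_default_options`: `port` is documented as defaulting to 389, but the code defaults `ssl` to start_tls and then picks 636 whenever `ssl` is non-zero; `tls_checkpeer` is documented as yes/no with libldap's TLS_REQCERT as the default, but the parser accepts never/hard/demand/allow/try and the code defaults it to hard. I would rewrite those two blocks as `# Optional: default is 389 when ssl is "no", 636 otherwise (ssl itself defaults to start_tls)` and `# Verify the server certificate: never/hard/demand/allow/try (default: hard)`. Because `bindpw` is stored here in cleartext and `read_config_file` only refuses group/world-writable files, not world-readable ones, the `bindpw` section should also carry `# If set, this file must not be world-readable (chmod 0600)`.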
1625 diff -up openssh-6.2p1/ldap-helper.c.ldap openssh-6.2p1/ldap-helper.c
1626 --- openssh-6.2p1/ldap-helper.c.ldap 2013-03-25 21:27:15.892248097 +0100
1627 +++ openssh-6.2p1/ldap-helper.c 2013-03-25 21:27:15.892248097 +0100
1629 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1631 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1633 + * Redistribution and use in source and binary forms, with or without
1634 + * modification, are permitted provided that the following conditions
1636 + * 1. Redistributions of source code must retain the above copyright
1637 + * notice, this list of conditions and the following disclaimer.
1638 + * 2. Redistributions in binary form must reproduce the above copyright
1639 + * notice, this list of conditions and the following disclaimer in the
1640 + * documentation and/or other materials provided with the distribution.
1642 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1643 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1644 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1645 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1646 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1647 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1648 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1649 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1650 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1651 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1654 +#include "ldapincludes.h"
1657 +#include "xmalloc.h"
1658 +#include "ldapconf.h"
1659 +#include "ldapbody.h"
1660 +#include <string.h>
1661 +#include <unistd.h>
1663 +static int config_debug = 0;
1664 +int config_exclusive_config_file = 0;
1665 +static char *config_file_name = "/etc/ssh/ldap.conf";
1666 +static char *config_single_user = NULL;
1667 +static int config_verbose = SYSLOG_LEVEL_VERBOSE;
1668 +int config_warning_config_file = 0;
1669 +extern char *__progname;
1674 + fprintf(stderr, "usage: %s [options]\n",
1676 + fprintf(stderr, "Options:\n");
1677 + fprintf(stderr, " -d Output the log messages to stderr.\n");
1678 + fprintf(stderr, " -e Check the config file for unknown commands.\n");
1679 + fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n");
1680 + fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n");
1681 + fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n");
1682 + fprintf(stderr, " -w Warn on unknown commands in the config file.\n");
1687 + * Main program for the ssh pka ldap agent.
1691 +main(int ac, char **av)
1694 + FILE *outfile = NULL;
1696 + __progname = ssh_get_progname(av[0]);
1698 + log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
1701 + * Initialize option structure to indicate that no values have been
1704 + initialize_options();
1706 + /* Parse command-line arguments. */
1707 + while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
1714 + config_exclusive_config_file = 1;
1715 + config_warning_config_file = 1;
1719 + config_file_name = optarg;
1723 + config_single_user = optarg;
1724 + outfile = fdopen (dup (fileno (stdout)), "w");
1729 + if (config_verbose < SYSLOG_LEVEL_DEBUG3)
1734 + config_warning_config_file = 1;
1744 + /* Initialize loging */
1745 + log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
1748 + fatal ("illegal extra parameter %s", av[1]);
1750 + /* Ensure that fds 0 and 2 are open or directed to /dev/null */
1751 + if (config_debug == 0)
1754 + /* Read config file */
1755 + read_config_file(config_file_name);
1756 + fill_default_options();
1757 + if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
1758 + debug3 ("=== Configuration ===");
1760 + debug3 ("=== *** ===");
1763 + ldap_checkconfig();
1764 + ldap_do_connect();
1766 + if (config_single_user) {
1767 + process_user (config_single_user, outfile);
1770 + fatal ("Not yet implemented");
1772 + * open unix socket a run the loop on it
1781 +void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
1782 +void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
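Review bot: The `-s` handler never checks `dup()` or `fdopen()`, so on failure `outfile` stays NULL and is later passed to `process_user`; `if ((outfile = fdopen(dup(fileno(stdout)), "w")) == NULL) fatal("fdopen stdout: %s", strerror(errno));` fails closed instead. The extra-argument error reports `av[1]` rather than the first unconsumed argument after getopt, which is presumably meant to be `av[optind]`; the line that tests it is not among the visible lines, so confirm what it compares. The two `buffer_get_string`/`buffer_put_string` stubs silently return NULL or do nothing, and deserve a comment naming the libssh object that drags them in and stating they must never be reached, so a later reader does not mistake them for working implementations. `main` spans lines of this hunk that are not shown.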
1784 diff -up openssh-6.2p1/ldap-helper.h.ldap openssh-6.2p1/ldap-helper.h
1785 --- openssh-6.2p1/ldap-helper.h.ldap 2013-03-25 21:27:15.892248097 +0100
1786 +++ openssh-6.2p1/ldap-helper.h 2013-03-25 21:27:15.892248097 +0100
1788 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1790 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1792 + * Redistribution and use in source and binary forms, with or without
1793 + * modification, are permitted provided that the following conditions
1795 + * 1. Redistributions of source code must retain the above copyright
1796 + * notice, this list of conditions and the following disclaimer.
1797 + * 2. Redistributions in binary form must reproduce the above copyright
1798 + * notice, this list of conditions and the following disclaimer in the
1799 + * documentation and/or other materials provided with the distribution.
1801 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1802 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1803 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1804 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1805 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1806 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1807 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1808 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1809 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1810 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1813 +#ifndef LDAP_HELPER_H
1814 +#define LDAP_HELPER_H
1816 +extern int config_exclusive_config_file;
1817 +extern int config_warning_config_file;
1819 +#endif /* LDAP_HELPER_H */
1820 diff -up openssh-6.2p1/ldapincludes.h.ldap openssh-6.2p1/ldapincludes.h
1821 --- openssh-6.2p1/ldapincludes.h.ldap 2013-03-25 21:27:15.892248097 +0100
1822 +++ openssh-6.2p1/ldapincludes.h 2013-03-25 21:27:15.892248097 +0100
1824 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1826 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1828 + * Redistribution and use in source and binary forms, with or without
1829 + * modification, are permitted provided that the following conditions
1831 + * 1. Redistributions of source code must retain the above copyright
1832 + * notice, this list of conditions and the following disclaimer.
1833 + * 2. Redistributions in binary form must reproduce the above copyright
1834 + * notice, this list of conditions and the following disclaimer in the
1835 + * documentation and/or other materials provided with the distribution.
1837 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1838 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1839 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1840 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1841 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1842 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1843 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1844 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1845 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1846 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1849 +#ifndef LDAPINCLUDES_H
1850 +#define LDAPINCLUDES_H
1852 +#include "includes.h"
1860 +#ifdef HAVE_LDAP_SSL_H
1861 +#include <ldap_ssl.h>
1864 +#endif /* LDAPINCLUDES_H */
1865 diff -up openssh-6.2p1/ldapmisc.c.ldap openssh-6.2p1/ldapmisc.c
1866 --- openssh-6.2p1/ldapmisc.c.ldap 2013-03-25 21:27:15.893248104 +0100
1867 +++ openssh-6.2p1/ldapmisc.c 2013-03-25 21:27:15.893248104 +0100
1870 +#include "ldapincludes.h"
1871 +#include "ldapmisc.h"
1873 +#ifndef HAVE_LDAP_GET_LDERRNO
1875 +ldap_get_lderrno (LDAP * ld, char **m, char **s)
1877 +#ifdef HAVE_LDAP_GET_OPTION
1882 +#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
1883 + if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
1886 + lderrno = ld->ld_errno;
1890 +#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
1891 + if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
1894 + *s = ld->ld_error;
1899 +#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
1900 + if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
1903 + *m = ld->ld_matched;
1911 +#ifndef HAVE_LDAP_SET_LDERRNO
1913 +ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
1915 +#ifdef HAVE_LDAP_SET_OPTION
1919 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
1920 + if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
1923 + ld->ld_errno = lderrno;
1927 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
1928 + if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
1936 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
1937 + if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
1940 + ld->ld_matched = m;
1944 + return LDAP_SUCCESS;
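Review bot: In the fallback branch of `ldap_set_lderrno`, the caller's `m` pointer is stored straight into `ld->ld_matched` (`ld->ld_matched = m;`), so the handle keeps a reference into memory it does not own and may outlive or later free, whereas the `ldap_set_option` branch lets the library take its own copy; if the fallback stays it should copy, e.g. `ld->ld_matched = m ? strdup(m) : NULL;`, after releasing the previous value, and the same presumably applies to the `ld_error` assignment on a line not shown. The `const char *` arguments are also passed into `ldap_set_option`'s `void *` slot; a cast with a one-word comment would make the dropped `const` visibly intentional. Both shims would benefit from a header comment stating the ownership contract, since the `*s = ld->ld_error` / `*m = ld->ld_matched` path in `ldap_get_lderrno` hands out internal pointers the caller must not free, while the `ldap_get_option` path may not.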
1948 diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h
1949 --- openssh-6.2p1/ldapmisc.h.ldap 2013-03-25 21:27:15.893248104 +0100
1950 +++ openssh-6.2p1/ldapmisc.h 2013-03-25 21:27:15.893248104 +0100
1952 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1954 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1956 + * Redistribution and use in source and binary forms, with or without
1957 + * modification, are permitted provided that the following conditions
1959 + * 1. Redistributions of source code must retain the above copyright
1960 + * notice, this list of conditions and the following disclaimer.
1961 + * 2. Redistributions in binary form must reproduce the above copyright
1962 + * notice, this list of conditions and the following disclaimer in the
1963 + * documentation and/or other materials provided with the distribution.
1965 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1966 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1967 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1968 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1969 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1970 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1971 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1972 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1973 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1974 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1980 +#include "ldapincludes.h"
1982 +int ldap_get_lderrno (LDAP *, char **, char **);
1983 +int ldap_set_lderrno (LDAP *, int, const char *, const char *);
1985 +#endif /* LDAPMISC_H */
1987 --- openssh-7.2p1/Makefile.in.orig 2016-02-26 04:40:04.000000000 +0100
1988 +++ openssh-7.2p1/Makefile.in 2016-03-04 19:44:30.903306337 +0100
1990 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
1991 SFTP_SERVER=$(libexecdir)/sftp-server
1992 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
1993 +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
1994 +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
1995 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
1996 PRIVSEP_PATH=@PRIVSEP_PATH@
1997 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
2002 +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
2006 -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
2007 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
2012 sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
2015 -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
2016 -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
2017 +MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
2018 +MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
2021 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
2022 @@ -235,6 +235,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
2023 ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
2024 $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
2026 +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
2027 + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
2029 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
2030 $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
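Review bot: The link rule for `ssh-ldap-helper` hard-codes `-lfipscheck`, which no other target in this Makefile uses and which nothing in the visible configure changes tests for, so the build fails wherever libfipscheck is absent even though the LDAP code does not obviously need it. It should come from a configure-populated variable that is empty when the library is not found, the way `$(LIBFIDO2)` is used for `ssh-sk-helper` two lines above. The rule also spells out the four object files twice rather than defining `SSHLDAPHELPER_OBJS=ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o` like the neighbouring helpers, which is the form a reader expects here.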
2032 @@ -395,6 +395,10 @@ install-files:
2033 $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
2034 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
2035 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
2036 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
2037 + $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
2038 + $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
2040 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
2041 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
2042 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
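Review bot: The helper's install line omits `$(EXEEXT)` on both the source and the destination (`ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER)`), while the uninstall rule later removes `$(SSH_LDAP_HELPER)$(EXEEXT)`, so on a platform with a non-empty EXEEXT install names a file the build did not produce and uninstall leaves the installed one behind; use `$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper$(EXEEXT) $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT) ; \`. Mode 0700 for the helper and wrapper is tighter than the 0755 used for the adjacent helpers, presumably because only sshd's AuthorizedKeysCommand is meant to run them; a one-line comment saying so would stop a later maintainer from "fixing" it to 0755. The `fi` closing this conditional is not among the visible lines.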
2043 @@ -416,6 +416,10 @@ install-files:
2044 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
2045 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
2046 $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
2047 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
2048 + $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
2049 + $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
2053 $(MKDIR_P) $(DESTDIR)$(sysconfdir)
2054 @@ -352,6 +366,13 @@
2056 echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
2058 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
2059 + if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
2060 + $(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
2062 + echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
2066 host-key: ssh-keygen$(EXEEXT)
2067 @if [ -z "$(DESTDIR)" ] ; then \
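Review bot: `ldap.conf` is installed world-readable (`-m 644`) although the ssh-ldap.conf(5) page added by this same patch documents `BindPW` and an unencrypted `TLS_Key` file path in that file; since the helper is installed 0700 and therefore runs as root, the config could be tightened to `$(INSTALL) -m 600 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \` without affecting it. If the template must stay 644 because the helper is expected to run as an unprivileged AuthorizedKeysCommandUser, the shipped template (not visible here) should at least carry a comment telling operators to re-protect the file once a BindPW is set. The hunk header advertises seven added lines but fewer are visible, so the `else`/`fi` lines were presumably dropped by the page.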
2068 @@ -488,6 +488,8 @@ uninstall:
2069 -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
2070 -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
2071 -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
2072 + -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
2073 + -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
2074 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
2075 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
2076 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
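Review bot: `-rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)` appends `$(EXEEXT)` to the wrapper, but the install rule in this patch copies the shell script to `$(DESTDIR)$(SSH_LDAP_WRAPPER)` with no suffix, so on a platform with a non-empty EXEEXT uninstall leaves the wrapper behind (and the helper has the mirror-image problem: installed without the suffix, removed with it). The wrapper is a script, not a linked executable, so the consistent form is `-rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)`. A stale root-only AuthorizedKeysCommand target that survives uninstall is mostly a hygiene issue, but it does mean an sshd_config still pointing at it keeps resolving keys against a package the admin believes is gone.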
2077 @@ -502,6 +502,7 @@ uninstall:
2078 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
2079 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
2080 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
2081 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
2084 $(MKDIR_P) `pwd`/regress/unittests/test_helper
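Review bot: The uninstall rule removes `ssh-ldap-helper.8` but not `ssh-ldap.conf.5`, which the install-files hunk in this patch copies to `$(mandir)/$(mansubdir)5/ssh-ldap.conf.5`; add `-rm -f $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5` alongside it. The hunk header (`-502,6 +502,7`) confirms exactly one line was added here, so this is an omission in the patch rather than a line dropped by the page.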
2085 diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lpk-openldap.schema
2086 --- openssh-6.2p1/openssh-lpk-openldap.schema.ldap 2013-03-25 21:27:15.894248110 +0100
2087 +++ openssh-6.2p1/openssh-lpk-openldap.schema 2013-03-25 21:27:15.894248110 +0100
2090 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
2091 +# useful with PKA-LDAP also
2093 +# Author: Eric AUGE <eau@phear.org>
2095 +# Based on the proposal of : Mark Ruijter
2099 +# octetString SYNTAX
2100 +attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
2101 + DESC 'MANDATORY: OpenSSH Public key'
2102 + EQUALITY octetStringMatch
2103 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
2105 +# printableString SYNTAX yes|no
2106 +objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
2107 + DESC 'MANDATORY: OpenSSH LPK objectclass'
2108 + MUST ( sshPublicKey $ uid )
2110 diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun.schema
2111 --- openssh-6.2p1/openssh-lpk-sun.schema.ldap 2013-03-25 21:27:15.894248110 +0100
2112 +++ openssh-6.2p1/openssh-lpk-sun.schema 2013-03-25 21:27:15.894248110 +0100
2115 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
2116 +# useful with PKA-LDAP also
2118 +# Author: Eric AUGE <eau@phear.org>
2120 +# Schema for Sun Directory Server.
2121 +# Based on the original schema, modified by Stefan Fischer.
2126 +# octetString SYNTAX
2127 +attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
2128 + DESC 'MANDATORY: OpenSSH Public key'
2129 + EQUALITY octetStringMatch
2130 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
2132 +# printableString SYNTAX yes|no
2133 +objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
2134 + DESC 'MANDATORY: OpenSSH LPK objectclass'
2135 + MUST ( sshPublicKey $ uid )
2137 diff -up openssh-6.2p2/ssh-ldap.conf.5.ldap openssh-6.2p2/ssh-ldap.conf.5
2138 --- openssh-6.2p2/ssh-ldap.conf.5.ldap 2013-06-07 15:10:05.604942680 +0200
2139 +++ openssh-6.2p2/ssh-ldap.conf.5 2013-06-07 15:10:24.928857566 +0200
2141 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
2143 +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
2145 +.\" Permission to use, copy, modify, and distribute this software for any
2146 +.\" purpose with or without fee is hereby granted, provided that the above
2147 +.\" copyright notice and this permission notice appear in all copies.
2149 +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
2150 +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
2151 +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
2152 +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
2153 +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
2154 +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
2155 +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
2157 +.Dd $Mdocdate: may 12 2010 $
2158 +.Dt SSH-LDAP.CONF 5
2162 +.Nd configuration file for ssh-ldap-helper
2164 +.Nm /etc/ssh/ldap.conf
2166 +.Xr ssh-ldap-helper 8
2167 +reads configuration data from
2168 +.Pa /etc/ssh/ldap.conf
2169 +(or the file specified with
2171 +on the command line).
2172 +The file contains keyword-argument pairs, one per line.
2173 +Lines starting with
2175 +and empty lines are interpreted as comments.
2177 +The value starts with the first non-blank character after
2178 +the keyword's name, and terminates at the end of the line,
2179 +or at the last sequence of blanks before the end of the line.
2180 +Quoting values that contain blanks
2181 +may be incorrect, as the quotes would become part of the value.
2182 +The possible keywords and their meanings are as follows (note that
2183 +keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
2186 +The argument(s) are in the form
2187 +.Pa ldap[si]://[name[:port]]
2188 +and specify the URI(s) of an LDAP server(s) to which the
2189 +.Xr ssh-ldap-helper 8
2190 +should connect. The URI scheme may be any of
2195 +which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
2196 +over IPC (UNIX domain sockets), respectively.
2197 +Each server's name can be specified as a
2198 +domain-style name or an IP address literal. Optionally, the
2199 +server's name can followed by a ':' and the port number the LDAP
2200 +server is listening on. If no port number is provided, the default
2201 +port for the scheme is used (389 for ldap://, 636 for ldaps://).
2202 +For LDAP over IPC, name is the name of the socket, and no port
2203 +is required, nor allowed; note that directory separators must be
2204 +URL-encoded, like any other characters that are special to URLs;
2205 +A space separated list of URIs may be provided.
2206 +There is no default.
2208 +Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
2209 +The base must be specified as a DN in LDAP format.
2210 +There is no default.
2212 +Specifies the default BIND DN to use when connecting to the ldap server.
2213 +The bind DN must be specified as a Distinguished Name in LDAP format.
2214 +There is no default.
2216 +Specifies the default password to use when connecting to the ldap server via
2218 +There is no default.
2220 +Intentionaly does nothing. Recognized for compatibility reasons.
2222 +The argument(s) specifies the name(s) of an LDAP server(s) to which the
2223 +.Xr ssh-ldap-helper 8
2224 +should connect. Each server's name can be specified as a
2225 +domain-style name or an IP address and optionally followed by a ':' and
2226 +the port number the ldap server is listening on. A space-separated
2227 +list of hosts may be provided.
2228 +There is no default.
2230 +is deprecated in favor of
2233 +Specifies the default port used when connecting to LDAP servers(s).
2234 +The port may be specified as a number.
2235 +The default port is 389 for ldap:// or 636 for ldaps:// respectively.
2237 +is deprecated in favor of
2240 +Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
2241 +There are three options (values) that can be assigned to the
2242 +.Cm Scope parameter:
2247 +Alias for the subtree is
2251 +is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
2254 +is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
2257 +is used to indicate searching of all entries at all levels under and including the specified base DN.
2261 +Specifies how alias dereferencing is done when performing a search. There are four
2262 +possible values that can be assigned to the
2272 +means that the aliases are never dereferenced.
2275 +means that the aliases are dereferenced in subordinates of the base object, but
2276 +not in locating the base object of the search.
2279 +means that the aliases are only dereferenced when locating the base object of the search.
2282 +means that the aliases are dereferenced both in searching and in locating the base object
2287 +Specifies a time limit (in seconds) to use when performing searches.
2288 +The number should be a non-negative integer. A
2290 +of zero (0) specifies that the search time is unlimited. Please note that the server
2291 +may still apply any server-side limit on the duration of a search operation.
2292 +The default value is 10.
2296 +.It Cm Bind_TimeLimit
2297 +Specifies the timeout (in seconds) after which the poll(2)/select(2)
2298 +following a connect(2) returns in case of no activity.
2299 +The default value is 10.
2300 +.It Cm Network_TimeOut
2302 +.Cm Bind_TimeLimit .
2303 +.It Cm Ldap_Version
2304 +Specifies what version of the LDAP protocol should be used.
2305 +The allowed values are 2 or 3. The default is 3.
2310 +Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
2314 +.Dq hard has 2 aliases
2320 +means that reconects that the
2321 +.Xr ssh-ldap-helper 8
2322 +tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
2326 +.Xr ssh-ldap-helper 8
2327 +fails immediately when it cannot connect to the LDAP seerver.
2331 +Specifies the path to the X.509 certificate database.
2332 +There is no default.
2334 +Specifies whether to use SSL/TLS or not.
2335 +There are three allowed values:
2344 +are the aliases for
2349 +are the aliases for
2353 +is specified then StartTLS is used rather than raw LDAP over SSL.
2354 +The default for ldap:// is
2361 +In case of host based configuration the default is
2364 +Specifies if the client should automatically follow referrals returned
2366 +The value can be or
2373 +are the aliases for
2378 +are the aliases for
2380 +The default is yes.
2382 +Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
2383 +The value can be or
2390 +are the aliases for
2395 +are the aliases for
2397 +The default is yes.
2398 +.It Cm TLS_CheckPeer
2399 +Specifies what checks to perform on server certificates in a TLS session,
2401 +can be specified as one of the following keywords:
2418 +are the aliases for
2422 +means that the client will not request or check any server certificate.
2425 +means that the server certificate is requested. If no certificate is provided,
2426 +the session proceeds normally. If a bad certificate is provided, it will
2427 +be ignored and the session proceeds normally.
2430 +means that the server certificate is requested. If no certificate is provided,
2431 +the session proceeds normally. If a bad certificate is provided,
2432 +the session is immediately terminated.
2435 +means that the server certificate is requested. If no
2436 +certificate is provided, or a bad certificate is provided, the session
2437 +is immediately terminated.
2442 +It requires an SSL connection. In the case of the plain conection the
2443 +session is immediately terminated.
2448 +.Cm TLS_CheckPeer .
2449 +.It Cm TLS_CACertFile
2450 +Specifies the file that contains certificates for all of the Certificate
2451 +Authorities the client will recognize.
2452 +There is no default.
2455 +.Cm TLS_CACertFile .
2456 +.It Cm TLS_CACertDIR
2457 +Specifies the path of a directory that contains Certificate Authority
2458 +certificates in separate individual files. The
2460 +is always used before
2461 +.Cm TLS_CACertDir .
2462 +The specified directory must be managed with the OpenSSL c_rehash utility.
2463 +There is no default.
2465 +Specifies acceptable cipher suite and preference order.
2466 +The value should be a cipher specification for OpenSSL,
2468 +.Dq HIGH:MEDIUM:+SSLv2 .
2471 +.It Cm TLS_Cipher_Suite
2475 +Specifies the file that contains the client certificate.
2476 +There is no default.
2477 +.It Cm TLS_Certificate
2481 +Specifies the file that contains the private key that matches the certificate
2484 +file. Currently, the private key must not be protected with a password, so
2485 +it is of critical importance that the key file is protected carefully.
2486 +There is no default.
2487 +.It Cm TLS_RandFile
2488 +Specifies the file to obtain random bits from when /dev/[u]random is
2489 +not available. Generally set to the name of the EGD/PRNGD socket.
2490 +The environment variable RANDFILE can also be used to specify the filename.
2491 +There is no default.
2493 +Specifies the directory used for logging by the LDAP client library.
2494 +There is no default.
2496 +Specifies the debug level used for logging by the LDAP client library.
2497 +There is no default.
2499 +Specifies the user filter applied on the LDAP serch.
2500 +The default is no filter.
2501 +.It Cm AccountClass
2502 +Specifies the LDAP class used to find user accounts.
2503 +The default is posixAccount.
2507 +.It Pa /etc/ssh/ldap.conf
2508 +Ldap configuration file for
2509 +.Xr ssh-ldap-helper 8 .
2513 +.Xr ssh-ldap-helper 8
2517 +OpenSSH 5.5 + PKA-LDAP .
2519 +.An Jan F. Chadima Aq jchadima@redhat.com
2520 diff -up openssh-6.2p1/ssh-ldap-helper.8.ldap openssh-6.2p1/ssh-ldap-helper.8
2521 --- openssh-6.2p1/ssh-ldap-helper.8.ldap 2013-03-25 21:27:15.895248117 +0100
2522 +++ openssh-6.2p1/ssh-ldap-helper.8 2013-03-25 21:27:15.895248117 +0100
2524 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
2526 +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
2528 +.\" Permission to use, copy, modify, and distribute this software for any
2529 +.\" purpose with or without fee is hereby granted, provided that the above
2530 +.\" copyright notice and this permission notice appear in all copies.
2532 +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
2533 +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
2534 +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
2535 +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
2536 +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
2537 +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
2538 +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
2540 +.Dd $Mdocdate: April 29 2010 $
2541 +.Dt SSH-LDAP-HELPER 8
2544 +.Nm ssh-ldap-helper
2545 +.Nd sshd helper program for ldap support
2547 +.Nm ssh-ldap-helper
2555 +to access keys provided by an LDAP.
2557 +is disabled by default and can only be enabled in the
2558 +sshd configuration file
2559 +.Pa /etc/ssh/sshd_config
2561 +.Cm AuthorizedKeysCommand
2563 +.Dq /usr/libexec/ssh-ldap-wrapper .
2566 +is not intended to be invoked by the user, but from
2568 +.Xr ssh-ldap-wrapper .
2570 +The options are as follows:
2573 +Set the debug mode;
2575 +prints all logs to stderr instead of syslog.
2579 +halts if it encounters an unknown item in the ldap.conf file.
2582 +uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
2585 +prints out the user's keys to stdout and exits.
2588 +increases verbosity.
2591 +writes warnings about unknown items in the ldap.conf configuration file.
2595 +.Xr sshd_config 5 ,
2596 +.Xr ssh-ldap.conf 5 ,
2600 +OpenSSH 5.5 + PKA-LDAP .
2602 +.An Jan F. Chadima Aq jchadima@redhat.com
2603 diff -up openssh-6.2p1/ssh-ldap-wrapper.ldap openssh-6.2p1/ssh-ldap-wrapper
2604 --- openssh-6.2p1/ssh-ldap-wrapper.ldap 2013-03-25 21:27:15.896248124 +0100
2605 +++ openssh-6.2p1/ssh-ldap-wrapper 2013-03-25 21:27:15.896248124 +0100
2609 +exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
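Review bot: The wrapper hardcodes `/usr/libexec/openssh/ssh-ldap-helper`, while the Makefile installs the helper at `$(DESTDIR)$(SSH_LDAP_HELPER)` and the ssh-ldap-helper(8) page in this patch names the wrapper as `/usr/libexec/ssh-ldap-wrapper` — three spellings of the install location, and a build with a different `libexecdir` yields a wrapper whose exec presumably fails on every public-key attempt. Because this script is the AuthorizedKeysCommand sshd runs, generate it from a `ssh-ldap-wrapper.in` substituted by configure (`exec @libexecdir@/ssh-ldap-helper -s "$1"`) or have the install rule sed in `$(SSH_LDAP_HELPER)`, so the path cannot drift from the Makefile. The quoting of `"$1"` is correct — the username reaches the helper as a single argv entry — so any LDAP filter escaping of that value is the helper's responsibility, which is not visible here. The shebang and any lines preceding the exec fall outside what this page shows.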