1 diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/Makefile.in openssh-4.0p1-lpk/Makefile.in
2 --- openssh-4.0p1/Makefile.in 2005-02-26 00:12:38.000000000 +0100
3 +++ openssh-4.0p1-lpk/Makefile.in 2005-03-12 00:38:11.000000000 +0100
6 auth2-gss.o gss-serv.o gss-serv-krb5.o \
7 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
9 + audit.o audit-bsm.o ldapauth.o
11 MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
12 MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
13 diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/auth-rsa.c openssh-4.0p1-lpk/auth-rsa.c
14 --- openssh-4.0p1/auth-rsa.c 2004-12-11 03:39:50.000000000 +0100
15 +++ openssh-4.0p1-lpk/auth-rsa.c 2005-03-12 00:34:31.000000000 +0100
20 +#ifdef WITH_LDAP_PUBKEY
25 /* Temporarily use the user's uid. */
26 temporarily_use_uid(pw);
28 +#ifdef WITH_LDAP_PUBKEY
29 + /* here is the job */
30 + key = key_new(KEY_RSA1);
32 + if (options.lpk.on) {
33 + debug("[LDAP] trying LDAP first uid=%s", pw->pw_name);
34 + if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) {
35 + if ( (k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
36 + for (i = 0 ; i < k->num ; i++) {
39 + for (cp = k->keys[i]; *cp == ' ' || *cp == '\t'; cp++)
41 + if (!*cp || *cp == '\n' || *cp == '#')
45 + * Check if there are options for this key, and if so,
46 + * save their starting address and skip the option part
47 + * for now. If there are no options, set the starting
50 + if (*cp < '0' || *cp > '9') {
53 + for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
54 + if (*cp == '\\' && cp[1] == '"')
55 + cp++; /* Skip both */
56 + else if (*cp == '"')
62 + /* Parse the key from the line. */
63 + if (hostfile_read_key(&cp, &bits, key) == 0) {
64 + debug("[LDAP] line %d: non ssh1 key syntax", i);
67 + /* cp now points to the comment part. */
69 + /* Check if the we have found the desired key (identified by its modulus). */
70 + if (BN_cmp(key->rsa->n, client_n) != 0)
73 + /* check the real bits */
74 + if (bits != BN_num_bits(key->rsa->n))
75 + logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: "
76 + "actual %d vs. announced %d.", (unsigned long)i, BN_num_bits(key->rsa->n), bits);
78 + /* We have found the desired key. */
80 + * If our options do not allow this key to be used,
81 + * do not send challenge.
83 + if (!auth_parse_options(pw, options, "[LDAP]", (unsigned long) i))
86 + /* break out, this key is allowed */
89 + /* add the return stuff etc... */
90 + /* Restore the privileged uid. */
93 + /* return key if allowed */
94 + if (allowed && rkey != NULL)
103 + logit("[LDAP] no keys found for '%s'!", pw->pw_name);
106 + logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
110 /* The authorized keys. */
111 file = authorized_keys_file(pw);
112 debug("trying public RSA key file %s", file);
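Review bot: The `else` branch at gutter 106, `logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup)`, treats every non-positive return of `ldap_ismember()` as "not a member", yet `options.lpk.sgroup` defaults to NULL in this patch (ldapauth.h / servconf.c), so if `ldap_ismember()` returns 0 or a negative value for an unset LpkServerGroup or a failed search, a NULL reaches `%s` and an LDAP outage is logged as a group-membership denial. I would keep the return value and split the cases: `rc = ldap_ismember(&options.lpk, pw->pw_name); if (rc < 0) logit("[LDAP] group lookup failed for '%s'", pw->pw_name); else if (rc == 0) logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup ? options.lpk.sgroup : "(unset)");`. The `ldap_key_t` from `ldap_getuserkey()` and the `key` from `key_new(KEY_RSA1)` also have to be released on the no-match path before control falls through to the authorized_keys file; the lines that would do so (gutter 87-102) are not in view, so please confirm `ldap_keys_free()`/`key_free()` run there. `auth_rsa_key_allowed()` starts before this hunk and continues after it.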
113 diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/auth2-pubkey.c openssh-4.0p1-lpk/auth2-pubkey.c
114 --- openssh-4.0p1/auth2-pubkey.c 2004-12-11 03:39:50.000000000 +0100
115 +++ openssh-4.0p1-lpk/auth2-pubkey.c 2005-03-12 00:34:31.000000000 +0100
117 #include "monitor_wrap.h"
120 +#ifdef WITH_LDAP_PUBKEY
121 +#include "ldapauth.h"
125 extern ServerOptions options;
126 extern u_char *session_id2;
127 @@ -176,10 +180,77 @@
131 +#ifdef WITH_LDAP_PUBKEY
136 /* Temporarily use the user's uid. */
137 temporarily_use_uid(pw);
139 +#ifdef WITH_LDAP_PUBKEY
141 + /* allocate a new key type */
142 + found = key_new(key->type);
144 + /* first check if the options is enabled, then try.. */
145 + if (options.lpk.on) {
146 + debug("[LDAP] trying LDAP first uid=%s",pw->pw_name);
147 + if (ldap_ismember(&options.lpk, pw->pw_name) > 0) {
148 + if ((k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
149 + char *cp, *options = NULL;
150 + /* Skip leading whitespace, empty and comment lines. */
151 + for (i = 0 ; i < k->num ; i++) {
152 + for (cp = (char *)k->keys[i]; *cp == ' ' || *cp == '\t'; cp++)
154 + if (!*cp || *cp == '\n' || *cp == '#')
157 + if (key_read(found, &cp) != 1) {
158 + /* no key? check if there are options for this key */
160 + debug2("[LDAP] user_key_allowed: check options: '%s'", cp);
162 + for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
163 + if (*cp == '\\' && cp[1] == '"')
164 + cp++; /* Skip both */
165 + else if (*cp == '"')
168 + /* Skip remaining whitespace. */
169 + for (; *cp == ' ' || *cp == '\t'; cp++)
171 + if (key_read(found, &cp) != 1) {
172 + debug2("[LDAP] user_key_allowed: advance: '%s'", cp);
173 + /* still no key? advance to next line*/
178 + if (key_equal(found, key) &&
179 + auth_parse_options(pw, options, file, linenum) == 1) {
181 + debug("[LDAP] matching key found");
182 + fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
183 + verbose("[LDAP] Found matching %s key: %s", key_type(found), fp);
185 + /* restoring memory */
193 + }/* end of LDAP for() */
195 + logit("[LDAP] no keys found for '%s'!", pw->pw_name);
198 + logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
202 debug("trying public key file %s", file);
204 /* Fail quietly if file does not exist */
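Review bot: `auth_parse_options(pw, options, file, linenum)` at gutter 179 is called for keys fetched from LDAP but is handed `file` and `linenum`, which describe the authorized_keys file that has not been opened yet, so any diagnostic `auth_parse_options()` emits for a bad or denied option on an LDAP key (a `from=` mismatch, for instance) points at the wrong file and line. The auth-rsa.c hunk of this same patch passes `"[LDAP]"` and the entry index; doing the same here keeps the two paths consistent: `auth_parse_options(pw, options, "[LDAP]", (u_long)i) == 1`. The `else` branch at gutter 198 logs `options.lpk.sgroup` with `%s` although that option defaults to NULL in this patch, and it cannot tell a failed group search from a non-member, so an LDAP outage reads as a membership denial. `found` from `key_new(key->type)` and the `ldap_key_t` from `ldap_getuserkey()` need freeing on the no-match path; those lines (gutter 186-192) are not in view. `user_key_allowed2()` begins before this hunk and continues after it.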
205 diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/ldapauth.c openssh-4.0p1-lpk/ldapauth.c
206 --- openssh-4.0p1/ldapauth.c 1970-01-01 01:00:00.000000000 +0100
207 +++ openssh-4.0p1-lpk/ldapauth.c 2005-03-15 23:29:48.000000000 +0100
211 + * Copyright (c) 2005, Eric AUGE <eau@phear.org>
212 + * All rights reserved.
214 + * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
216 + * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
217 + * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
218 + * Neither the name of the phear.org nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
220 + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
221 + * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
222 + * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
223 + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
224 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
225 + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
236 +#include "ldapauth.h"
238 +static char *attrs[] = {
243 +/* just filter building stuff */
244 +#define REQUEST_GROUP_SIZE(grp, uid) (size_t) (strlen(grp)+strlen(uid)+46)
245 +#define REQUEST_GROUP(buffer,pwname,grp) \
246 + buffer = (char *) calloc(REQUEST_GROUP_SIZE(grp, pwname), sizeof(char)); \
248 + perror("calloc()"); \
251 + snprintf(buffer,REQUEST_GROUP_SIZE(grp,pwname),"(&(objectclass=posixGroup)(cn=%s)(memberUid=%s))",grp,pwname)
253 +#define REQUEST_USER_SIZE(uid) (size_t) (strlen(uid)+64)
254 +#define REQUEST_USER(buffer, pwname) \
255 + buffer = (char *) calloc(REQUEST_USER_SIZE(pwname), sizeof(char)); \
257 + perror("calloc()"); \
260 + snprintf(buffer,REQUEST_USER_SIZE(pwname),"(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s))",pwname)
262 +/* some portable and working tokenizer, lame though */
263 +static int tokenize(char ** o, size_t size, char * input) {
264 + unsigned int i = 0, num;
265 + char * charset = " \t";
266 + char * ptr = input;
268 + /* leading white spaces are ignored */
269 + num = strspn(ptr, charset);
272 + while ((num = strcspn(ptr, charset))) {
284 +/* init && bind XXX TLS missing */
285 +int ldap_connect(ldap_opt_t * ldap) {
286 + int version = LDAP_VERSION3;
288 + if (!ldap->servers)
291 + ldap->ld = ldap_init(ldap->servers, LDAP_PORT);
293 + ldap_perror(ldap->ld, "ldap_init()");
297 + if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_OPT_SUCCESS) {
298 + ldap_perror(ldap->ld, "ldap_set_option()");
303 + if (ldap_start_tls_s(ldap->ld, NULL, NULL ) != LDAP_SUCCESS) {
304 + /* failed then reinit the initial connect */
305 + ldap_perror(ldap->ld, "ldap_connect: (TLS) ldap_start_tls()");
307 + ldap->ld = ldap_init(ldap->servers, LDAP_PORT);
309 + ldap_perror(ldap->ld, "ldap_init()");
313 + if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_OPT_SUCCESS) {
314 + ldap_perror(ldap->ld, "ldap_set_option()");
320 + if ( ldap_simple_bind_s(ldap->ld, ldap->binddn, ldap->bindpw) != LDAP_SUCCESS) {
321 + ldap_perror(ldap->ld, "ldap_simple_bind_s()");
328 +/* must free allocated ressource */
329 +static char * ldap_build_host(char *host, int port) {
330 + unsigned int size = strlen(host)+11;
331 + char * h = (char *) calloc (size, sizeof(char));
336 + rc = snprintf(h, size, "%s:%d ", host, port);
342 +/* a bit dirty but leak free */
343 +char * ldap_parse_servers(char * servers) {
345 + char * tmp = NULL, *urls[32];
346 + unsigned int num = 0 , i = 0 , asize = 0;
347 + LDAPURLDesc *urld[32];
352 + /* local copy of the arg */
353 + s = strdup(servers);
357 + /* first separate into URL tokens */
358 + if ( tokenize(urls, sizeof(urls)/sizeof(*urls), s) < 0)
363 + if ( ldap_is_ldap_url(urls[i]) ) {
364 + if (ldap_url_parse(urls[i], &urld[i]) != 0)
373 + /* how much memory do we need */
375 + for (i = 0 ; i < num ; i++)
376 + asize += strlen(urld[i]->lud_host)+11;
379 + s = (char *) calloc( asize+1 , sizeof(char));
381 + for (i = 0 ; i < num ; i++)
382 + ldap_free_urldesc(urld[i]);
386 + /* then build the final host string */
387 + for (i = 0 ; i < num ; i++) {
388 + /* built host part */
389 + tmp = ldap_build_host(urld[i]->lud_host, urld[i]->lud_port);
390 + strncat(s, tmp, strlen(tmp));
391 + ldap_free_urldesc(urld[i]);
398 +void ldap_options_print(ldap_opt_t * ldap) {
399 + printf("ldap options:\n");
400 + printf("servers: %s\n", ldap->servers);
401 + printf("user basedn: %s\n", ldap->u_basedn);
402 + printf("group basedn: %s\n", ldap->g_basedn);
403 + printf("binddn: %s\n", ldap->binddn);
404 + printf("bindpw: %s\n", ldap->bindpw);
405 + printf("group: %s\n", ldap->sgroup);
408 +void ldap_options_free(ldap_opt_t * l) {
427 +void ldap_keys_free(ldap_key_t * k) {
428 + ldap_value_free(k->keys);
433 +ldap_key_t * ldap_getuserkey(ldap_opt_t *l, char * user) {
434 + ldap_key_t * k = (ldap_key_t *) calloc (1, sizeof(ldap_key_t));
435 + LDAPMessage *res, *e;
442 + /* build filter for LDAP request */
443 + REQUEST_USER(filter, user);
445 + if ( ldap_search_s( l->ld,
447 + LDAP_SCOPE_SUBTREE,
449 + attrs, 0, &res ) != LDAP_SUCCESS) {
450 + ldap_perror(l->ld, "ldap_search_s()");
461 + /* check if any results */
462 + i = ldap_count_entries(l->ld,res);
470 + printf("[LDAP] duplicate entries, using the FIRST entry returned\n");
472 + e = ldap_first_entry(l->ld, res);
473 + k->keys = ldap_get_values(l->ld, e, PUBKEYATTR);
474 + k->num = ldap_count_values(k->keys);
482 + 0 if user is NOT member of current server group
483 + 1 if user IS MEMBER of current server group
485 +int ldap_ismember(ldap_opt_t * l, char * user) {
489 + if ((!l->sgroup) || !(l->g_basedn))
492 + /* build filter for LDAP request */
493 + REQUEST_GROUP(filter, user, l->sgroup);
495 + if (ldap_search_s ( l->ld,
497 + LDAP_SCOPE_SUBTREE,
499 + NULL, 0, &res) != LDAP_SUCCESS) {
500 + ldap_perror(l->ld, "ldap_search_s()");
508 + /* check if any results */
509 + if (ldap_count_entries(l->ld, res) > 0) {
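Review bot: `ldap_connect()` downgrades to a cleartext session when `ldap_start_tls_s()` fails (gutter 303-314): it re-runs `ldap_init()` and carries on to `ldap_simple_bind_s()` at gutter 320, so anyone who can interfere with the LDAP connection can strip STARTTLS, read the bind password, and, because `ldap_getuserkey()` trusts whatever `sshPublicKey` values come back, substitute public keys, which turns a network position into an authentication bypass. The fallback should go (or be gated on an explicit option), with a failed STARTTLS failing the connect; in the lines shown `ldap_parse_servers()` also reduces each URL to `host:port` for `ldap_init()`, which drops the `ldaps://` scheme the man page advertises, and `ldap_initialize()` with the URL list would preserve it. `ldap_options_print()` writes `bindpw` to stdout with `printf()` (gutter 404) and appears to be called unconditionally from sshd.c in this patch, so the bind password lands wherever sshd's stdout goes; that field should be left out of the output. The filters built by `REQUEST_USER`/`REQUEST_GROUP` interpolate `pw_name` with no RFC 4515 escaping; `pw_name` comes from the passwd database so the exposure is bounded, but `(`, `)`, `*` and `\` should still be escaped before they reach `ldap_search_s()`.
```c
	/* … unchanged: ldap_init() and LDAP_OPT_PROTOCOL_VERSION … */
	/*
	 * Never fall back to cleartext: a failed STARTTLS would otherwise send
	 * the bind password and fetch the user's public keys unprotected.
	 */
	if (ldap_start_tls_s(ldap->ld, NULL, NULL) != LDAP_SUCCESS) {
		ldap_perror(ldap->ld, "ldap_connect: (TLS) ldap_start_tls()");
		ldap_unbind(ldap->ld);
		ldap->ld = NULL;
		return -1;
	}
	/* … unchanged: ldap_simple_bind_s() … */
```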
517 diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/ldapauth.h openssh-4.0p1-lpk/ldapauth.h
518 --- openssh-4.0p1/ldapauth.h 1970-01-01 01:00:00.000000000 +0100
519 +++ openssh-4.0p1-lpk/ldapauth.h 2005-03-12 00:34:31.000000000 +0100
523 + * Copyright (c) 2005, Eric AUGE <eau@phear.org>
524 + * All rights reserved.
526 + * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
528 + * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
529 + * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
530 + * Neither the name of the phear.org nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
532 + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
533 + * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
534 + * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
535 + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
536 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
537 + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
549 +/* tokens in use for config */
550 +#define _DEFAULT_LPK_TOKEN "UseLPK"
551 +#define _DEFAULT_SRV_TOKEN "LpkServers"
552 +#define _DEFAULT_USR_TOKEN "LpkUserDN"
553 +#define _DEFAULT_GRP_TOKEN "LpkGroupDN"
554 +#define _DEFAULT_BDN_TOKEN "LpkBindDN"
555 +#define _DEFAULT_BPW_TOKEN "LpkBindPw"
556 +#define _DEFAULT_MYG_TOKEN "LpkServerGroup"
558 +/* default options */
559 +#define _DEFAULT_LPK_ON 1
560 +#define _DEFAULT_LPK_SERVERS NULL
561 +#define _DEFAULT_LPK_UDN NULL
562 +#define _DEFAULT_LPK_GDN NULL
563 +#define _DEFAULT_LPK_BINDDN NULL
564 +#define _DEFAULT_LPK_BINDPW NULL
565 +#define _DEFAULT_LPK_SGROUP NULL
570 +#define PUBKEYATTR "sshPublicKey"
573 +typedef struct ldap_options {
574 + int on; /* Use it or NOT */
575 + LDAP * ld; /* LDAP file desc */
576 + char * servers; /* parsed servers for ldaplib failover handling */
577 + char * u_basedn; /* user basedn */
578 + char * g_basedn; /* group basedn */
579 + char * binddn; /* binddn */
580 + char * bindpw; /* bind password */
581 + char * sgroup; /* server group */
584 +typedef struct ldap_keys {
585 + char ** keys; /* the public keys retrieved */
586 + unsigned int num; /* number of keys */
590 +/* function headers */
591 +int ldap_connect(ldap_opt_t *);
592 +char * ldap_parse_servers(char *);
593 +void ldap_options_print(ldap_opt_t *);
594 +void ldap_options_free(ldap_opt_t *);
595 +void ldap_keys_free(ldap_key_t *);
596 +ldap_key_t * ldap_getuserkey(ldap_opt_t *, char *);
597 +int ldap_ismember(ldap_opt_t *, char *);
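Review bot: The configuration macros from `_DEFAULT_LPK_TOKEN` to `_DEFAULT_LPK_SGROUP` (gutter 550-565) use names beginning with an underscore and an uppercase letter, which C reserves for the implementation, so they may collide with system headers; `LPK_TOKEN_USE`, `LPK_DEFAULT_ON` and so on would be safe. `_DEFAULT_LPK_ON 1` also means a build with `WITH_LDAP_PUBKEY` attempts the LDAP lookup on every public-key authentication even when no `LpkServers` is configured; defaulting to 0 and requiring `UseLPK yes`, as is done for KerberosAuthentication, would be the conservative choice. The prototypes at gutter 591-597 drop the parameter names; keeping them (`ldap_key_t *ldap_getuserkey(ldap_opt_t *opts, char *user);`) documents the contract, and the `bindpw` field of `ldap_opt_t` deserves a comment noting that the plaintext bind password stays in memory for the lifetime of the process.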
600 diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/servconf.c openssh-4.0p1-lpk/servconf.c
601 --- openssh-4.0p1/servconf.c 2005-03-01 11:24:33.000000000 +0100
602 +++ openssh-4.0p1-lpk/servconf.c 2005-03-12 00:34:31.000000000 +0100
607 +#ifdef WITH_LDAP_PUBKEY
608 +#include "ldapauth.h"
611 static void add_listen_addr(ServerOptions *, char *, u_short);
612 static void add_one_listen_addr(ServerOptions *, char *, u_short);
615 options->authorized_keys_file = NULL;
616 options->authorized_keys_file2 = NULL;
617 options->num_accept_env = 0;
619 +#ifdef WITH_LDAP_PUBKEY
621 + options->lpk.ld = NULL;
622 + options->lpk.on = -1;
623 + options->lpk.servers = NULL;
624 + options->lpk.u_basedn = NULL;
625 + options->lpk.g_basedn = NULL;
626 + options->lpk.binddn = NULL;
627 + options->lpk.bindpw = NULL;
628 + options->lpk.sgroup = NULL;
630 /* Needs to be accessable in many places */
635 if (options->authorized_keys_file == NULL)
636 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
638 +#ifdef WITH_LDAP_PUBKEY
639 + if (options->lpk.on == -1)
640 + options->lpk.on = _DEFAULT_LPK_ON;
641 + if (options->lpk.servers == NULL)
642 + options->lpk.servers = _DEFAULT_LPK_SERVERS;
643 + if (options->lpk.u_basedn == NULL)
644 + options->lpk.u_basedn = _DEFAULT_LPK_UDN;
645 + if (options->lpk.g_basedn == NULL)
646 + options->lpk.g_basedn = _DEFAULT_LPK_GDN;
647 + if (options->lpk.binddn == NULL)
648 + options->lpk.binddn = _DEFAULT_LPK_BINDDN;
649 + if (options->lpk.bindpw == NULL)
650 + options->lpk.bindpw = _DEFAULT_LPK_BINDPW;
651 + if (options->lpk.sgroup == NULL)
652 + options->lpk.sgroup = _DEFAULT_LPK_SGROUP;
654 /* Turn privilege separation on by default */
655 if (use_privsep == -1)
658 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
659 sUsePrivilegeSeparation,
660 sDeprecated, sUnsupported
661 +#ifdef WITH_LDAP_PUBKEY
662 + ,sLdapPublickey, sLdapServers, sLdapUserDN, sLdapGroupDN, sBindDN, sBindPw, sMyGroup
666 /* Textual representation of the tokens. */
668 { "clientalivecountmax", sClientAliveCountMax },
669 { "authorizedkeysfile", sAuthorizedKeysFile },
670 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
671 +#ifdef WITH_LDAP_PUBKEY
672 + { _DEFAULT_LPK_TOKEN, sLdapPublickey },
673 + { _DEFAULT_SRV_TOKEN, sLdapServers },
674 + { _DEFAULT_USR_TOKEN, sLdapUserDN },
675 + { _DEFAULT_GRP_TOKEN, sLdapGroupDN },
676 + { _DEFAULT_BDN_TOKEN, sBindDN },
677 + { _DEFAULT_BPW_TOKEN, sBindPw },
678 + { _DEFAULT_MYG_TOKEN, sMyGroup },
680 { "useprivilegeseparation", sUsePrivilegeSeparation},
681 { "acceptenv", sAcceptEnv },
687 +#ifdef WITH_LDAP_PUBKEY
688 + case sLdapPublickey:
689 + intptr = &options->lpk.on;
692 + /* arg = strdelim(&cp); */
696 + if (!arg || *arg == '\0')
697 + fatal("%s line %d: missing ldap server",filename,linenum);
698 + arg[strlen(arg)] = '\0';
699 + if ((options->lpk.servers = ldap_parse_servers(arg)) == NULL)
700 + fatal("%s line %d: error in ldap servers", filename, linenum);
701 + memset(arg,0,strlen(arg));
704 + /* arg = strdelim(&cp); */
708 + if (!arg || *arg == '\0')
709 + fatal("%s line %d: missing ldap server",filename,linenum);
710 + arg[strlen(arg)] = '\0';
711 + options->lpk.u_basedn = xstrdup(arg);
712 + memset(arg,0,strlen(arg));
715 + /* arg = strdelim(&cp); */
719 + if (!arg || *arg == '\0')
720 + fatal("%s line %d: missing ldap server",filename,linenum);
721 + arg[strlen(arg)] = '\0';
722 + options->lpk.g_basedn = xstrdup(arg);
723 + memset(arg,0,strlen(arg));
726 + /* arg = strdelim(&cp); */
730 + if (!arg || *arg == '\0')
731 + fatal("%s line %d: missing binddn",filename,linenum);
732 + arg[strlen(arg)] = '\0';
733 + options->lpk.binddn = xstrdup(arg);
734 + memset(arg,0,strlen(arg));
737 + /* arg = strdelim(&cp); */
741 + if (!arg || *arg == '\0')
742 + fatal("%s line %d: missing bindpw",filename,linenum);
743 + arg[strlen(arg)] = '\0';
744 + options->lpk.bindpw = xstrdup(arg);
745 + memset(arg,0,strlen(arg));
751 + if (!arg || *arg == '\0')
752 + fatal("%s line %d: missing groupname",filename, linenum);
753 + arg[strlen(arg)] = '\0';
754 + options->lpk.sgroup = xstrdup(arg);
755 + memset(arg,0,strlen(arg));
760 fatal("%s line %d: Missing handler for opcode %s (%d)",
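Review bot: The `fatal()` calls for `LpkUserDN` and `LpkGroupDN` (gutter 709 and 720) report "missing ldap server", copied from the `LpkServers` case, so an operator who leaves a DN empty is pointed at the wrong keyword; they should read `fatal("%s line %d: missing user dn", filename, linenum);` and `fatal("%s line %d: missing group dn", filename, linenum);`. Each case also executes `arg[strlen(arg)] = '\0';`, which writes a NUL where the terminator already is and can be dropped. Unlike sshd's other string options, which keep the first value seen (`if (options->x == NULL) options->x = xstrdup(arg);`), every Lpk keyword here assigns unconditionally, so a repeated keyword both leaks the earlier `xstrdup()`/`ldap_parse_servers()` result and silently inverts sshd_config's first-value-wins rule. The `memset(arg, 0, strlen(arg))` after `LpkBindPw` is a reasonable attempt to scrub the password from the caller's line buffer, but the `xstrdup()` copy in `options->lpk.bindpw` persists for the life of the process, which is worth a comment there.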
761 diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/servconf.h openssh-4.0p1-lpk/servconf.h
762 --- openssh-4.0p1/servconf.h 2005-01-20 00:57:56.000000000 +0100
763 +++ openssh-4.0p1-lpk/servconf.h 2005-03-12 00:34:31.000000000 +0100
768 +#ifdef WITH_LDAP_PUBKEY
769 +#include "ldapauth.h"
772 #define MAX_PORTS 256 /* Max # ports. */
774 #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */
776 char *authorized_keys_file; /* File containing public keys */
777 char *authorized_keys_file2;
778 int use_pam; /* Enable auth via PAM */
779 +#ifdef WITH_LDAP_PUBKEY
784 void initialize_server_options(ServerOptions *);
785 diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/sshd.c openssh-4.0p1-lpk/sshd.c
786 --- openssh-4.0p1/sshd.c 2005-03-06 12:38:52.000000000 +0100
787 +++ openssh-4.0p1-lpk/sshd.c 2005-03-12 00:37:33.000000000 +0100
789 int deny_severity = LOG_WARNING;
792 +#ifdef WITH_LDAP_PUBKEY
793 +#include "ldapauth.h"
799 @@ -1076,6 +1080,13 @@
803 +#ifdef WITH_LDAP_PUBKEY
804 + ldap_options_print(&options.lpk);
805 + /* XXX initialize/check ldap connection and set *LD */
806 + if (options.lpk.on && ldap_connect(&options.lpk) < 0) {
807 + error("[LDAP] Could not initialize ldap connections");
810 debug("sshd version %.100s", SSH_RELEASE);
812 /* load private host keys */
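Review bot: `ldap_connect(&options.lpk)` at gutter 806 runs once in the listening parent, so the single `LDAP *` stored in `options.lpk.ld` is inherited by every forked per-connection child; concurrent `ldap_search_s()` calls from several children then share one socket and one message-ID sequence, and a connection the server drops is never re-established. Connecting lazily in the child at first use in `auth_rsa_key_allowed()`/`user_key_allowed2()` and leaving `ld` NULL in the parent avoids both problems; the parent can still validate the configuration and close its handle. `ldap_options_print(&options.lpk)` at gutter 804 prints the bind password to stdout on every start; at minimum it should be gated behind `debug_flag` and omit `bindpw`. If the lines after `error("[LDAP] Could not initialize ldap connections")` (gutter 808-809, not in view) neither clear `options.lpk.on` nor exit, sshd continues with `lpk.on` set and a NULL `ld`, which the auth paths will hand to `ldap_search_s()`. `main()` begins before and continues after this hunk.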
813 diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/sshd_config openssh-4.0p1-lpk/sshd_config
814 --- openssh-4.0p1/sshd_config 2005-01-20 00:57:56.000000000 +0100
815 +++ openssh-4.0p1-lpk/sshd_config 2005-03-12 00:34:31.000000000 +0100
820 -#RSAAuthentication yes
821 -#PubkeyAuthentication yes
822 +RSAAuthentication yes
823 +PubkeyAuthentication yes
824 #AuthorizedKeysFile .ssh/authorized_keys
826 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
830 # To disable tunneled clear text passwords, change to no here!
831 -#PasswordAuthentication yes
832 -#PermitEmptyPasswords no
833 +PasswordAuthentication yes
834 +PermitEmptyPasswords no
836 # Change to no to disable s/key passwords
837 -#ChallengeResponseAuthentication yes
838 +ChallengeResponseAuthentication no
841 #KerberosAuthentication no
846 -#UsePrivilegeSeparation yes
847 +UsePrivilegeSeparation no
848 #PermitUserEnvironment no
851 #ClientAliveInterval 0
852 #ClientAliveCountMax 3
856 # no default banner path
859 +# here is the new patched ldap related tokens
860 +# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
862 +LpkServers ldap://127.0.0.4 ldap://127.0.0.3 ldap://127.0.0.1/
863 +LpkUserDN ou=users,dc=phear,dc=org
864 +LpkGroupDN ou=groups,dc=phear,dc=org
865 +#LpkBindDN cn=Manager,dc=phear,dc=org
869 # override default of no subsystems
870 Subsystem sftp /usr/libexec/sftp-server
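Review bot: The sample configuration flips `UsePrivilegeSeparation` from its commented default of `yes` to an explicit `no` (gutter 846-847), which removes the sandboxing of the pre-authentication code for every installation that copies this file, and nothing in the patch explains why LDAP key lookup would need it off; as far as I can tell from the auth-rsa.c/auth2-pubkey.c hunks nothing in the lookup requires it, so the line should stay `#UsePrivilegeSeparation yes`. The same hunk turns `PasswordAuthentication yes` and `RSAAuthentication yes` from commented defaults into active directives and points `LpkServers` at three plain `ldap://` loopback URLs (gutter 862), so a copied file enables password login and unencrypted LDAP out of the box. Since `LpkBindPw` is read from this file and sshd_config is typically installed world-readable, the commented `LpkBindDN` example (gutter 865) should carry a note that the file must be mode 0600 whenever a bind password is set.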
871 diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/sshd_config.5 openssh-4.0p1-lpk/sshd_config.5
872 --- openssh-4.0p1/sshd_config.5 2005-03-01 11:24:34.000000000 +0100
873 +++ openssh-4.0p1-lpk/sshd_config.5 2005-03-12 00:34:31.000000000 +0100
877 .Pa /usr/X11R6/bin/xauth .
879 +Enable LDAP public key resolution. The argument must be
884 +Specifies LDAP one or more [:space:] separated server's url the following form may be used:
886 +.Bl -item -offset indent -compact
890 +.Ar LpkServers ldaps://127.0.0.1 ldap://127.0.0.2 ldap://127.0.0.3
892 +.It Cm LpkUserDN/LpkGroupDN
894 +.Ar LpkUserDN ou=groups,dc=phear,dc=org
899 +Specifies a LDAP bind DN to use when doing ldap lookups.
901 +Specifies a LDAP bind Password associated to the previous token.
902 +.It Cm LpkServerGroup
903 +Specifies the group is the host is part of.