[packages/openssh.git] / openssh-lpk-4.3p1-0.3.7.patch

diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.3p1/Makefile.in openssh-4.3p1-lpk/Makefile.in
--- openssh-4.3p1/Makefile.in	2006-01-01 09:47:05.000000000 +0100
+++ openssh-4.3p1-lpk/Makefile.in	2006-04-18 15:46:59.000000000 +0200
@@ -86,7 +86,7 @@
 	auth-krb5.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-	audit.o audit-bsm.o
+	audit.o audit-bsm.o ldapauth.o
 
 MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.3p1/README.lpk openssh-4.3p1-lpk/README.lpk
--- openssh-4.3p1/README.lpk	1970-01-01 01:00:00.000000000 +0100
+++ openssh-4.3p1-lpk/README.lpk	2006-04-18 15:46:59.000000000 +0200
@@ -0,0 +1,265 @@
+OpenSSH LDAP PUBLIC KEY PATCH 
+Copyright (c) 2003 Eric AUGE (eau@phear.org)
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. The name of the author may not be used to endorse or promote products
+   derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+purposes of this patch:
+
+This patch would help to have authentication centralization policy
+using ssh public key authentication.
+This patch could be an alternative to other "secure" authentication system
+working in a similar way (Kerberos, SecurID, etc...), except the fact 
+that it's based on OpenSSH and its public key abilities.
+
+>> FYI: <<
+'uid': means unix accounts existing on the current server
+'lpkServerGroup:' mean server group configured on the current server ('lpkServerGroup' in sshd_config)
+
+example schema:
+
+
+                                  server1 (uid: eau,rival,toto) (lpkServerGroup: unix)
+                ___________      /
+               /           \ --- - server3 (uid: eau, titi) (lpkServerGroup: unix)
+              | LDAP Server |    \
+	      | eau  ,rival |     server2 (uid: rival, eau) (lpkServerGroup: unix)
+	      | titi ,toto  |
+	      | userx,....  |         server5 (uid: eau)  (lpkServerGroup: mail)
+               \___________/ \       /
+	                       ----- - server4 (uid: eau, rival)  (no group configured)
+			             \
+				        etc...
+
+- WHAT WE NEED :
+
+  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
+  * patched sshd (with this patch ;)
+  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
+        User entry:
+	- attached to the 'ldapPublicKey' objectclass
+	- attached to the 'posixAccount' objectclass
+	- with a filled 'sshPublicKey' attribute 
+	Example:
+		dn: uid=eau,ou=users,dc=cuckoos,dc=net
+		objectclass: top
+		objectclass: person
+		objectclass: organizationalPerson
+		objectclass: posixAccount
+		objectclass: ldapPublicKey
+		description: Eric AUGE Account
+		userPassword: blah
+		cn: Eric AUGE
+		sn: Eric AUGE
+		uid: eau
+		uidNumber: 1034
+		gidNumber: 1
+		homeDirectory: /export/home/eau
+		sshPublicKey: ssh-dss AAAAB3...
+		sshPublicKey: ssh-dss AAAAM5...
+
+	Group entry:
+	- attached to the 'posixGroup' objectclass
+	- with a 'cn' groupname attribute
+	- with multiple 'memberUid' attributes filled with usernames allowed in this group
+	Example:
+		# few members
+		dn: cn=unix,ou=groups,dc=cuckoos,dc=net
+		objectclass: top
+		objectclass: posixGroup
+		description: Unix based servers group
+		cn: unix
+		gidNumber: 1002
+		memberUid: eau
+		memberUid: user1
+		memberUid: user2
+
+
+- HOW IT WORKS :
+
+  * without patch
+  If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
+  and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
+
+  * with the patch
+  If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
+  It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
+  (usually in $HOME/.ssh/authorized_keys)
+
+  If groups are enabled, it will also check if the user that wants to login is in the group of the server he is trying to log into.
+  If it fails, it falls back on RSA auth files ($HOME/.ssh/authorized_keys), etc.. and finally to standard password authentication (if enabled).
+
+  7 tokens are added to sshd_config :
+  # here is the new patched ldap related tokens
+  # entries in your LDAP must be posixAccount & strongAuthenticationUser & posixGroup
+  UseLPK yes								# look the pub key into LDAP
+  LpkServers ldap://10.31.32.5/ ldap://10.31.32.4 ldap://10.31.32.3	# which LDAP server for users ? (URL format)
+  LpkUserDN  ou=users,dc=foobar,dc=net					# which base DN for users ?
+  LpkGroupDN ou=groups,dc=foobar,dc=net					# which base DN for groups ? 
+  LpkBindDN cn=manager,dc=foobar,dc=net					# which bind DN ?
+  LpkBindPw asecret							# bind DN credidentials
+  LpkServerGroup agroupname						# the group the server is part of
+
Commit	Line	Data
48dfc510	1	diff -Nru -x Makefile -x 'buildpkg.' -x opensshd.init -x 'ssh_prng_' openssh-4.3p1/Makefile.in openssh-4.3p1-lpk/Makefile.in
	2	--- openssh-4.3p1/Makefile.in 2006-01-01 09:47:05.000000000 +0100
	3	+++ openssh-4.3p1-lpk/Makefile.in 2006-04-18 15:46:59.000000000 +0200
	4	@@ -86,7 +86,7 @@
	5	auth-krb5.o \
	6	auth2-gss.o gss-serv.o gss-serv-krb5.o \
	7	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
	8	- audit.o audit-bsm.o
	9	+ audit.o audit-bsm.o ldapauth.o
	10
	11	MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
	12	MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
	13	diff -Nru -x Makefile -x 'buildpkg.' -x opensshd.init -x 'ssh_prng_' openssh-4.3p1/README.lpk openssh-4.3p1-lpk/README.lpk
	14	--- openssh-4.3p1/README.lpk 1970-01-01 01:00:00.000000000 +0100
	15	+++ openssh-4.3p1-lpk/README.lpk 2006-04-18 15:46:59.000000000 +0200
	16	@@ -0,0 +1,265 @@
	17	+OpenSSH LDAP PUBLIC KEY PATCH
	18	+Copyright (c) 2003 Eric AUGE (eau@phear.org)
	19	+All rights reserved.
	20	+
	21	+Redistribution and use in source and binary forms, with or without
	22	+modification, are permitted provided that the following conditions
	23	+are met:
	24	+1. Redistributions of source code must retain the above copyright
	25	+ notice, this list of conditions and the following disclaimer.
	26	+2. Redistributions in binary form must reproduce the above copyright
	27	+ notice, this list of conditions and the following disclaimer in the
	28	+ documentation and/or other materials provided with the distribution.
	29	+3. The name of the author may not be used to endorse or promote products
	30	+ derived from this software without specific prior written permission.
	31	+
	32	+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	33	+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	34	+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	35	+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	36	+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	37	+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	38	+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	39	+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	40	+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	41	+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	42	+
	43	+purposes of this patch:
	44	+
	45	+This patch would help to have authentication centralization policy
	46	+using ssh public key authentication.
	47	+This patch could be an alternative to other "secure" authentication system
	48	+working in a similar way (Kerberos, SecurID, etc...), except the fact
	49	+that it's based on OpenSSH and its public key abilities.
	50	+
	51	+>> FYI: <<
	52	+'uid': means unix accounts existing on the current server
	53	+'lpkServerGroup:' mean server group configured on the current server ('lpkServerGroup' in sshd_config)
	54	+
	55	+example schema:
	56	+
	57	+
	58	+ server1 (uid: eau,rival,toto) (lpkServerGroup: unix)
	59	+ ___________ /
	60	+ / \ --- - server3 (uid: eau, titi) (lpkServerGroup: unix)
	61	+ \| LDAP Server \| \
	62	+ \| eau ,rival \| server2 (uid: rival, eau) (lpkServerGroup: unix)
	63	+ \| titi ,toto \|
	64	+ \| userx,.... \| server5 (uid: eau) (lpkServerGroup: mail)
65	+ \___________/ \ /
66	+ ----- - server4 (uid: eau, rival) (no group configured)
67	+ \
68	+ etc...
69	+
70	+- WHAT WE NEED :
71	+
72	+ * configured LDAP server somewhere on the network (i.e. OpenLDAP)
73	+ * patched sshd (with this patch ;)
74	+ * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
75	+ User entry:
76	+ - attached to the 'ldapPublicKey' objectclass
77	+ - attached to the 'posixAccount' objectclass
78	+ - with a filled 'sshPublicKey' attribute
79	+ Example:
80	+ dn: uid=eau,ou=users,dc=cuckoos,dc=net
81	+ objectclass: top
82	+ objectclass: person
83	+ objectclass: organizationalPerson
84	+ objectclass: posixAccount
85	+ objectclass: ldapPublicKey
86	+ description: Eric AUGE Account
87	+ userPassword: blah
88	+ cn: Eric AUGE
89	+ sn: Eric AUGE
90	+ uid: eau
91	+ uidNumber: 1034
92	+ gidNumber: 1
93	+ homeDirectory: /export/home/eau
94	+ sshPublicKey: ssh-dss AAAAB3...
95	+ sshPublicKey: ssh-dss AAAAM5...
96	+
97	+ Group entry:
98	+ - attached to the 'posixGroup' objectclass
99	+ - with a 'cn' groupname attribute
100	+ - with multiple 'memberUid' attributes filled with usernames allowed in this group
101	+ Example:
102	+ # few members
103	+ dn: cn=unix,ou=groups,dc=cuckoos,dc=net
104	+ objectclass: top
105	+ objectclass: posixGroup
106	+ description: Unix based servers group
107	+ cn: unix
108	+ gidNumber: 1002
109	+ memberUid: eau
110	+ memberUid: user1
111	+ memberUid: user2
112	+
113	+
114	+- HOW IT WORKS :
115	+
116	+ * without patch
117	+ If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
118	+ and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
119	+
120	+ * with the patch
121	+ If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
122	+ It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem.
123	+ (usually in $HOME/.ssh/authorized_keys)
124	+
125	+ If groups are enabled, it will also check if the user that wants to login is in the group of the server he is trying to log into.
126	+ If it fails, it falls back on RSA auth files ($HOME/.ssh/authorized_keys), etc.. and finally to standard password authentication (if enabled).
127	+
128	+ 7 tokens are added to sshd_config :
129	+ # here is the new patched ldap related tokens
130	+ # entries in your LDAP must be posixAccount & strongAuthenticationUser & posixGroup
131	+ UseLPK yes # look the pub key into LDAP
132	+ LpkServers ldap://10.31.32.5/ ldap://10.31.32.4 ldap://10.31.32.3 # which LDAP server for users ? (URL format)
133	+ LpkUserDN ou=users,dc=foobar,dc=net # which base DN for users ?
134	+ LpkGroupDN ou=groups,dc=foobar,dc=net # which base DN for groups ?
135	+ LpkBindDN cn=manager,dc=foobar,dc=net # which bind DN ?
136	+ LpkBindPw asecret # bind DN credidentials
137	+ LpkServerGroup agroupname # the group the server is part of
138	+
139