1 diff -urNp -x '*.orig' openssh-8.4p1.org/HOWTO.ldap-keys openssh-8.4p1/HOWTO.ldap-keys
2 --- openssh-8.4p1.org/HOWTO.ldap-keys 1970-01-01 01:00:00.000000000 +0100
3 +++ openssh-8.4p1/HOWTO.ldap-keys 2021-03-01 11:29:31.277623165 +0100
8 +1) configure LDAP server
9 + * Use LDAP server documentation
10 +2) add appropriate LDAP schema
11 + * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it.
14 + - attached to the 'ldapPublicKey' objectclass
15 + - attached to the 'posixAccount' objectclass
16 + - with a filled 'sshPublicKey' attribute
17 +3) insert users into LDAP
18 + * Use LDAP Tree management tool as useful
19 + * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
21 + dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
24 + objectclass: organizationalPerson
25 + objectclass: posixAccount
26 + objectclass: ldapPublicKey
27 + description: Jonathan Archer
28 + userPassword: Porthos
34 + homeDirectory: /home/captain
35 + sshPublicKey: ssh-rss AAAAB3.... =captain@universe
36 + sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
37 +4) on the ssh side set in sshd_config
38 + * Set up the backend
39 + AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
40 + AuthorizedKeysCommandUser <appropriate user to run LDAP>
41 + * Do not forget to set
42 + PubkeyAuthentication yes
43 + * Swith off unnecessary auth methods
44 +5) confugure ldap.conf
45 + * Default ldap.conf is placed in /etc/ssh
46 + * The configuration style is the same as other ldap based aplications
47 +6) if necessary edit ssh-ldap-wrapper
48 + * There is a possibility to change ldap.conf location
49 + * There are some debug options
51 + /usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
53 +HOW TO MIGRATE FROM LPK
55 +1) goto HOW TO START 4) .... the ldap schema is the same
57 +2) convert the group requests to the appropriate LDAP requests
59 +HOW TO SOLVE PROBLEMS
62 + * /usr/sbin/sshd -d -d -d -d
63 +2) use debug in ssh-ldap-helper
64 + * ssh-ldap-helper -d -d -d -d -s <username>
65 +3) use tcpdump ... other ldap client etc.
69 +1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
73 +1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
74 + allows write to users dn, somebody could replace some user's public key by his own and impersonate some
75 + of your users in all your server farm -- be VERY CAREFUL.
76 +2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
77 + as the impersonated user.
78 +3) If LDAP server is down there may be no fallback on passwd auth.
83 + * Possibility to reuse the ssh-ldap-helper.
84 + * Tune the LDAP part to accept all possible LDAP configurations.
86 +2) differences from original lpk
87 + * No LDAP code in sshd.
88 + * Support for various LDAP platforms and configurations.
89 + * LDAP is configured in separate ldap.conf file.
92 + * http://pacsec.jp/core05/psj05-barisani-en.pdf
93 + * http://fritz.potsdam.edu/projects/openssh-lpk/
94 + * http://fritz.potsdam.edu/projects/sshgate/
95 + * http://dev.inversepath.com/trac/openssh-lpk
96 + * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
98 +4) contributors/ideas/greets
99 + - Eric AUGE <eau@phear.org>
100 + - Andrea Barisani <andrea@inversepath.com>
101 + - Falk Siemonsmeier.
103 + - Michael Durchgraf.
107 + - Robin H. Johnson.
111 + Jan F. Chadima <jchadima@redhat.com>
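Review bot: the sample LDIF entry under HOW TO START 3) gives both sshPublicKey values the key type `ssh-rss`, which is not an OpenSSH key type; sshd cannot parse such a line and skips it, so the example should read `ssh-rsa AAAAB3...`. The second sample, `command="kill -9 1" ssh-rss AAAAM5...`, is a bad thing to show in documentation that gets copied; a harmless forced command such as `command="/usr/bin/id"` demonstrates the option just as well. The debug invocation under 6), `/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt`, names the libexec directory instead of the helper (`/usr/libexec/openssh/ssh-ldap-helper`), points at `/etc/ldap.conf` although 5) says the default lives in /etc/ssh, and appends to a predictable path in /tmp. Given that the security section of this same file warns about MITM on the key lookup, step 5) should state outright that `tls_checkpeer yes` together with a CA file is required rather than leaving it to "the same style as other ldap based applications". Spelling: `additionnal`, `Swith`, `confugure`, `aplications`.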
113 diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in
114 --- openssh-8.4p1.org/Makefile.in 2020-09-27 09:25:01.000000000 +0200
115 +++ openssh-8.4p1/Makefile.in 2021-03-01 11:29:31.280956671 +0100
116 @@ -23,6 +23,8 @@ SSH_PROGRAM=@bindir@/ssh
117 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
118 SFTP_SERVER=$(libexecdir)/sftp-server
119 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
120 +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
121 +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
122 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
123 SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
124 PRIVSEP_PATH=@PRIVSEP_PATH@
125 @@ -63,10 +65,11 @@ LDFLAGS_NOPIE=-L. -Lopenbsd-compat/ @LDF
129 +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
133 -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
134 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
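Review bot: `ssh-ldap-helper$(EXEEXT)` is appended to TARGETS unconditionally while installation is gated on `INSTALL_SSH_LDAP_HELPER`, so a plain `./configure` without `--with-ldap` still tries to build the helper, and ldap-helper.c/ldapbody.c call the libldap API directly; on a host without the LDAP headers and libraries the build fails even though LDAP support was never requested. Add the helper to TARGETS through a variable substituted by configure.ac next to INSTALL_SSH_LDAP_HELPER (for example `@LDAP_TARGETS@`), or guard it the same way the install rule is guarded.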
138 @@ -150,8 +153,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve
140 SFTP_OBJS= sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
142 -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
143 -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
144 +MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
145 +MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
148 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
149 @@ -230,6 +233,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
150 ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
151 $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
153 +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
154 + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
156 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
157 $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
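Review bot: the link line for `ssh-ldap-helper$(EXEEXT)` hardcodes `-lfipscheck`, and nothing in the configure.ac hunk of this patch checks for libfipscheck or adds it to LIBS; on any system without that (Red Hat specific) library the link fails even after `--with-ldap`. Either drop it, since none of the helper sources shown here call a fipscheck function, or detect it in configure.ac with AC_CHECK_LIB and substitute a variable. The other helpers keep their objects in a `*_OBJS` variable; doing the same (`LDAPHELPER_OBJS=ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o`) would stop the dependency list and the link line from drifting apart.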
159 @@ -395,6 +401,10 @@ install-files:
160 $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
161 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
162 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
163 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
164 + $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
165 + $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
167 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
168 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
169 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
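Review bot: `ssh-ldap-helper` and `ssh-ldap-wrapper` are installed with mode 0700, yet the HOWTO in this same patch tells administrators to run them via `AuthorizedKeysCommandUser <appropriate user to run LDAP>`; a root-owned 0700 binary is not executable by that unprivileged user, so every key lookup fails until someone loosens the mode by hand. Install them 0755 like ssh-pkcs11-helper and ssh-sk-helper directly above; sshd only requires an AuthorizedKeysCommand to be root-owned and not group- or world-writable. These two lines also omit `$(EXEEXT)` on the destination while the matching `uninstall` lines later in the patch remove `$(SSH_LDAP_HELPER)$(EXEEXT)` and `$(SSH_LDAP_WRAPPER)$(EXEEXT)`; keep the two consistent.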
170 @@ -412,6 +422,10 @@ install-files:
171 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
172 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
173 $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
174 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
175 + $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
176 + $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
180 $(MKDIR_P) $(DESTDIR)$(sysconfdir)
181 @@ -435,6 +449,13 @@ install-sysconf:
183 echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
185 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
186 + if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
187 + $(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
189 + echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
193 host-key: ssh-keygen$(EXEEXT)
194 @if [ -z "$(DESTDIR)" ] ; then \
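Review bot: the example `ldap.conf` is installed 0644 into `$(sysconfdir)`, and that file is where `binddn`/`bindpw` go; once an administrator fills in a bind password, every local user can read it. Install it 0600, or 0640 root-owned and group-readable by the AuthorizedKeysCommandUser, and say so in the HOWTO. Naming it `$(sysconfdir)/ldap.conf` (/etc/ssh/ldap.conf) also invites confusion with the libldap `/etc/openldap/ldap.conf` that the example file itself refers to for TLS_REQCERT; the man page installed by this patch is ssh-ldap.conf(5), so `ssh-ldap.conf` would be the consistent name.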
195 @@ -473,6 +494,8 @@ uninstall:
196 -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
197 -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
198 -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
199 + -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
200 + -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
201 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
202 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
203 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
204 @@ -485,6 +508,7 @@ uninstall:
205 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
206 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
207 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
208 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
211 $(MKDIR_P) `pwd`/regress/unittests/test_helper
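Review bot: `uninstall` removes ssh-ldap-helper.8 but not `$(mandir)/$(mansubdir)5/ssh-ldap.conf.5`, which the `install-files` hunk at @@ -412 installs; add the matching `-rm -f` line so `make uninstall` leaves nothing behind.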
212 diff -urNp -x '*.orig' openssh-8.4p1.org/configure.ac openssh-8.4p1/configure.ac
213 --- openssh-8.4p1.org/configure.ac 2021-03-01 11:29:31.004275724 +0100
214 +++ openssh-8.4p1/configure.ac 2021-03-01 11:29:31.277623165 +0100
215 @@ -1763,6 +1763,106 @@ AC_COMPILE_IFELSE(
216 CFLAGS="$SAVED_CFLAGS"
219 +# Check whether user wants LDAP support
221 +INSTALL_SSH_LDAP_HELPER=""
223 + [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in PATH)],
225 + if test "x$withval" != "xno" ; then
227 + INSTALL_SSH_LDAP_HELPER="yes"
228 + CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
230 + if test "x$withval" != "xyes" ; then
231 + CPPFLAGS="$CPPFLAGS -I${withval}/include"
232 + LDFLAGS="$LDFLAGS -L${withval}/lib"
235 + AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
238 + AC_CHECK_HEADERS(lber.h)
239 + AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
240 + AC_CHECK_HEADERS(ldap_ssl.h)
242 + AC_ARG_WITH(ldap-lib,
243 + [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
245 + if test -z "$with_ldap_lib"; then
249 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
250 + AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
251 + AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
254 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
255 + AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
258 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
259 + AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
260 + if test -z "$found_ldap_lib"; then
261 + AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
263 + if test -z "$found_ldap_lib"; then
264 + AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
266 + if test -z "$found_ldap_lib"; then
267 + AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
271 + if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
272 + AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
275 + if test -z "$found_ldap_lib"; then
276 + AC_MSG_ERROR(could not locate a valid LDAP library)
279 + AC_MSG_CHECKING([for working LDAP support])
281 + [#include <sys/types.h>
282 + #include <ldap.h>],
283 + [(void)ldap_init(0, 0);],
284 + [AC_MSG_RESULT(yes)],
287 + AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
293 + ldap_parse_result \
295 + ldap_controls_free \
300 + ldap_pvt_tls_set_option \
303 + AC_CHECK_FUNCS(ldap_set_rebind_proc,
304 + AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
307 + #include <ldap.h>],
308 + [ldap_set_rebind_proc(0, 0, 0);],
309 + [ac_cv_ldap_set_rebind_proc=3],
310 + [ac_cv_ldap_set_rebind_proc=2])
311 + AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
312 + AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
317 +AC_SUBST(INSTALL_SSH_LDAP_HELPER)
319 dnl Checks for library functions. Please keep in alphabetical order
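Review bot: the library probes use `AC_CHECK_LIB(lber, main, ...)`, `AC_CHECK_LIB(ldap, main, ...)` and so on; probing for `main` only proves that the library links and current autoconf warns about it, so test a real symbol (`ldap_init` or `ldap_initialize` for libldap, `ber_free` for liblber). More important, `CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"` re-enables the deprecated OpenLDAP API globally so that ldapbody.c can keep calling `ldap_simple_bind`, `ldap_init`, `ldap_open` and `ldap_get_lderrno`; the replacements (`ldap_initialize`, `ldap_sasl_bind`/`ldap_sasl_bind_s` with `LDAP_SASL_SIMPLE`, `ldap_get_option` with `LDAP_OPT_RESULT_CODE`) are partly probed for already in this hunk (`ldap_initialize`), so the legacy fallbacks could be dropped instead. `$with_ldap_lib` is used unquoted in `test $with_ldap_lib = auto`; quote it so the test cannot break if it is ever empty. Finally, the Makefile hunk links `-lfipscheck`, but no check for that library exists here.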
322 diff -urNp -x '*.orig' openssh-8.4p1.org/ldap-helper.c openssh-8.4p1/ldap-helper.c
323 --- openssh-8.4p1.org/ldap-helper.c 1970-01-01 01:00:00.000000000 +0100
324 +++ openssh-8.4p1/ldap-helper.c 2021-03-01 11:29:31.280956671 +0100
326 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
328 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
330 + * Redistribution and use in source and binary forms, with or without
331 + * modification, are permitted provided that the following conditions
333 + * 1. Redistributions of source code must retain the above copyright
334 + * notice, this list of conditions and the following disclaimer.
335 + * 2. Redistributions in binary form must reproduce the above copyright
336 + * notice, this list of conditions and the following disclaimer in the
337 + * documentation and/or other materials provided with the distribution.
339 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
340 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
341 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
342 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
343 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
344 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
345 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
346 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
347 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
348 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
351 +#include "ldapincludes.h"
354 +#include "xmalloc.h"
355 +#include "ldapconf.h"
356 +#include "ldapbody.h"
360 +static int config_debug = 0;
361 +int config_exclusive_config_file = 0;
362 +static char *config_file_name = "/etc/ssh/ldap.conf";
363 +static char *config_single_user = NULL;
364 +static int config_verbose = SYSLOG_LEVEL_VERBOSE;
365 +int config_warning_config_file = 0;
366 +extern char *__progname;
371 + fprintf(stderr, "usage: %s [options]\n",
373 + fprintf(stderr, "Options:\n");
374 + fprintf(stderr, " -d Output the log messages to stderr.\n");
375 + fprintf(stderr, " -e Check the config file for unknown commands.\n");
376 + fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n");
377 + fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n");
378 + fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n");
379 + fprintf(stderr, " -w Warn on unknown commands in the config file.\n");
384 + * Main program for the ssh pka ldap agent.
388 +main(int ac, char **av)
391 + FILE *outfile = NULL;
393 + __progname = ssh_get_progname(av[0]);
395 + log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
398 + * Initialize option structure to indicate that no values have been
401 + initialize_options();
403 + /* Parse command-line arguments. */
404 + while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
411 + config_exclusive_config_file = 1;
412 + config_warning_config_file = 1;
416 + config_file_name = optarg;
420 + config_single_user = optarg;
421 + outfile = fdopen (dup (fileno (stdout)), "w");
426 + if (config_verbose < SYSLOG_LEVEL_DEBUG3)
431 + config_warning_config_file = 1;
441 + /* Initialize loging */
442 + log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
445 + fatal ("illegal extra parameter %s", av[1]);
447 + /* Ensure that fds 0 and 2 are open or directed to /dev/null */
448 + if (config_debug == 0)
451 + /* Read config file */
452 + read_config_file(config_file_name);
453 + fill_default_options();
454 + if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
455 + debug3 ("=== Configuration ===");
457 + debug3 ("=== *** ===");
460 + ldap_checkconfig();
463 + if (config_single_user) {
464 + process_user (config_single_user, outfile);
467 + fatal ("Not yet implemented");
469 + * open unix socket a run the loop on it
478 +void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
479 +void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
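Review bot: daemon mode is a stub: without `-s user`, `main` reads and checks the configuration and then hits `fatal ("Not yet implemented")`, yet the usage text describes `-s` only as "Do not demonize" (typo for daemonize), which implies a working daemon mode. Either say that `-s` is currently required or fail with the usage text before the config file is parsed. In the `-s` branch, `outfile = fdopen (dup (fileno (stdout)), "w")` is unchecked; both `dup` and `fdopen` can fail (fd exhaustion when sshd spawns many helpers, for instance), and `process_user` would then write through a NULL FILE. The two definitions at the end, `buffer_get_string` returning NULL and an empty `buffer_put_string`, are evidently there to satisfy unresolved symbols from libssh.a; if any linked object actually calls them it silently gets a NULL buffer, so they should at least `fatal()` and carry a comment saying why they exist. The id tag at the top still names `ssh-pka-ldap.c`, the old name of this file.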
481 diff -urNp -x '*.orig' openssh-8.4p1.org/ldap-helper.h openssh-8.4p1/ldap-helper.h
482 --- openssh-8.4p1.org/ldap-helper.h 1970-01-01 01:00:00.000000000 +0100
483 +++ openssh-8.4p1/ldap-helper.h 2021-03-01 11:29:31.280956671 +0100
485 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
487 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
489 + * Redistribution and use in source and binary forms, with or without
490 + * modification, are permitted provided that the following conditions
492 + * 1. Redistributions of source code must retain the above copyright
493 + * notice, this list of conditions and the following disclaimer.
494 + * 2. Redistributions in binary form must reproduce the above copyright
495 + * notice, this list of conditions and the following disclaimer in the
496 + * documentation and/or other materials provided with the distribution.
498 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
499 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
500 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
501 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
502 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
503 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
504 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
505 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
506 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
507 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
510 +#ifndef LDAP_HELPER_H
511 +#define LDAP_HELPER_H
513 +extern int config_exclusive_config_file;
514 +extern int config_warning_config_file;
516 +#endif /* LDAP_HELPER_H */
517 diff -urNp -x '*.orig' openssh-8.4p1.org/ldap.conf openssh-8.4p1/ldap.conf
518 --- openssh-8.4p1.org/ldap.conf 1970-01-01 01:00:00.000000000 +0100
519 +++ openssh-8.4p1/ldap.conf 2021-03-01 11:29:31.280956671 +0100
521 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
523 +# This is the example configuration file for the OpenSSH
526 +# see ssh-ldap.conf(5)
529 +# URI with your LDAP server name. This allows to use
530 +# Unix Domain Sockets to connect to a local LDAP Server.
531 +#uri ldap://127.0.0.1/
532 +#uri ldaps://127.0.0.1/
533 +#uri ldapi://%2fvar%2frun%2fldapi_sock/
534 +# Note: %2f encodes the '/' used as directory separator
536 +# Another way to specify your LDAP server is to provide an
537 +# host name and the port of our LDAP server. Host name
538 +# must be resolvable without using LDAP.
539 +# Multiple hosts may be specified, each separated by a
540 +# space. How long nss_ldap takes to failover depends on
541 +# whether your LDAP client library supports configurable
542 +# network or connect timeouts (see bind_timelimit).
546 +# Optional: default is 389.
549 +# The distinguished name to bind to the server with.
550 +# Optional: default is to bind anonymously.
551 +#binddn cn=openssh_keys,dc=example,dc=org
553 +# The credentials to bind with.
554 +# Optional: default is no credential.
557 +# The distinguished name of the search base.
558 +#base dc=example,dc=org
560 +# The LDAP version to use (defaults to 3
561 +# if supported by client library)
572 +# Bind/connect timelimit
575 +# Reconnect policy: hard (default) will retry connecting to
576 +# the software with exponential backoff, soft will fail
580 +# SSL setup, may be implied by URI also.
585 +# OpenLDAP SSL options
586 +# Require and verify server certificate (yes/no)
587 +# Default is to use libldap's default behavior, which can be configured in
588 +# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
589 +# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
592 +# CA certificates for server certificate verification
593 +# At least one of these are required if tls_checkpeer is "yes"
594 +#tls_cacertfile /etc/ssl/ca.cert
595 +#tls_cacertdir /etc/pki/tls/certs
597 +# Seed the PRNG if /dev/urandom is not provided
598 +#tls_randfile /var/run/egd-pool
601 +# See man ciphers for syntax
604 +# Client certificate and key
605 +# Use these, if your server requires client authentication.
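Review bot: the example leaves `tls_checkpeer` to "libldap's default behavior" and even documents that OpenLDAP 2.0 defaulted it to "no". For a file whose whole purpose is to fetch the keys sshd will trust, ship `tls_checkpeer yes` uncommented with a `tls_cacertfile` line the administrator has to fill in; the HOWTO's security section in this same patch warns about exactly this MITM. The failover paragraph still says "How long nss_ldap takes to failover", copied from nss_ldap's ldap.conf; this file is read by ssh-ldap-helper, so reword it. `tls_randfile /var/run/egd-pool` describes an EGD setup no current TLS library needs and can go. The `$Id: openssh-5.5p1-ldap.patch ...` line is stale for an 8.4p1 patch. And since `bindpw` goes in this file, its comment should say the file must not be world-readable (the Makefile installs it 0644).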
609 diff -urNp -x '*.orig' openssh-8.4p1.org/ldapbody.c openssh-8.4p1/ldapbody.c
610 --- openssh-8.4p1.org/ldapbody.c 1970-01-01 01:00:00.000000000 +0100
611 +++ openssh-8.4p1/ldapbody.c 2021-03-01 11:29:31.280956671 +0100
613 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
615 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
617 + * Redistribution and use in source and binary forms, with or without
618 + * modification, are permitted provided that the following conditions
620 + * 1. Redistributions of source code must retain the above copyright
621 + * notice, this list of conditions and the following disclaimer.
622 + * 2. Redistributions in binary form must reproduce the above copyright
623 + * notice, this list of conditions and the following disclaimer in the
624 + * documentation and/or other materials provided with the distribution.
626 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
627 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
628 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
629 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
630 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
631 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
632 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
633 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
634 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
635 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
638 +#include "ldapincludes.h"
640 +#include "xmalloc.h"
641 +#include "ldapconf.h"
642 +#include "ldapmisc.h"
643 +#include "ldapbody.h"
647 +#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
648 +#define PUBKEYATTR "sshPublicKey"
649 +#define LDAP_LOGFILE "%s/ldap.%d"
651 +static FILE *logfile = NULL;
654 +static char *attrs[] = {
660 +ldap_checkconfig (void)
662 +#ifdef HAVE_LDAP_INITIALIZE
663 + if (options.host == NULL && options.uri == NULL)
665 + if (options.host == NULL)
667 + fatal ("missing \"host\" in config file");
670 +#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
672 +_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
674 + struct timeval timeout;
676 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
677 + LDAPMessage *result;
678 +#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
680 + debug2 ("Doing LDAP rebind to %s", options.binddn);
681 + if (options.ssl == SSL_START_TLS) {
682 + if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
683 + error ("ldap_starttls_s: %s", ldap_err2string (rc));
684 + return LDAP_OPERATIONS_ERROR;
688 +#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
689 + return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
691 + if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
692 + fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
694 + timeout.tv_sec = options.bind_timelimit;
695 + timeout.tv_usec = 0;
697 + if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
698 + error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
699 + ldap_msgfree (result);
700 + return LDAP_OPERATIONS_ERROR;
702 + debug3 ("LDAP rebind to %s succesfull", options.binddn);
709 +_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
712 + return LDAP_SUCCESS;
714 + *whop = strdup (options.binddn);
715 + *credp = strdup (options.bindpw);
716 + *methodp = LDAP_AUTH_SIMPLE;
717 + debug2 ("Doing LDAP rebind for %s", *whop);
718 + return LDAP_SUCCESS;
723 +ldap_do_connect(void)
725 + int rc, msgid, ld_errno = 0;
726 + struct timeval timeout;
727 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
729 + LDAPMessage *result;
730 + LDAPControl **controls;
732 +#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
734 + debug ("LDAP do connect");
738 + debug3 ("Reconnecting with ld_errno %d", ld_errno);
739 + if (options.bind_policy == 0 ||
740 + (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
742 + fatal ("Cannot connect to LDAP server");
745 + sleep (reconnect - 1);
751 + logit("reconnecting to LDAP server...");
758 +#ifdef HAVE_LDAP_SET_OPTION
759 + if (options.debug > 0) {
760 +#ifdef LBER_OPT_LOG_PRINT_FILE
761 + if (options.logdir) {
763 + int logfilenamelen;
765 + logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
766 + logfilename = xmalloc (logfilenamelen);
767 + snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
768 + logfilename[logfilenamelen - 1] = 0;
769 + if ((logfile = fopen (logfilename, "a")) == NULL)
770 + fatal ("cannot append to %s: %s", logfilename, strerror (errno));
771 + debug3 ("LDAP debug into %s", logfilename);
772 + free (logfilename);
773 + ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
776 + if (options.debug) {
777 +#ifdef LBER_OPT_DEBUG_LEVEL
778 + ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
779 +#endif /* LBER_OPT_DEBUG_LEVEL */
780 +#ifdef LDAP_OPT_DEBUG_LEVEL
781 + (void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
782 +#endif /* LDAP_OPT_DEBUG_LEVEL */
783 + debug3 ("Set LDAP debug to %d", options.debug);
786 +#endif /* HAVE_LDAP_SET_OPTION */
789 +#ifdef HAVE_LDAPSSL_INIT
790 + if (options.host != NULL) {
791 + if (options.ssl_on == SSL_LDAPS) {
792 + if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
793 + fatal ("ldapssl_client_init %s", ldap_err2string (rc));
794 + debug3 ("LDAPssl client init");
797 + if (options.ssl_on != SSL_OFF) {
798 + if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
799 + fatal ("ldapssl_init failed");
800 + debug3 ("LDAPssl init");
803 +#endif /* HAVE_LDAPSSL_INIT */
805 + /* continue with opening */
807 +#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
808 + /* Some global TLS-specific options need to be set before we create our
809 + * session context, so we set them here. */
811 +#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
813 + if (options.tls_randfile != NULL) {
814 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
815 + options.tls_randfile)) != LDAP_SUCCESS)
816 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
817 + ldap_err2string (rc));
818 + debug3 ("Set TLS random file %s", options.tls_randfile);
820 +#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
823 + if (options.tls_cacertfile != NULL) {
824 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
825 + options.tls_cacertfile)) != LDAP_SUCCESS)
826 + error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
827 + ldap_err2string (rc));
828 + debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
831 + /* ca cert directory */
832 + if (options.tls_cacertdir != NULL) {
833 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
834 + options.tls_cacertdir)) != LDAP_SUCCESS)
835 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
836 + ldap_err2string (rc));
837 + debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
840 + /* require cert? */
841 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
842 + &options.tls_checkpeer)) != LDAP_SUCCESS)
843 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
844 + ldap_err2string (rc));
845 + debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
847 + /* set cipher suite, certificate and private key: */
848 + if (options.tls_ciphers != NULL) {
849 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
850 + options.tls_ciphers)) != LDAP_SUCCESS)
851 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
852 + ldap_err2string (rc));
853 + debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
857 + if (options.tls_cert != NULL) {
858 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
859 + options.tls_cert)) != LDAP_SUCCESS)
860 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
861 + ldap_err2string (rc));
862 + debug3 ("Set TLS cert file %s ", options.tls_cert);
866 + if (options.tls_key != NULL) {
867 + if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
868 + options.tls_key)) != LDAP_SUCCESS)
869 + fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
870 + ldap_err2string (rc));
871 + debug3 ("Set TLS key file %s ", options.tls_key);
874 +#ifdef HAVE_LDAP_INITIALIZE
875 + if (options.uri != NULL) {
876 + if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
877 + fatal ("ldap_initialize %s", ldap_err2string (rc));
878 + debug3 ("LDAP initialize %s", options.uri);
881 +#endif /* HAVE_LDAP_INTITIALIZE */
883 + /* continue with opening */
884 + if ((ld == NULL) && (options.host != NULL)) {
885 +#ifdef HAVE_LDAP_INIT
886 + if ((ld = ldap_init (options.host, options.port)) == NULL)
887 + fatal ("ldap_init failed");
888 + debug3 ("LDAP init %s:%d", options.host, options.port);
890 + if ((ld = ldap_open (options.host, options.port)) == NULL)
891 + fatal ("ldap_open failed");
892 + debug3 ("LDAP open %s:%d", options.host, options.port);
893 +#endif /* HAVE_LDAP_INIT */
897 + fatal ("no way to open ldap");
899 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
900 + if (options.ssl == SSL_LDAPS) {
901 + if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
902 + fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
903 + debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
905 +#endif /* LDAP_OPT_X_TLS */
907 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
908 + (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
909 + &options.ldap_version);
911 + ld->ld_version = options.ldap_version;
913 + debug3 ("LDAP set version to %d", options.ldap_version);
915 +#if LDAP_SET_REBIND_PROC_ARGS == 3
916 + ldap_set_rebind_proc (ld, _rebind_proc, NULL);
917 +#elif LDAP_SET_REBIND_PROC_ARGS == 2
918 + ldap_set_rebind_proc (ld, _rebind_proc);
920 +#warning unknown LDAP_SET_REBIND_PROC_ARGS
922 + debug3 ("LDAP set rebind proc");
924 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
925 + (void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
927 + ld->ld_deref = options.deref;
929 + debug3 ("LDAP set deref to %d", options.deref);
931 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
932 + (void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
933 + &options.timelimit);
935 + ld->ld_timelimit = options.timelimit;
937 + debug3 ("LDAP set timelimit to %d", options.timelimit);
939 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
941 + * This is a new option in the Netscape SDK which sets
942 + * the TCP connect timeout. For want of a better value,
943 + * we use the bind_timelimit to control this.
945 + timeout = options.bind_timelimit * 1000;
946 + (void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
947 + debug3 ("LDAP set opt connect timeout to %d", timeout);
950 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
951 + tv.tv_sec = options.bind_timelimit;
953 + (void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
954 + debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
957 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
958 + (void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
959 + options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
960 + debug3 ("LDAP set referrals to %d", options.referrals);
963 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
964 + (void) ldap_set_option (ld, LDAP_OPT_RESTART,
965 + options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
966 + debug3 ("LDAP set restart to %d", options.restart);
969 +#ifdef HAVE_LDAP_START_TLS_S
970 + if (options.ssl == SSL_START_TLS) {
973 + if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
975 + if (version < LDAP_VERSION3) {
976 + version = LDAP_VERSION3;
977 + (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
979 + debug3 ("LDAP set version to %d", version);
983 + if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
984 + fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
985 + debug3 ("LDAP start TLS");
987 +#endif /* HAVE_LDAP_START_TLS_S */
990 + if ((msgid = ldap_simple_bind (ld, options.binddn,
991 + options.bindpw)) == -1) {
992 + ld_errno = ldap_get_lderrno (ld, 0, 0);
994 + error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
998 + debug3 ("LDAP simple bind (%s)", options.binddn);
1000 + timeout.tv_sec = options.bind_timelimit;
1001 + timeout.tv_usec = 0;
1002 + if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
1003 + ld_errno = ldap_get_lderrno (ld, 0, 0);
1005 + error ("ldap_result %s", ldap_err2string (ld_errno));
1009 + debug3 ("LDAP result in time");
1011 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
1013 + if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
1014 + fatal ("ldap_parse_result %s", ldap_err2string (parserc));
1015 + debug3 ("LDAP parse result OK");
1017 + if (controls != NULL) {
1018 + ldap_controls_free (controls);
1021 + rc = ldap_result2error (session->ld, result, TRUE);
1023 + if (rc != LDAP_SUCCESS)
1024 + fatal ("error trying to bind as user \"%s\" (%s)",
1025 + options.binddn, ldap_err2string (rc));
1027 + debug2 ("LDAP do connect OK");
1031 +process_user (const char *user, FILE *output)
1033 + LDAPMessage *res, *e;
1035 + int bufflen, rc, i;
1036 + struct timeval timeout;
1038 + debug ("LDAP process user");
1040 + /* quick check for attempts to be evil */
1041 + if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
1042 + (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
1043 + logit ("illegal user name %s not processed", user);
1047 + /* build filter for LDAP request */
1048 + bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user);
1049 + if (options.ssh_filter != NULL)
1050 + bufflen += strlen (options.ssh_filter);
1051 + buffer = xmalloc (bufflen);
1052 + snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
1053 + buffer[bufflen - 1] = 0;
1055 + debug3 ("LDAP search scope = %d %s", options.scope, buffer);
1057 + timeout.tv_sec = options.timelimit;
1058 + timeout.tv_usec = 0;
1059 + if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
1060 + error ("ldap_search_st(): %s", ldap_err2string (rc));
1068 + for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
1070 + struct berval **keys;
1072 + keys = ldap_get_values_len(ld, e, PUBKEYATTR);
1073 + num = ldap_count_values_len(keys);
1074 + for (i = 0 ; i < num ; i++) {
1075 + char *cp; //, *options = NULL;
1077 + for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
1078 + if (!*cp || *cp == '\n' || *cp == '#')
1081 + /* We have found the desired key. */
1082 + fprintf (output, "%s\n", keys[i]->bv_val);
1085 + ldap_value_free_len(keys);
1088 + ldap_msgfree(res);
1089 + debug2 ("LDAP process user finished");
1093 +ldap_do_close(void)
1097 + debug ("LDAP do close");
1098 + if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
1099 + fatal ("ldap_unbind_ext: %s",
1100 + ldap_err2string (rc));
1103 + debug2 ("LDAP do close OK");
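Review bot: none of the TLS settings the config parser accepts (TLS_CaCertFile, TLS_CaCertDir, TLS_Cert, TLS_Key, TLS_Ciphers, TLS_CheckPeer) is applied anywhere in this connect path. The only TLS-related call is `ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)`, it runs only when `options.ssl == SSL_LDAPS`, and LDAP_OPT_X_TLS selects whether TLS is used on the connection rather than how the peer certificate is checked, so the TLS_CheckPeer value (default LDAP_OPT_X_TLS_HARD) is fed to the wrong knob and the StartTLS branch (`ldap_start_tls_s (ld, NULL, NULL)`) runs with no certificate policy from this file at all. Peer verification then depends on whatever libldap's global defaults happen to be, not on /etc/ssh/ldap.conf, and this is the source of authorized keys. Set LDAP_OPT_X_TLS_REQUIRE_CERT from tls_checkpeer and LDAP_OPT_X_TLS_CACERTFILE / CACERTDIR / CERTFILE / KEYFILE / CIPHER_SUITE from the parsed strings before the ldaps open and before `ldap_start_tls_s`, and set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD for the ldaps case independently of TLS_CheckPeer. Three smaller points in the same region: the fallback branch of the HAVE_LDAP_PARSE_RESULT block calls `ldap_result2error (session->ld, result, TRUE)` but there is no `session` in this file (every other call uses `ld`), so that branch cannot compile; `process_user` prints the keys of every entry the search returns without checking that exactly one entry matched, so two entries sharing a uid under the search base both authorize the login, and failing closed when `ldap_count_entries` is not 1 would be safer; and the filter build passes `(options.ssh_filter != NULL) ? options.ssh_filter : NULL` to a `%s`, which is undefined if the NULL arm is ever taken, so use `""` there.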
1107 diff -urNp -x '*.orig' openssh-8.4p1.org/ldapbody.h openssh-8.4p1/ldapbody.h
1108 --- openssh-8.4p1.org/ldapbody.h 1970-01-01 01:00:00.000000000 +0100
1109 +++ openssh-8.4p1/ldapbody.h 2021-03-01 11:29:31.280956671 +0100
1111 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1113 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1115 + * Redistribution and use in source and binary forms, with or without
1116 + * modification, are permitted provided that the following conditions
1118 + * 1. Redistributions of source code must retain the above copyright
1119 + * notice, this list of conditions and the following disclaimer.
1120 + * 2. Redistributions in binary form must reproduce the above copyright
1121 + * notice, this list of conditions and the following disclaimer in the
1122 + * documentation and/or other materials provided with the distribution.
1124 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1125 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1126 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1127 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1128 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1129 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1130 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1131 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1132 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1133 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1141 +void ldap_checkconfig(void);
1142 +void ldap_do_connect(void);
1143 +void process_user(const char *, FILE *);
1144 +void ldap_do_close(void);
1146 +#endif /* LDAPBODY_H */
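Review bot: `ldap_checkconfig`, `ldap_do_connect` and `ldap_do_close` are exported under the `ldap_` prefix, which is libldap's own namespace, so a later library release that adds a symbol with one of these names would clash at link time; a project prefix such as `sshldap_` avoids that. The prototype `void process_user(const char *, FILE *);` also needs `<stdio.h>` to be included before this header is usable on its own.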
1148 diff -urNp -x '*.orig' openssh-8.4p1.org/ldapconf.c openssh-8.4p1/ldapconf.c
1149 --- openssh-8.4p1.org/ldapconf.c 1970-01-01 01:00:00.000000000 +0100
1150 +++ openssh-8.4p1/ldapconf.c 2021-03-01 11:29:31.280956671 +0100
1152 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1154 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1156 + * Redistribution and use in source and binary forms, with or without
1157 + * modification, are permitted provided that the following conditions
1159 + * 1. Redistributions of source code must retain the above copyright
1160 + * notice, this list of conditions and the following disclaimer.
1161 + * 2. Redistributions in binary form must reproduce the above copyright
1162 + * notice, this list of conditions and the following disclaimer in the
1163 + * documentation and/or other materials provided with the distribution.
1165 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1166 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1167 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1168 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1169 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1170 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1171 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1172 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1173 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1174 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1177 +#include "ldapincludes.h"
1178 +#include "ldap-helper.h"
1181 +#include "xmalloc.h"
1182 +#include "ldapconf.h"
1183 +#include <unistd.h>
1184 +#include <string.h>
1186 +/* Keyword tokens. */
1190 + lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
1191 + lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
1192 + lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
1193 + lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
1194 + lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
1195 + lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
1196 + lAccountClass, lDeprecated, lUnsupported
1199 +/* Textual representations of the tokens. */
1206 + { "Base", lBase },
1207 + { "BindDN", lBindDN },
1208 + { "BindPW", lBindPW },
1209 + { "RootBindDN", lRootBindDN },
1210 + { "Host", lHost },
1211 + { "Port", lPort },
1212 + { "Scope", lScope },
1213 + { "Deref", lDeref },
1214 + { "TimeLimit", lTimeLimit },
1215 + { "TimeOut", lTimeLimit },
1216 + { "Bind_Timelimit", lBind_TimeLimit },
1217 + { "Network_TimeOut", lBind_TimeLimit },
1222 + { "Ldap_Version", lLdap_Version },
1223 + { "Version", lLdap_Version },
1224 + { "Bind_Policy", lBind_Policy },
1225 + { "SSLPath", lSSLPath },
1227 + { "Referrals", lReferrals },
1228 + { "Restart", lRestart },
1229 + { "TLS_CheckPeer", lTLS_CheckPeer },
1230 + { "TLS_ReqCert", lTLS_CheckPeer },
1231 + { "TLS_CaCertFile", lTLS_CaCertFile },
1232 + { "TLS_CaCert", lTLS_CaCertFile },
1233 + { "TLS_CaCertDir", lTLS_CaCertDir },
1234 + { "TLS_Ciphers", lTLS_Ciphers },
1235 + { "TLS_Cipher_Suite", lTLS_Ciphers },
1236 + { "TLS_Cert", lTLS_Cert },
1237 + { "TLS_Certificate", lTLS_Cert },
1238 + { "TLS_Key", lTLS_Key },
1239 + { "TLS_RandFile", lTLS_RandFile },
1245 + { "LogDir", lLogDir },
1246 + { "Debug", lDebug },
1247 + { "SSH_Filter", lSSH_Filter },
1248 + { "AccountClass", lAccountClass },
1249 + { NULL, lBadOption }
1252 +/* Configuration ptions. */
1257 + * Returns the number of the token pointed to by cp or oBadOption.
1261 +parse_token(const char *cp, const char *filename, int linenum)
1265 + for (i = 0; keywords[i].name; i++)
1266 + if (strcasecmp(cp, keywords[i].name) == 0)
1267 + return keywords[i].opcode;
1269 + if (config_warning_config_file)
1270 + logit("%s: line %d: Bad configuration option: %s",
1271 + filename, linenum, cp);
1272 + return lBadOption;
1276 + * Processes a single option line as used in the configuration files. This
1277 + * only sets those values that have not already been set.
1279 +#define WHITESPACE " \t\r\n"
1282 +process_config_line(char *line, const char *filename, int linenum)
1284 + char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
1285 + char *rootbinddn = NULL;
1286 + int opcode, *intptr, value;
1289 + /* Strip trailing whitespace */
1290 + for (len = strlen(line) - 1; len > 0; len--) {
1291 + if (strchr(WHITESPACE, line[len]) == NULL)
1297 + /* Get the keyword. (Each line is supposed to begin with a keyword). */
1298 + if ((keyword = strdelim(&s)) == NULL)
1300 + /* Ignore leading whitespace. */
1301 + if (*keyword == '\0')
1302 + keyword = strdelim(&s);
1303 + if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
1306 + opcode = parse_token(keyword, filename, linenum);
1310 + /* don't panic, but count bad options */
1315 + xstringptr = &options.host;
1317 + if (!s || *s == '\0')
1318 + fatal("%s line %d: missing dn",filename,linenum);
1319 + if (*xstringptr == NULL)
1320 + *xstringptr = xstrdup(s);
1324 + xstringptr = &options.uri;
1325 + goto parse_xstring;
1328 + xstringptr = &options.base;
1329 + goto parse_xstring;
1332 + xstringptr = &options.binddn;
1333 + goto parse_xstring;
1336 + charptr = &options.bindpw;
1338 + arg = strdelim(&s);
1339 + if (!arg || *arg == '\0')
1340 + fatal("%.200s line %d: Missing argument.", filename, linenum);
1341 + if (*charptr == NULL)
1342 + *charptr = xstrdup(arg);
1346 + xstringptr = &rootbinddn;
1347 + goto parse_xstring;
1350 + intptr = &options.scope;
1351 + arg = strdelim(&s);
1352 + if (!arg || *arg == '\0')
1353 + fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
1354 + value = 0; /* To avoid compiler warning... */
1355 + if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
1356 + value = LDAP_SCOPE_SUBTREE;
1357 + else if (strcasecmp (arg, "one") == 0)
1358 + value = LDAP_SCOPE_ONELEVEL;
1359 + else if (strcasecmp (arg, "base") == 0)
1360 + value = LDAP_SCOPE_BASE;
1362 + fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
1363 + if (*intptr == -1)
1368 + intptr = &options.scope;
1369 + arg = strdelim(&s);
1370 + if (!arg || *arg == '\0')
1371 + fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
1372 + value = 0; /* To avoid compiler warning... */
1373 + if (!strcasecmp (arg, "never"))
1374 + value = LDAP_DEREF_NEVER;
1375 + else if (!strcasecmp (arg, "searching"))
1376 + value = LDAP_DEREF_SEARCHING;
1377 + else if (!strcasecmp (arg, "finding"))
1378 + value = LDAP_DEREF_FINDING;
1379 + else if (!strcasecmp (arg, "always"))
1380 + value = LDAP_DEREF_ALWAYS;
1382 + fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
1383 + if (*intptr == -1)
1388 + intptr = &options.port;
1390 + arg = strdelim(&s);
1391 + if (!arg || *arg == '\0')
1392 + fatal("%.200s line %d: Missing argument.", filename, linenum);
1393 + if (arg[0] < '0' || arg[0] > '9')
1394 + fatal("%.200s line %d: Bad number.", filename, linenum);
1396 + /* Octal, decimal, or hex format? */
1397 + value = strtol(arg, &endofnumber, 0);
1398 + if (arg == endofnumber)
1399 + fatal("%.200s line %d: Bad number.", filename, linenum);
1400 + if (*intptr == -1)
1405 + intptr = &options.timelimit;
1407 + arg = strdelim(&s);
1408 + if (!arg || *arg == '\0')
1409 + fatal("%s line %d: missing time value.",
1410 + filename, linenum);
1411 + if ((value = convtime(arg)) == -1)
1412 + fatal("%s line %d: invalid time value.",
1413 + filename, linenum);
1414 + if (*intptr == -1)
1418 + case lBind_TimeLimit:
1419 + intptr = &options.bind_timelimit;
1422 + case lLdap_Version:
1423 + intptr = &options.ldap_version;
1426 + case lBind_Policy:
1427 + intptr = &options.bind_policy;
1428 + arg = strdelim(&s);
1429 + if (!arg || *arg == '\0')
1430 + fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
1431 + value = 0; /* To avoid compiler warning... */
1432 + if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
1434 + else if (strcasecmp(arg, "soft") == 0)
1437 + fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
1438 + if (*intptr == -1)
1442 + charptr = &options.sslpath;
1443 + goto parse_string;
1446 + intptr = &options.ssl;
1447 + arg = strdelim(&s);
1448 + if (!arg || *arg == '\0')
1449 + fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
1450 + value = 0; /* To avoid compiler warning... */
1451 + if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
1452 + value = SSL_LDAPS;
1453 + else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
1455 + else if (!strcasecmp (arg, "start_tls"))
1456 + value = SSL_START_TLS;
1458 + fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
1459 + if (*intptr == -1)
1464 + intptr = &options.referrals;
1466 + arg = strdelim(&s);
1467 + if (!arg || *arg == '\0')
1468 + fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
1469 + value = 0; /* To avoid compiler warning... */
1470 + if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
1472 + else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
1475 + fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
1476 + if (*intptr == -1)
1481 + intptr = &options.restart;
1484 + case lTLS_CheckPeer:
1485 + intptr = &options.tls_checkpeer;
1486 + arg = strdelim(&s);
1487 + if (!arg || *arg == '\0')
1488 + fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
1489 + value = 0; /* To avoid compiler warning... */
1490 + if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
1491 + value = LDAP_OPT_X_TLS_NEVER;
1492 + else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
1493 + value = LDAP_OPT_X_TLS_HARD;
1494 + else if (strcasecmp(arg, "demand") == 0)
1495 + value = LDAP_OPT_X_TLS_DEMAND;
1496 + else if (strcasecmp(arg, "allow") == 0)
1497 + value = LDAP_OPT_X_TLS_ALLOW;
1498 + else if (strcasecmp(arg, "try") == 0)
1499 + value = LDAP_OPT_X_TLS_TRY;
1501 + fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
1502 + if (*intptr == -1)
1505 + case lTLS_CaCertFile:
1506 + charptr = &options.tls_cacertfile;
1507 + goto parse_string;
1509 + case lTLS_CaCertDir:
1510 + charptr = &options.tls_cacertdir;
1511 + goto parse_string;
1513 + case lTLS_Ciphers:
1514 + xstringptr = &options.tls_ciphers;
1515 + goto parse_xstring;
1518 + charptr = &options.tls_cert;
1519 + goto parse_string;
1522 + charptr = &options.tls_key;
1523 + goto parse_string;
1525 + case lTLS_RandFile:
1526 + charptr = &options.tls_randfile;
1527 + goto parse_string;
1530 + charptr = &options.logdir;
1531 + goto parse_string;
1534 + intptr = &options.debug;
1538 + xstringptr = &options.ssh_filter;
1539 + goto parse_xstring;
1541 + case lAccountClass:
1542 + charptr = &options.account_class;
1543 + goto parse_string;
1546 + debug("%s line %d: Deprecated option \"%s\"",
1547 + filename, linenum, keyword);
1550 + case lUnsupported:
1551 + error("%s line %d: Unsupported option \"%s\"",
1552 + filename, linenum, keyword);
1556 + fatal("process_config_line: Unimplemented opcode %d", opcode);
1559 + /* Check that there is no garbage at end of line. */
1560 + if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1561 + fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1562 + filename, linenum, arg);
1568 + * Reads the config file and modifies the options accordingly. Options
1569 + * should already be initialized before this call. This never returns if
1570 + * there is an error. If the file does not exist, this returns 0.
1574 +read_config_file(const char *filename)
1578 + int active, linenum;
1579 + int bad_options = 0;
1582 + if ((f = fopen(filename, "r")) == NULL)
1583 + fatal("fopen %s: %s", filename, strerror(errno));
1585 + if (fstat(fileno(f), &sb) == -1)
1586 + fatal("fstat %s: %s", filename, strerror(errno));
1587 + if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1588 + (sb.st_mode & 022) != 0))
1589 + fatal("Bad owner or permissions on %s", filename);
1591 + debug("Reading configuration data %.200s", filename);
1594 + * Mark that we are now processing the options. This flag is turned
1595 + * on/off by Host specifications.
1599 + while (fgets(line, sizeof(line), f)) {
1600 + /* Update line number counter. */
1602 + if (process_config_line(line, filename, linenum) != 0)
1606 + if ((bad_options > 0) && config_exclusive_config_file)
1607 + fatal("%s: terminating, %d bad configuration options",
1608 + filename, bad_options);
1612 + * Initializes options to special values that indicate that they have not yet
1613 + * been set. Read_config_file will only set options with this value. Options
1614 + * are processed in the following order: command line, user config file,
1615 + * system config file. Last, fill_default_options is called.
1619 +initialize_options(void)
1621 + memset(&options, 'X', sizeof(options));
1622 + options.host = NULL;
1623 + options.uri = NULL;
1624 + options.base = NULL;
1625 + options.binddn = NULL;
1626 + options.bindpw = NULL;
1627 + options.scope = -1;
1628 + options.deref = -1;
1629 + options.port = -1;
1630 + options.timelimit = -1;
1631 + options.bind_timelimit = -1;
1632 + options.ldap_version = -1;
1633 + options.bind_policy = -1;
1634 + options.sslpath = NULL;
1636 + options.referrals = -1;
1637 + options.restart = -1;
1638 + options.tls_checkpeer = -1;
1639 + options.tls_cacertfile = NULL;
1640 + options.tls_cacertdir = NULL;
1641 + options.tls_ciphers = NULL;
1642 + options.tls_cert = NULL;
1643 + options.tls_key = NULL;
1644 + options.tls_randfile = NULL;
1645 + options.logdir = NULL;
1646 + options.debug = -1;
1647 + options.ssh_filter = NULL;
1648 + options.account_class = NULL;
1652 + * Called after processing other sources of option data, this fills those
1653 + * options for which no value has been specified with their default values.
1657 +fill_default_options(void)
1659 + if (options.uri != NULL) {
1660 + LDAPURLDesc *ludp;
1662 + if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
1663 + if (options.ssl == -1) {
1664 + if (strcmp (ludp->lud_scheme, "ldap") == 0)
1666 + if (strcmp (ludp->lud_scheme, "ldapi") == 0)
1668 + else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
1671 + if (options.host == NULL)
1672 + options.host = xstrdup (ludp->lud_host);
1673 + if (options.port == -1)
1674 + options.port = ludp->lud_port;
1676 + ldap_free_urldesc (ludp);
1679 + if (options.ssl == -1)
1680 + options.ssl = SSL_START_TLS;
1681 + if (options.port == -1)
1682 + options.port = (options.ssl == 0) ? 389 : 636;
1683 + if (options.uri == NULL) {
1685 +#define MAXURILEN 4096
1687 + options.uri = xmalloc (MAXURILEN);
1688 + len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
1689 + (options.ssl == 0) ? "" : "s", options.host, options.port);
1690 + options.uri[MAXURILEN - 1] = 0;
1691 + options.uri = xreallocarray (options.uri, len + 1, 1);
1693 + if (options.binddn == NULL)
1694 + options.binddn = "";
1695 + if (options.bindpw == NULL)
1696 + options.bindpw = "";
1697 + if (options.scope == -1)
1698 + options.scope = LDAP_SCOPE_SUBTREE;
1699 + if (options.deref == -1)
1700 + options.deref = LDAP_DEREF_NEVER;
1701 + if (options.timelimit == -1)
1702 + options.timelimit = 10;
1703 + if (options.bind_timelimit == -1)
1704 + options.bind_timelimit = 10;
1705 + if (options.ldap_version == -1)
1706 + options.ldap_version = 3;
1707 + if (options.bind_policy == -1)
1708 + options.bind_policy = 1;
1709 + if (options.referrals == -1)
1710 + options.referrals = 1;
1711 + if (options.restart == -1)
1712 + options.restart = 1;
1713 + if (options.tls_checkpeer == -1)
1714 + options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
1715 + if (options.debug == -1)
1716 + options.debug = 0;
1717 + if (options.ssh_filter == NULL)
1718 + options.ssh_filter = "";
1719 + if (options.account_class == NULL)
1720 + options.account_class = "posixAccount";
1723 +static const char *
1724 +lookup_opcode_name(OpCodes code)
1728 + for (i = 0; keywords[i].name != NULL; i++)
1729 + if (keywords[i].opcode == code)
1730 + return(keywords[i].name);
1735 +dump_cfg_string(OpCodes code, const char *val)
1738 + debug3("%s <UNDEFINED>", lookup_opcode_name(code));
1740 + debug3("%s %s", lookup_opcode_name(code), val);
1744 +dump_cfg_int(OpCodes code, int val)
1747 + debug3("%s <UNDEFINED>", lookup_opcode_name(code));
1749 + debug3("%s %d", lookup_opcode_name(code), val);
1758 +dump_cfg_namedint(OpCodes code, int val, struct names *names)
1763 + debug3("%s <UNDEFINED>", lookup_opcode_name(code));
1765 + for (i = 0; names[i].value != -1; i++)
1766 + if (names[i].value == val) {
1767 + debug3("%s %s", lookup_opcode_name(code), names[i].name);
1770 + debug3("%s unknown: %d", lookup_opcode_name(code), val);
1774 +static struct names _yesnotls[] = {
1777 + { 2, "Start_TLS" },
1780 +static struct names _scope[] = {
1781 + { LDAP_SCOPE_BASE, "Base" },
1782 + { LDAP_SCOPE_ONELEVEL, "One" },
1783 + { LDAP_SCOPE_SUBTREE, "Sub"},
1786 +static struct names _deref[] = {
1787 + { LDAP_DEREF_NEVER, "Never" },
1788 + { LDAP_DEREF_SEARCHING, "Searching" },
1789 + { LDAP_DEREF_FINDING, "Finding" },
1790 + { LDAP_DEREF_ALWAYS, "Always" },
1793 +static struct names _yesno[] = {
1798 +static struct names _bindpolicy[] = {
1803 +static struct names _checkpeer[] = {
1804 + { LDAP_OPT_X_TLS_NEVER, "Never" },
1805 + { LDAP_OPT_X_TLS_HARD, "Hard" },
1806 + { LDAP_OPT_X_TLS_DEMAND, "Demand" },
1807 + { LDAP_OPT_X_TLS_ALLOW, "Allow" },
1808 + { LDAP_OPT_X_TLS_TRY, "TRY" },
1814 + dump_cfg_string(lURI, options.uri);
1815 + dump_cfg_string(lHost, options.host);
1816 + dump_cfg_int(lPort, options.port);
1817 + dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
1818 + dump_cfg_int(lLdap_Version, options.ldap_version);
1819 + dump_cfg_int(lTimeLimit, options.timelimit);
1820 + dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
1821 + dump_cfg_string(lBase, options.base);
1822 + dump_cfg_string(lBindDN, options.binddn);
1823 + dump_cfg_string(lBindPW, options.bindpw);
1824 + dump_cfg_namedint(lScope, options.scope, _scope);
1825 + dump_cfg_namedint(lDeref, options.deref, _deref);
1826 + dump_cfg_namedint(lReferrals, options.referrals, _yesno);
1827 + dump_cfg_namedint(lRestart, options.restart, _yesno);
1828 + dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
1829 + dump_cfg_string(lSSLPath, options.sslpath);
1830 + dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
1831 + dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
1832 + dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
1833 + dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
1834 + dump_cfg_string(lTLS_Cert, options.tls_cert);
1835 + dump_cfg_string(lTLS_Key, options.tls_key);
1836 + dump_cfg_string(lTLS_RandFile, options.tls_randfile);
1837 + dump_cfg_string(lLogDir, options.logdir);
1838 + dump_cfg_int(lDebug, options.debug);
1839 + dump_cfg_string(lSSH_Filter, options.ssh_filter);
1840 + dump_cfg_string(lAccountClass, options.logdir);
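Review bot: the `lDeref` case sets `intptr = &options.scope;` before parsing the never/searching/finding/always argument, so a `Deref` line in ldap.conf writes an LDAP_DEREF_* constant into the search scope while `options.deref` stays at -1 and silently takes the default; it must be `intptr = &options.deref;`. The same class of slip closes dump_config: `dump_cfg_string(lAccountClass, options.logdir);` should pass `options.account_class`. Three more things to fix in this file. First, `RootBindDN` is parsed into the function-local `char *rootbinddn` of process_config_line and never read again, so the keyword is accepted, ignored, and the xstrdup'd string leaks on every occurrence; either wire it to an Options field or list it under lDeprecated/lUnsupported. Second, the defaults disagree with each other: `options.ssl` defaults to SSL_START_TLS, but `options.port = (options.ssl == 0) ? 389 : 636;` and the `"ldap%s://%s:%d"` construction pick 636 and `ldaps://` for any non-zero value, so a bare `Host` line with no `SSL` keyword yields an ldaps URI on 636 followed by a StartTLS attempt on top of it; StartTLS should map to `ldap://` on 389. Third, `BindPW` is a plaintext secret: the fstat check only rejects group/world-writable files, not world-readable ones, and `dump_cfg_string(lBindPW, options.bindpw);` writes the password to the debug log. Warn or refuse when `sb.st_mode & 044` is set and bindpw is configured, and dump `<set>` instead of the value. Minor: the TLS_CheckPeer messages spell "allow" as "alow", and the `Host` case reports "missing dn" for a missing host name.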
1843 diff -urNp -x '*.orig' openssh-8.4p1.org/ldapconf.h openssh-8.4p1/ldapconf.h
1844 --- openssh-8.4p1.org/ldapconf.h 1970-01-01 01:00:00.000000000 +0100
1845 +++ openssh-8.4p1/ldapconf.h 2021-03-01 11:29:31.280956671 +0100
1847 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1849 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1851 + * Redistribution and use in source and binary forms, with or without
1852 + * modification, are permitted provided that the following conditions
1854 + * 1. Redistributions of source code must retain the above copyright
1855 + * notice, this list of conditions and the following disclaimer.
1856 + * 2. Redistributions in binary form must reproduce the above copyright
1857 + * notice, this list of conditions and the following disclaimer in the
1858 + * documentation and/or other materials provided with the distribution.
1860 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1861 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1862 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1863 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1864 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1865 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1866 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1867 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1868 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1869 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1876 +#define SSL_LDAPS 1
1877 +#define SSL_START_TLS 2
1879 +/* Data structure for representing option data. */
1891 + int bind_timelimit;
1898 + int tls_checkpeer;
1899 + char *tls_cacertfile;
1900 + char *tls_cacertdir;
1901 + char *tls_ciphers;
1904 + char *tls_randfile;
1908 + char *account_class;
1911 +extern Options options;
1913 +void read_config_file(const char *);
1914 +void initialize_options(void);
1915 +void fill_default_options(void);
1916 +void dump_config(void);
1918 +#endif /* LDAPCONF_H */
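Review bot: the SSL mode has three states but only two names: `#define SSL_LDAPS 1` and `#define SSL_START_TLS 2` are defined here while ldapconf.c tests the off state as a bare `options.ssl == 0`. Add `#define SSL_OFF 0` and use it in fill_default_options so the port and URI defaults are written against a name rather than a magic number. The ident line in this header reads `$OpenBSD: ldapconf.c`; it should name ldapconf.h.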
1919 diff -urNp -x '*.orig' openssh-8.4p1.org/ldapincludes.h openssh-8.4p1/ldapincludes.h
1920 --- openssh-8.4p1.org/ldapincludes.h 1970-01-01 01:00:00.000000000 +0100
1921 +++ openssh-8.4p1/ldapincludes.h 2021-03-01 11:29:31.280956671 +0100
1923 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
1925 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
1927 + * Redistribution and use in source and binary forms, with or without
1928 + * modification, are permitted provided that the following conditions
1930 + * 1. Redistributions of source code must retain the above copyright
1931 + * notice, this list of conditions and the following disclaimer.
1932 + * 2. Redistributions in binary form must reproduce the above copyright
1933 + * notice, this list of conditions and the following disclaimer in the
1934 + * documentation and/or other materials provided with the distribution.
1936 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1937 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1938 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1939 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1940 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1941 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1942 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1943 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1944 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1945 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1948 +#ifndef LDAPINCLUDES_H
1949 +#define LDAPINCLUDES_H
1951 +#include "includes.h"
1959 +#ifdef HAVE_LDAP_SSL_H
1960 +#include <ldap_ssl.h>
1963 +#endif /* LDAPINCLUDES_H */
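Review bot: the ident line reads `$OpenBSD: ldapconf.c` in ldapincludes.h; it was copied from the .c file and should be corrected or dropped. The header is otherwise the single place the LDAP SDK headers are pulled in, so the `HAVE_LDAP_SSL_H` guard around `<ldap_ssl.h>` is the right shape; keep the same pattern for any other SDK-specific header added later rather than including it directly from ldapbody.c or ldapmisc.c.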
1964 diff -urNp -x '*.orig' openssh-8.4p1.org/ldapmisc.c openssh-8.4p1/ldapmisc.c
1965 --- openssh-8.4p1.org/ldapmisc.c 1970-01-01 01:00:00.000000000 +0100
1966 +++ openssh-8.4p1/ldapmisc.c 2021-03-01 11:29:31.280956671 +0100
1969 +#include "ldapincludes.h"
1970 +#include "ldapmisc.h"
1972 +#ifndef HAVE_LDAP_GET_LDERRNO
1974 +ldap_get_lderrno (LDAP * ld, char **m, char **s)
1976 +#ifdef HAVE_LDAP_GET_OPTION
1981 +#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
1982 + if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
1985 + lderrno = ld->ld_errno;
1989 +#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
1990 + if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
1993 + *s = ld->ld_error;
1998 +#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
1999 + if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
2002 + *m = ld->ld_matched;
2010 +#ifndef HAVE_LDAP_SET_LDERRNO
2012 +ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
2014 +#ifdef HAVE_LDAP_SET_OPTION
2018 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
2019 + if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
2022 + ld->ld_errno = lderrno;
2026 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
2027 + if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
2035 +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
2036 + if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
2039 + ld->ld_matched = m;
2043 + return LDAP_SUCCESS;
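Review bot: in the ldap_set_lderrno fallback, `ld->ld_matched = m;` stores the caller's `const char *` in a field the library owns and frees when it replaces the matched DN or tears the handle down, and it discards the const qualifier on the way; a stack buffer or string literal passed here would later reach free(). Copy with strdup in that branch (the ldap_set_option branches above let the library make its own copy, which is why they are safe). The ldap_get_lderrno fallback hands back the library's internal `ld->ld_error` and `ld->ld_matched` pointers in `*s` and `*m`; that is acceptable only if callers never free them, and since ldapbody.c calls `ldap_get_lderrno (ld, 0, 0)` both fallbacks must test `s` and `m` for NULL before dereferencing them (the guard lines are not visible in this hunk, so please confirm they exist).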
2047 diff -urNp -x '*.orig' openssh-8.4p1.org/ldapmisc.h openssh-8.4p1/ldapmisc.h
2048 --- openssh-8.4p1.org/ldapmisc.h 1970-01-01 01:00:00.000000000 +0100
2049 +++ openssh-8.4p1/ldapmisc.h 2021-03-01 11:29:31.280956671 +0100
2051 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
2053 + * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
2055 + * Redistribution and use in source and binary forms, with or without
2056 + * modification, are permitted provided that the following conditions
2058 + * 1. Redistributions of source code must retain the above copyright
2059 + * notice, this list of conditions and the following disclaimer.
2060 + * 2. Redistributions in binary form must reproduce the above copyright
2061 + * notice, this list of conditions and the following disclaimer in the
2062 + * documentation and/or other materials provided with the distribution.
2064 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
2065 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
2066 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
2067 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
2068 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
2069 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
2070 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
2071 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
2072 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
2073 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
2079 +#include "ldapincludes.h"
2081 +int ldap_get_lderrno (LDAP *, char **, char **);
2082 +int ldap_set_lderrno (LDAP *, int, const char *, const char *);
2084 +#endif /* LDAPMISC_H */
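Review bot: the prototypes `int ldap_get_lderrno (LDAP *, char **, char **);` and `int ldap_set_lderrno (LDAP *, int, const char *, const char *);` are declared unconditionally, but the definitions in ldapmisc.c are compiled only under `#ifndef HAVE_LDAP_GET_LDERRNO` and `#ifndef HAVE_LDAP_SET_LDERRNO`. On an SDK that already provides these functions (the Mozilla/Sun LDAP SDK declares `ldap_set_lderrno` with plain `char *` for the last two parameters) the library's declaration will conflict with these; wrap the prototypes in the same guards the definitions use. The RCS tag at the top, `$OpenBSD: ldapbody.h,v 1.1 ...`, names a different file than ldapmisc.h and is copy-paste residue; fix it or drop it.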
2086 diff -urNp -x '*.orig' openssh-8.4p1.org/openssh-lpk-openldap.schema openssh-8.4p1/openssh-lpk-openldap.schema
2087 --- openssh-8.4p1.org/openssh-lpk-openldap.schema 1970-01-01 01:00:00.000000000 +0100
2088 +++ openssh-8.4p1/openssh-lpk-openldap.schema 2021-03-01 11:29:31.280956671 +0100
2091 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
2092 +# useful with PKA-LDAP also
2094 +# Author: Eric AUGE <eau@phear.org>
2096 +# Based on the proposal of : Mark Ruijter
2100 +# octetString SYNTAX
2101 +attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
2102 + DESC 'MANDATORY: OpenSSH Public key'
2103 + EQUALITY octetStringMatch
2104 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
2106 +# printableString SYNTAX yes|no
2107 +objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
2108 + DESC 'MANDATORY: OpenSSH LPK objectclass'
2109 + MUST ( sshPublicKey $ uid )
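Review bot: the comment `# printableString SYNTAX yes|no` above the objectclass definition is stale: nothing in `ldapPublicKey` uses a printableString or a yes/no value, and the same leftover comment is carried into openssh-lpk-sun.schema. Replace it with a comment that says what the class actually does (an AUXILIARY class that adds a multi-valued, octetString `sshPublicKey` to an existing account entry). One operational caveat worth a comment next to `MUST ( sshPublicKey $ uid )`: because the key attribute is mandatory, an entry carrying this class can never be left without a key, so key rotation tooling has to delete the old value and add the new one in a single modify operation rather than two, or the server rejects the intermediate state as an objectClassViolation.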
2111 diff -urNp -x '*.orig' openssh-8.4p1.org/openssh-lpk-sun.schema openssh-8.4p1/openssh-lpk-sun.schema
2112 --- openssh-8.4p1.org/openssh-lpk-sun.schema 1970-01-01 01:00:00.000000000 +0100
2113 +++ openssh-8.4p1/openssh-lpk-sun.schema 2021-03-01 11:29:31.284290176 +0100
2116 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
2117 +# useful with PKA-LDAP also
2119 +# Author: Eric AUGE <eau@phear.org>
2121 +# Schema for Sun Directory Server.
2122 +# Based on the original schema, modified by Stefan Fischer.
2127 +# octetString SYNTAX
2128 +attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
2129 + DESC 'MANDATORY: OpenSSH Public key'
2130 + EQUALITY octetStringMatch
2131 + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
2133 +# printableString SYNTAX yes|no
2134 +objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
2135 + DESC 'MANDATORY: OpenSSH LPK objectclass'
2136 + MUST ( sshPublicKey $ uid )
2138 diff -urNp -x '*.orig' openssh-8.4p1.org/ssh-ldap-helper.8 openssh-8.4p1/ssh-ldap-helper.8
2139 --- openssh-8.4p1.org/ssh-ldap-helper.8 1970-01-01 01:00:00.000000000 +0100
2140 +++ openssh-8.4p1/ssh-ldap-helper.8 2021-03-01 11:29:31.284290176 +0100
2142 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
2144 +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
2146 +.\" Permission to use, copy, modify, and distribute this software for any
2147 +.\" purpose with or without fee is hereby granted, provided that the above
2148 +.\" copyright notice and this permission notice appear in all copies.
2150 +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
2151 +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
2152 +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
2153 +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
2154 +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
2155 +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
2156 +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
2158 +.Dd $Mdocdate: April 29 2010 $
2159 +.Dt SSH-LDAP-HELPER 8
2162 +.Nm ssh-ldap-helper
2163 +.Nd sshd helper program for ldap support
2165 +.Nm ssh-ldap-helper
2173 +to access keys provided by an LDAP.
2175 +is disabled by default and can only be enabled in the
2176 +sshd configuration file
2177 +.Pa /etc/ssh/sshd_config
2179 +.Cm AuthorizedKeysCommand
2181 +.Dq /usr/libexec/ssh-ldap-wrapper .
2184 +is not intended to be invoked by the user, but from
2186 +.Xr ssh-ldap-wrapper .
2188 +The options are as follows:
2191 +Set the debug mode;
2193 +prints all logs to stderr instead of syslog.
2197 +halts if it encounters an unknown item in the ldap.conf file.
2200 +uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
2203 +prints out the user's keys to stdout and exits.
2206 +increases verbosity.
2209 +writes warnings about unknown items in the ldap.conf configuration file.
2213 +.Xr sshd_config 5 ,
2214 +.Xr ssh-ldap.conf 5 ,
2218 +OpenSSH 5.5 + PKA-LDAP .
2220 +.An Jan F. Chadima Aq jchadima@redhat.com
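Review bot: the AuthorizedKeysCommand value quoted here, `/usr/libexec/ssh-ldap-wrapper`, does not match the layout the rest of the patch uses: ssh-ldap-wrapper itself execs `/usr/libexec/openssh/ssh-ldap-helper`, so the wrapper is evidently installed under /usr/libexec/openssh/ too. Use one path consistently; an administrator who copies this line verbatim gets an sshd that silently fails every LDAP-backed public-key login. The text should also say, right next to AuthorizedKeysCommand, that AuthorizedKeysCommandUser must be set to a dedicated unprivileged account, since sshd refuses to run the command without it and that account is the one that ends up reading the bind credentials in ldap.conf. Two mdoc nits: `.Xr ssh-ldap-wrapper .` lacks the section argument that .Xr requires, and "keys provided by an LDAP" should read "an LDAP directory".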
2221 diff -urNp -x '*.orig' openssh-8.4p1.org/ssh-ldap-wrapper openssh-8.4p1/ssh-ldap-wrapper
2222 --- openssh-8.4p1.org/ssh-ldap-wrapper 1970-01-01 01:00:00.000000000 +0100
2223 +++ openssh-8.4p1/ssh-ldap-wrapper 2021-03-01 11:29:31.284290176 +0100
2227 +exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
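Review bot: sshd only runs an AuthorizedKeysCommand whose file and every parent directory are owned by root and not group or world writable, so the install rules and the man page should state that this one-line script must be installed with those permissions, otherwise sshd logs the command as unsafe and every key lookup fails. Since sshd 8.4 already expands `%u` in AuthorizedKeysCommand arguments (and passes the user name by default when no arguments are given), the wrapper adds nothing over `AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper -s %u`; if it is kept for compatibility, say so in a comment in the script.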
2229 diff -urNp -x '*.orig' openssh-8.4p1.org/ssh-ldap.conf.5 openssh-8.4p1/ssh-ldap.conf.5
2230 --- openssh-8.4p1.org/ssh-ldap.conf.5 1970-01-01 01:00:00.000000000 +0100
2231 +++ openssh-8.4p1/ssh-ldap.conf.5 2021-03-01 11:29:31.284290176 +0100
2233 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
2235 +.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
2237 +.\" Permission to use, copy, modify, and distribute this software for any
2238 +.\" purpose with or without fee is hereby granted, provided that the above
2239 +.\" copyright notice and this permission notice appear in all copies.
2241 +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
2242 +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
2243 +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
2244 +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
2245 +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
2246 +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
2247 +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
2249 +.Dd $Mdocdate: may 12 2010 $
2250 +.Dt SSH-LDAP.CONF 5
2254 +.Nd configuration file for ssh-ldap-helper
2256 +.Nm /etc/ssh/ldap.conf
2258 +.Xr ssh-ldap-helper 8
2259 +reads configuration data from
2260 +.Pa /etc/ssh/ldap.conf
2261 +(or the file specified with
2263 +on the command line).
2264 +The file contains keyword-argument pairs, one per line.
2265 +Lines starting with
2267 +and empty lines are interpreted as comments.
2269 +The value starts with the first non-blank character after
2270 +the keyword's name, and terminates at the end of the line,
2271 +or at the last sequence of blanks before the end of the line.
2272 +Quoting values that contain blanks
2273 +may be incorrect, as the quotes would become part of the value.
2274 +The possible keywords and their meanings are as follows (note that
2275 +keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
2278 +The argument(s) are in the form
2279 +.Pa ldap[si]://[name[:port]]
2280 +and specify the URI(s) of an LDAP server(s) to which the
2281 +.Xr ssh-ldap-helper 8
2282 +should connect. The URI scheme may be any of
2287 +which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
2288 +over IPC (UNIX domain sockets), respectively.
2289 +Each server's name can be specified as a
2290 +domain-style name or an IP address literal. Optionally, the
2291 +server's name can followed by a ':' and the port number the LDAP
2292 +server is listening on. If no port number is provided, the default
2293 +port for the scheme is used (389 for ldap://, 636 for ldaps://).
2294 +For LDAP over IPC, name is the name of the socket, and no port
2295 +is required, nor allowed; note that directory separators must be
2296 +URL-encoded, like any other characters that are special to URLs;
2297 +A space separated list of URIs may be provided.
2298 +There is no default.
2300 +Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
2301 +The base must be specified as a DN in LDAP format.
2302 +There is no default.
2304 +Specifies the default BIND DN to use when connecting to the ldap server.
2305 +The bind DN must be specified as a Distinguished Name in LDAP format.
2306 +There is no default.
2308 +Specifies the default password to use when connecting to the ldap server via
2310 +There is no default.
2312 +Intentionaly does nothing. Recognized for compatibility reasons.
2314 +The argument(s) specifies the name(s) of an LDAP server(s) to which the
2315 +.Xr ssh-ldap-helper 8
2316 +should connect. Each server's name can be specified as a
2317 +domain-style name or an IP address and optionally followed by a ':' and
2318 +the port number the ldap server is listening on. A space-separated
2319 +list of hosts may be provided.
2320 +There is no default.
2322 +is deprecated in favor of
2325 +Specifies the default port used when connecting to LDAP servers(s).
2326 +The port may be specified as a number.
2327 +The default port is 389 for ldap:// or 636 for ldaps:// respectively.
2329 +is deprecated in favor of
2332 +Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
2333 +There are three options (values) that can be assigned to the
2334 +.Cm Scope parameter:
2339 +Alias for the subtree is
2343 +is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
2346 +is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
2349 +is used to indicate searching of all entries at all levels under and including the specified base DN.
2353 +Specifies how alias dereferencing is done when performing a search. There are four
2354 +possible values that can be assigned to the
2364 +means that the aliases are never dereferenced.
2367 +means that the aliases are dereferenced in subordinates of the base object, but
2368 +not in locating the base object of the search.
2371 +means that the aliases are only dereferenced when locating the base object of the search.
2374 +means that the aliases are dereferenced both in searching and in locating the base object
2379 +Specifies a time limit (in seconds) to use when performing searches.
2380 +The number should be a non-negative integer. A
2382 +of zero (0) specifies that the search time is unlimited. Please note that the server
2383 +may still apply any server-side limit on the duration of a search operation.
2384 +The default value is 10.
2388 +.It Cm Bind_TimeLimit
2389 +Specifies the timeout (in seconds) after which the poll(2)/select(2)
2390 +following a connect(2) returns in case of no activity.
2391 +The default value is 10.
2392 +.It Cm Network_TimeOut
2394 +.Cm Bind_TimeLimit .
2395 +.It Cm Ldap_Version
2396 +Specifies what version of the LDAP protocol should be used.
2397 +The allowed values are 2 or 3. The default is 3.
2402 +Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
2406 +.Dq hard has 2 aliases
2412 +means that reconects that the
2413 +.Xr ssh-ldap-helper 8
2414 +tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
2418 +.Xr ssh-ldap-helper 8
2419 +fails immediately when it cannot connect to the LDAP seerver.
2423 +Specifies the path to the X.509 certificate database.
2424 +There is no default.
2426 +Specifies whether to use SSL/TLS or not.
2427 +There are three allowed values:
2436 +are the aliases for
2441 +are the aliases for
2445 +is specified then StartTLS is used rather than raw LDAP over SSL.
2446 +The default for ldap:// is
2453 +In case of host based configuration the default is
2456 +Specifies if the client should automatically follow referrals returned
2458 +The value can be or
2465 +are the aliases for
2470 +are the aliases for
2472 +The default is yes.
2474 +Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
2475 +The value can be or
2482 +are the aliases for
2487 +are the aliases for
2489 +The default is yes.
2490 +.It Cm TLS_CheckPeer
2491 +Specifies what checks to perform on server certificates in a TLS session,
2493 +can be specified as one of the following keywords:
2510 +are the aliases for
2514 +means that the client will not request or check any server certificate.
2517 +means that the server certificate is requested. If no certificate is provided,
2518 +the session proceeds normally. If a bad certificate is provided, it will
2519 +be ignored and the session proceeds normally.
2522 +means that the server certificate is requested. If no certificate is provided,
2523 +the session proceeds normally. If a bad certificate is provided,
2524 +the session is immediately terminated.
2527 +means that the server certificate is requested. If no
2528 +certificate is provided, or a bad certificate is provided, the session
2529 +is immediately terminated.
2534 +It requires an SSL connection. In the case of the plain conection the
2535 +session is immediately terminated.
2540 +.Cm TLS_CheckPeer .
2541 +.It Cm TLS_CACertFile
2542 +Specifies the file that contains certificates for all of the Certificate
2543 +Authorities the client will recognize.
2544 +There is no default.
2547 +.Cm TLS_CACertFile .
2548 +.It Cm TLS_CACertDIR
2549 +Specifies the path of a directory that contains Certificate Authority
2550 +certificates in separate individual files. The
2552 +is always used before
2553 +.Cm TLS_CACertDir .
2554 +The specified directory must be managed with the OpenSSL c_rehash utility.
2555 +There is no default.
2557 +Specifies acceptable cipher suite and preference order.
2558 +The value should be a cipher specification for OpenSSL,
2560 +.Dq HIGH:MEDIUM:+SSLv2 .
2563 +.It Cm TLS_Cipher_Suite
2567 +Specifies the file that contains the client certificate.
2568 +There is no default.
2569 +.It Cm TLS_Certificate
2573 +Specifies the file that contains the private key that matches the certificate
2576 +file. Currently, the private key must not be protected with a password, so
2577 +it is of critical importance that the key file is protected carefully.
2578 +There is no default.
2579 +.It Cm TLS_RandFile
2580 +Specifies the file to obtain random bits from when /dev/[u]random is
2581 +not available. Generally set to the name of the EGD/PRNGD socket.
2582 +The environment variable RANDFILE can also be used to specify the filename.
2583 +There is no default.
2585 +Specifies the directory used for logging by the LDAP client library.
2586 +There is no default.
2588 +Specifies the debug level used for logging by the LDAP client library.
2589 +There is no default.
2591 +Specifies the user filter applied on the LDAP serch.
2592 +The default is no filter.
2593 +.It Cm AccountClass
2594 +Specifies the LDAP class used to find user accounts.
2595 +The default is posixAccount.
2599 +.It Pa /etc/ssh/ldap.conf
2600 +Ldap configuration file for
2601 +.Xr ssh-ldap-helper 8 .
2605 +.Xr ssh-ldap-helper 8
2609 +OpenSSH 5.5 + PKA-LDAP .
2611 +.An Jan F. Chadima Aq jchadima@redhat.com
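Review bot: `TLS_CheckPeer` is the setting that decides whether an on-path attacker can impersonate the directory and hand sshd arbitrary `sshPublicKey` values, yet the page lists `never`, `allow` and `try` as neutral alternatives and the default is not stated beside the keyword. State the default there, and say plainly that only `demand`/`hard` authenticates the server and therefore is the only value under which LDAP-sourced authorized keys can be trusted; the same applies to `SSL`, since with plain `ldap://` and no StartTLS both the keys and the `BindPW` cross the network in the clear. The cipher specification shown for `TLS_Cipher_Suite`, `HIGH:MEDIUM:+SSLv2`, should drop `+SSLv2` and `MEDIUM`; and `Ldap_Version` should not advertise 2 as an allowed value without noting that LDAPv2 is retired. `BindPW` puts a plaintext directory password in /etc/ssh/ldap.conf, and the helper reads it as AuthorizedKeysCommandUser, so the FILES section should give the required ownership and mode (readable by that account only, not world-readable). `Bind_Policy hard` retries five times with exponential backoff and each attempt is bounded by `Bind_TimeLimit` (10 s); that time is spent inside sshd's authentication of the connecting user and is capped by LoginGraceTime, so document the worst case, since a directory outage becomes a login outage. Typos: `.Dd $Mdocdate: may 12 2010 $` (mdoc expects "May"), "Intentionaly", "means that reconects that the", "seerver", "conection", "serch".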