diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/Makefile.in openssh-4.0p1-lpk/Makefile.in --- openssh-4.0p1/Makefile.in 2005-02-26 00:12:38.000000000 +0100 +++ openssh-4.0p1-lpk/Makefile.in 2005-03-12 00:38:11.000000000 +0100 @@ -86,7 +86,7 @@ auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - audit.o audit-bsm.o + audit.o audit-bsm.o ldapauth.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/auth-rsa.c openssh-4.0p1-lpk/auth-rsa.c --- openssh-4.0p1/auth-rsa.c 2004-12-11 03:39:50.000000000 +0100 +++ openssh-4.0p1-lpk/auth-rsa.c 2005-03-12 00:34:31.000000000 +0100 @@ -160,10 +160,96 @@ u_long linenum = 0; struct stat st; Key *key; +#ifdef WITH_LDAP_PUBKEY + ldap_key_t * k; + int i = 0; +#endif /* Temporarily use the user's uid. */ temporarily_use_uid(pw); +#ifdef WITH_LDAP_PUBKEY + /* here is the job */ + key = key_new(KEY_RSA1); + + if (options.lpk.on) { + debug("[LDAP] trying LDAP first uid=%s", pw->pw_name); + if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) { + if ( (k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) { + for (i = 0 ; i < k->num ; i++) { + char *cp, *options; + + for (cp = k->keys[i]; *cp == ' ' || *cp == '\t'; cp++) + ; + if (!*cp || *cp == '\n' || *cp == '#') + continue; + + /* + * Check if there are options for this key, and if so, + * save their starting address and skip the option part + * for now. If there are no options, set the starting + * address to NULL. + */ + if (*cp < '0' || *cp > '9') { + int quoted = 0; + options = cp; + for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { + if (*cp == '\\' && cp[1] == '"') + cp++; /* Skip both */ + else if (*cp == '"') + quoted = !quoted; + } + } else + options = NULL; + + /* Parse the key from the line. */ + if (hostfile_read_key(&cp, &bits, key) == 0) { + debug("[LDAP] line %d: non ssh1 key syntax", i); + continue; + } + /* cp now points to the comment part. */ + + /* Check if the we have found the desired key (identified by its modulus). */ + if (BN_cmp(key->rsa->n, client_n) != 0) + continue; + + /* check the real bits */ + if (bits != BN_num_bits(key->rsa->n)) + logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: " + "actual %d vs. announced %d.", (unsigned long)i, BN_num_bits(key->rsa->n), bits); + + /* We have found the desired key. */ + /* + * If our options do not allow this key to be used, + * do not send challenge. + */ + if (!auth_parse_options(pw, options, "[LDAP]", (unsigned long) i)) + continue; + + /* break out, this key is allowed */ + allowed = 1; + + /* add the return stuff etc... */ + /* Restore the privileged uid. */ + restore_uid(); + + /* return key if allowed */ + if (allowed && rkey != NULL) + *rkey = key; + else + key_free(key); + + ldap_keys_free(k); + return (allowed); + } + } else { + logit("[LDAP] no keys found for '%s'!", pw->pw_name); + } + } else { + logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup); + } + } +#endif /* The authorized keys. */ file = authorized_keys_file(pw); debug("trying public RSA key file %s", file); diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/auth2-pubkey.c openssh-4.0p1-lpk/auth2-pubkey.c --- openssh-4.0p1/auth2-pubkey.c 2004-12-11 03:39:50.000000000 +0100 +++ openssh-4.0p1-lpk/auth2-pubkey.c 2005-03-12 00:34:31.000000000 +0100 @@ -43,6 +43,10 @@ #include "monitor_wrap.h" #include "misc.h" +#ifdef WITH_LDAP_PUBKEY +#include "ldapauth.h" +#endif + /* import */ extern ServerOptions options; extern u_char *session_id2; @@ -176,10 +180,77 @@ struct stat st; Key *found; char *fp; +#ifdef WITH_LDAP_PUBKEY + ldap_key_t * k; + int i = 0; +#endif /* Temporarily use the user's uid. */ temporarily_use_uid(pw); +#ifdef WITH_LDAP_PUBKEY + found_key = 0; + /* allocate a new key type */ + found = key_new(key->type); + + /* first check if the options is enabled, then try.. */ + if (options.lpk.on) { + debug("[LDAP] trying LDAP first uid=%s",pw->pw_name); + if (ldap_ismember(&options.lpk, pw->pw_name) > 0) { + if ((k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) { + char *cp, *options = NULL; + /* Skip leading whitespace, empty and comment lines. */ + for (i = 0 ; i < k->num ; i++) { + for (cp = (char *)k->keys[i]; *cp == ' ' || *cp == '\t'; cp++) + ; + if (!*cp || *cp == '\n' || *cp == '#') + continue; + + if (key_read(found, &cp) != 1) { + /* no key? check if there are options for this key */ + int quoted = 0; + debug2("[LDAP] user_key_allowed: check options: '%s'", cp); + options = cp; + for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { + if (*cp == '\\' && cp[1] == '"') + cp++; /* Skip both */ + else if (*cp == '"') + quoted = !quoted; + } + /* Skip remaining whitespace. */ + for (; *cp == ' ' || *cp == '\t'; cp++) + ; + if (key_read(found, &cp) != 1) { + debug2("[LDAP] user_key_allowed: advance: '%s'", cp); + /* still no key? advance to next line*/ + continue; + } + } + + if (key_equal(found, key) && + auth_parse_options(pw, options, file, linenum) == 1) { + found_key = 1; + debug("[LDAP] matching key found"); + fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); + verbose("[LDAP] Found matching %s key: %s", key_type(found), fp); + + /* restoring memory */ + ldap_keys_free(k); + xfree(fp); + restore_uid(); + key_free(found); + return found_key; + break; + } + }/* end of LDAP for() */ + } else { + logit("[LDAP] no keys found for '%s'!", pw->pw_name); + } + } else { + logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup); + } + } +#endif debug("trying public key file %s", file); /* Fail quietly if file does not exist */ diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/ldapauth.c openssh-4.0p1-lpk/ldapauth.c --- openssh-4.0p1/ldapauth.c 1970-01-01 01:00:00.000000000 +0100 +++ openssh-4.0p1-lpk/ldapauth.c 2005-03-15 23:29:48.000000000 +0100 @@ -0,0 +1,308 @@ +/* + * + * Copyright (c) 2005, Eric AUGE + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. + * Neither the name of the phear.org nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, + * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * + */ + +#include +#include +#include +#include + + +#include "ldapauth.h" + +static char *attrs[] = { + PUBKEYATTR, + NULL +}; + +/* just filter building stuff */ +#define REQUEST_GROUP_SIZE(grp, uid) (size_t) (strlen(grp)+strlen(uid)+46) +#define REQUEST_GROUP(buffer,pwname,grp) \ + buffer = (char *) calloc(REQUEST_GROUP_SIZE(grp, pwname), sizeof(char)); \ + if (!buffer) { \ + perror("calloc()"); \ + return FAILURE; \ + } \ + snprintf(buffer,REQUEST_GROUP_SIZE(grp,pwname),"(&(objectclass=posixGroup)(cn=%s)(memberUid=%s))",grp,pwname) + +#define REQUEST_USER_SIZE(uid) (size_t) (strlen(uid)+64) +#define REQUEST_USER(buffer, pwname) \ + buffer = (char *) calloc(REQUEST_USER_SIZE(pwname), sizeof(char)); \ + if (!buffer) { \ + perror("calloc()"); \ + return NULL; \ + } \ + snprintf(buffer,REQUEST_USER_SIZE(pwname),"(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s))",pwname) + +/* some portable and working tokenizer, lame though */ +static int tokenize(char ** o, size_t size, char * input) { + unsigned int i = 0, num; + char * charset = " \t"; + char * ptr = input; + + /* leading white spaces are ignored */ + num = strspn(ptr, charset); + ptr += num; + + while ((num = strcspn(ptr, charset))) { + if (i < size-1) { + o[i++] = ptr; + ptr += num; + if (*ptr) + *ptr++ = '\0'; + } + } + o[i] = NULL; + return SUCCESS; +} + +/* init && bind XXX TLS missing */ +int ldap_connect(ldap_opt_t * ldap) { + int version = LDAP_VERSION3; + + if (!ldap->servers) + return FAILURE; + + ldap->ld = ldap_init(ldap->servers, LDAP_PORT); + if (!ldap->ld) { + ldap_perror(ldap->ld, "ldap_init()"); + return FAILURE; + } + + if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_OPT_SUCCESS) { + ldap_perror(ldap->ld, "ldap_set_option()"); + return FAILURE; + } + + /* TLS support */ + if (ldap_start_tls_s(ldap->ld, NULL, NULL ) != LDAP_SUCCESS) { + /* failed then reinit the initial connect */ + ldap_perror(ldap->ld, "ldap_connect: (TLS) ldap_start_tls()"); + + ldap->ld = ldap_init(ldap->servers, LDAP_PORT); + if (!ldap->ld) { + ldap_perror(ldap->ld, "ldap_init()"); + return FAILURE; + } + + if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_OPT_SUCCESS) { + ldap_perror(ldap->ld, "ldap_set_option()"); + return FAILURE; + } + } + + + if ( ldap_simple_bind_s(ldap->ld, ldap->binddn, ldap->bindpw) != LDAP_SUCCESS) { + ldap_perror(ldap->ld, "ldap_simple_bind_s()"); + return FAILURE; + } + + return SUCCESS; +} + +/* must free allocated ressource */ +static char * ldap_build_host(char *host, int port) { + unsigned int size = strlen(host)+11; + char * h = (char *) calloc (size, sizeof(char)); + int rc; + if (!h) + return NULL; + + rc = snprintf(h, size, "%s:%d ", host, port); + if (rc == -1) + return NULL; + return h; +} + +/* a bit dirty but leak free */ +char * ldap_parse_servers(char * servers) { + char * s = NULL; + char * tmp = NULL, *urls[32]; + unsigned int num = 0 , i = 0 , asize = 0; + LDAPURLDesc *urld[32]; + + if (!servers) + return NULL; + + /* local copy of the arg */ + s = strdup(servers); + if (!s) + return NULL; + + /* first separate into URL tokens */ + if ( tokenize(urls, sizeof(urls)/sizeof(*urls), s) < 0) + return NULL; + + i = 0; + while (urls[i]) { + if ( ldap_is_ldap_url(urls[i]) ) { + if (ldap_url_parse(urls[i], &urld[i]) != 0) + return NULL; + } + i++; + } + + /* now free(s) */ + free (s); + + /* how much memory do we need */ + num = i; + for (i = 0 ; i < num ; i++) + asize += strlen(urld[i]->lud_host)+11; + + /* alloc */ + s = (char *) calloc( asize+1 , sizeof(char)); + if (!s) { + for (i = 0 ; i < num ; i++) + ldap_free_urldesc(urld[i]); + return NULL; + } + + /* then build the final host string */ + for (i = 0 ; i < num ; i++) { + /* built host part */ + tmp = ldap_build_host(urld[i]->lud_host, urld[i]->lud_port); + strncat(s, tmp, strlen(tmp)); + ldap_free_urldesc(urld[i]); + free(tmp); + } + + return s; +} + +void ldap_options_print(ldap_opt_t * ldap) { + printf("ldap options:\n"); + printf("servers: %s\n", ldap->servers); + printf("user basedn: %s\n", ldap->u_basedn); + printf("group basedn: %s\n", ldap->g_basedn); + printf("binddn: %s\n", ldap->binddn); + printf("bindpw: %s\n", ldap->bindpw); + printf("group: %s\n", ldap->sgroup); +} + +void ldap_options_free(ldap_opt_t * l) { + if (!l) + return; + if (l->servers) + free(l->servers); + if (l->u_basedn) + free(l->u_basedn); + if (l->g_basedn) + free(l->g_basedn); + if (l->binddn) + free(l->binddn); + if (l->bindpw) + free(l->bindpw); + if (l->sgroup) + free(l->sgroup); + free(l); +} + +/* free keys */ +void ldap_keys_free(ldap_key_t * k) { + ldap_value_free(k->keys); + free(k); + return; +} + +ldap_key_t * ldap_getuserkey(ldap_opt_t *l, char * user) { + ldap_key_t * k = (ldap_key_t *) calloc (1, sizeof(ldap_key_t)); + LDAPMessage *res, *e; + char * filter; + int i; + + if (!k) + return NULL; + + /* build filter for LDAP request */ + REQUEST_USER(filter, user); + + if ( ldap_search_s( l->ld, + l->u_basedn, + LDAP_SCOPE_SUBTREE, + filter, + attrs, 0, &res ) != LDAP_SUCCESS) { + ldap_perror(l->ld, "ldap_search_s()"); + + free(filter); + free(k); + + return NULL; + } + + /* free */ + free(filter); + + /* check if any results */ + i = ldap_count_entries(l->ld,res); + if (i <= 0) { + ldap_msgfree(res); + free(k); + return NULL; + } + + if (i > 1) + printf("[LDAP] duplicate entries, using the FIRST entry returned\n"); + + e = ldap_first_entry(l->ld, res); + k->keys = ldap_get_values(l->ld, e, PUBKEYATTR); + k->num = ldap_count_values(k->keys); + + ldap_msgfree(res); + return k; +} + + +/* -1 if trouble + 0 if user is NOT member of current server group + 1 if user IS MEMBER of current server group + */ +int ldap_ismember(ldap_opt_t * l, char * user) { + LDAPMessage *res; + char * filter; + + if ((!l->sgroup) || !(l->g_basedn)) + return 1; + + /* build filter for LDAP request */ + REQUEST_GROUP(filter, user, l->sgroup); + + if (ldap_search_s ( l->ld, + l->g_basedn, + LDAP_SCOPE_SUBTREE, + filter, + NULL, 0, &res) != LDAP_SUCCESS) { + ldap_perror(l->ld, "ldap_search_s()"); + + free(filter); + return FAILURE; + } + + free(filter); + + /* check if any results */ + if (ldap_count_entries(l->ld, res) > 0) { + ldap_msgfree(res); + return 1; + } + + ldap_msgfree(res); + return 0; +} diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/ldapauth.h openssh-4.0p1-lpk/ldapauth.h --- openssh-4.0p1/ldapauth.h 1970-01-01 01:00:00.000000000 +0100 +++ openssh-4.0p1-lpk/ldapauth.h 2005-03-12 00:34:31.000000000 +0100 @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2005, Eric AUGE + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: + * + * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. + * Neither the name of the phear.org nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, + * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * + */ + +#ifndef LDAPAUTH_H +#define LDAPAUTH_H + +#include +#include +#include + +/* tokens in use for config */ +#define _DEFAULT_LPK_TOKEN "UseLPK" +#define _DEFAULT_SRV_TOKEN "LpkServers" +#define _DEFAULT_USR_TOKEN "LpkUserDN" +#define _DEFAULT_GRP_TOKEN "LpkGroupDN" +#define _DEFAULT_BDN_TOKEN "LpkBindDN" +#define _DEFAULT_BPW_TOKEN "LpkBindPw" +#define _DEFAULT_MYG_TOKEN "LpkServerGroup" + +/* default options */ +#define _DEFAULT_LPK_ON 1 +#define _DEFAULT_LPK_SERVERS NULL +#define _DEFAULT_LPK_UDN NULL +#define _DEFAULT_LPK_GDN NULL +#define _DEFAULT_LPK_BINDDN NULL +#define _DEFAULT_LPK_BINDPW NULL +#define _DEFAULT_LPK_SGROUP NULL + +/* defines */ +#define FAILURE -1 +#define SUCCESS 0 +#define PUBKEYATTR "sshPublicKey" + +/* structures */ +typedef struct ldap_options { + int on; /* Use it or NOT */ + LDAP * ld; /* LDAP file desc */ + char * servers; /* parsed servers for ldaplib failover handling */ + char * u_basedn; /* user basedn */ + char * g_basedn; /* group basedn */ + char * binddn; /* binddn */ + char * bindpw; /* bind password */ + char * sgroup; /* server group */ +} ldap_opt_t; + +typedef struct ldap_keys { + char ** keys; /* the public keys retrieved */ + unsigned int num; /* number of keys */ +} ldap_key_t; + + +/* function headers */ +int ldap_connect(ldap_opt_t *); +char * ldap_parse_servers(char *); +void ldap_options_print(ldap_opt_t *); +void ldap_options_free(ldap_opt_t *); +void ldap_keys_free(ldap_key_t *); +ldap_key_t * ldap_getuserkey(ldap_opt_t *, char *); +int ldap_ismember(ldap_opt_t *, char *); + +#endif diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/servconf.c openssh-4.0p1-lpk/servconf.c --- openssh-4.0p1/servconf.c 2005-03-01 11:24:33.000000000 +0100 +++ openssh-4.0p1-lpk/servconf.c 2005-03-12 00:34:31.000000000 +0100 @@ -23,6 +23,10 @@ #include "kex.h" #include "mac.h" +#ifdef WITH_LDAP_PUBKEY +#include "ldapauth.h" +#endif + static void add_listen_addr(ServerOptions *, char *, u_short); static void add_one_listen_addr(ServerOptions *, char *, u_short); @@ -101,7 +105,17 @@ options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; options->num_accept_env = 0; - +#ifdef WITH_LDAP_PUBKEY + /* XXX dirty */ + options->lpk.ld = NULL; + options->lpk.on = -1; + options->lpk.servers = NULL; + options->lpk.u_basedn = NULL; + options->lpk.g_basedn = NULL; + options->lpk.binddn = NULL; + options->lpk.bindpw = NULL; + options->lpk.sgroup = NULL; +#endif /* Needs to be accessable in many places */ use_privsep = -1; } @@ -229,7 +243,22 @@ } if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; - +#ifdef WITH_LDAP_PUBKEY + if (options->lpk.on == -1) + options->lpk.on = _DEFAULT_LPK_ON; + if (options->lpk.servers == NULL) + options->lpk.servers = _DEFAULT_LPK_SERVERS; + if (options->lpk.u_basedn == NULL) + options->lpk.u_basedn = _DEFAULT_LPK_UDN; + if (options->lpk.g_basedn == NULL) + options->lpk.g_basedn = _DEFAULT_LPK_GDN; + if (options->lpk.binddn == NULL) + options->lpk.binddn = _DEFAULT_LPK_BINDDN; + if (options->lpk.bindpw == NULL) + options->lpk.bindpw = _DEFAULT_LPK_BINDPW; + if (options->lpk.sgroup == NULL) + options->lpk.sgroup = _DEFAULT_LPK_SGROUP; +#endif /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = 1; @@ -273,6 +302,9 @@ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sUsePrivilegeSeparation, sDeprecated, sUnsupported +#ifdef WITH_LDAP_PUBKEY + ,sLdapPublickey, sLdapServers, sLdapUserDN, sLdapGroupDN, sBindDN, sBindPw, sMyGroup +#endif } ServerOpCodes; /* Textual representation of the tokens. */ @@ -371,6 +403,15 @@ { "clientalivecountmax", sClientAliveCountMax }, { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, +#ifdef WITH_LDAP_PUBKEY + { _DEFAULT_LPK_TOKEN, sLdapPublickey }, + { _DEFAULT_SRV_TOKEN, sLdapServers }, + { _DEFAULT_USR_TOKEN, sLdapUserDN }, + { _DEFAULT_GRP_TOKEN, sLdapGroupDN }, + { _DEFAULT_BDN_TOKEN, sBindDN }, + { _DEFAULT_BPW_TOKEN, sBindPw }, + { _DEFAULT_MYG_TOKEN, sMyGroup }, +#endif { "useprivilegeseparation", sUsePrivilegeSeparation}, { "acceptenv", sAcceptEnv }, { NULL, sBadOption } @@ -949,6 +990,77 @@ while (arg) arg = strdelim(&cp); break; +#ifdef WITH_LDAP_PUBKEY + case sLdapPublickey: + intptr = &options->lpk.on; + goto parse_flag; + case sLdapServers: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing ldap server",filename,linenum); + arg[strlen(arg)] = '\0'; + if ((options->lpk.servers = ldap_parse_servers(arg)) == NULL) + fatal("%s line %d: error in ldap servers", filename, linenum); + memset(arg,0,strlen(arg)); + break; + case sLdapUserDN: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing ldap server",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk.u_basedn = xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sLdapGroupDN: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing ldap server",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk.g_basedn = xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sBindDN: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing binddn",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk.binddn = xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sBindPw: + /* arg = strdelim(&cp); */ + p = line; + while(*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing bindpw",filename,linenum); + arg[strlen(arg)] = '\0'; + options->lpk.bindpw = xstrdup(arg); + memset(arg,0,strlen(arg)); + break; + case sMyGroup: + p = line; + while (*p++); + arg = p; + if (!arg || *arg == '\0') + fatal("%s line %d: missing groupname",filename, linenum); + arg[strlen(arg)] = '\0'; + options->lpk.sgroup = xstrdup(arg); + memset(arg,0,strlen(arg)); + break; +#endif default: fatal("%s line %d: Missing handler for opcode %s (%d)", diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/servconf.h openssh-4.0p1-lpk/servconf.h --- openssh-4.0p1/servconf.h 2005-01-20 00:57:56.000000000 +0100 +++ openssh-4.0p1-lpk/servconf.h 2005-03-12 00:34:31.000000000 +0100 @@ -18,6 +18,10 @@ #include "buffer.h" +#ifdef WITH_LDAP_PUBKEY +#include "ldapauth.h" +#endif + #define MAX_PORTS 256 /* Max # ports. */ #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */ @@ -134,6 +138,9 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; int use_pam; /* Enable auth via PAM */ +#ifdef WITH_LDAP_PUBKEY + ldap_opt_t lpk; +#endif } ServerOptions; void initialize_server_options(ServerOptions *); diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/sshd.c openssh-4.0p1-lpk/sshd.c --- openssh-4.0p1/sshd.c 2005-03-06 12:38:52.000000000 +0100 +++ openssh-4.0p1-lpk/sshd.c 2005-03-12 00:37:33.000000000 +0100 @@ -93,6 +93,10 @@ int deny_severity = LOG_WARNING; #endif /* LIBWRAP */ +#ifdef WITH_LDAP_PUBKEY +#include "ldapauth.h" +#endif + #ifndef O_NOCTTY #define O_NOCTTY 0 #endif @@ -1076,6 +1080,13 @@ exit(1); } +#ifdef WITH_LDAP_PUBKEY + ldap_options_print(&options.lpk); + /* XXX initialize/check ldap connection and set *LD */ + if (options.lpk.on && ldap_connect(&options.lpk) < 0) { + error("[LDAP] Could not initialize ldap connections"); + } +#endif debug("sshd version %.100s", SSH_RELEASE); /* load private host keys */ diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/sshd_config openssh-4.0p1-lpk/sshd_config --- openssh-4.0p1/sshd_config 2005-01-20 00:57:56.000000000 +0100 +++ openssh-4.0p1-lpk/sshd_config 2005-03-12 00:34:31.000000000 +0100 @@ -38,8 +38,8 @@ #StrictModes yes #MaxAuthTries 6 -#RSAAuthentication yes -#PubkeyAuthentication yes +RSAAuthentication yes +PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts @@ -53,11 +53,11 @@ #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no +PasswordAuthentication yes +PermitEmptyPasswords no # Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no @@ -88,9 +88,9 @@ #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -#UsePrivilegeSeparation yes +UsePrivilegeSeparation no #PermitUserEnvironment no -#Compression yes +Compression no #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes @@ -99,6 +99,16 @@ # no default banner path #Banner /some/path + +# here is the new patched ldap related tokens +# entries in your LDAP must have posixAccount & ldapPublicKey objectclass +UseLPK yes +LpkServers ldap://127.0.0.4 ldap://127.0.0.3 ldap://127.0.0.1/ +LpkUserDN ou=users,dc=phear,dc=org +LpkGroupDN ou=groups,dc=phear,dc=org +#LpkBindDN cn=Manager,dc=phear,dc=org +#LpkBindPw secret +LpkServerGroup mail # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server diff -Nru -x 'config.*' -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.0p1/sshd_config.5 openssh-4.0p1-lpk/sshd_config.5 --- openssh-4.0p1/sshd_config.5 2005-03-01 11:24:34.000000000 +0100 +++ openssh-4.0p1-lpk/sshd_config.5 2005-03-12 00:34:31.000000000 +0100 @@ -760,6 +760,32 @@ program. The default is .Pa /usr/X11R6/bin/xauth . +.It Cm UseLPK +Enable LDAP public key resolution. The argument must be +.Dq yes +or +.Dq no . +.It Cm LpkServers +Specifies LDAP one or more [:space:] separated server's url the following form may be used: +.Pp +.Bl -item -offset indent -compact +.It +.Cm LpkServers +.Sm off +.Ar LpkServers ldaps://127.0.0.1 ldap://127.0.0.2 ldap://127.0.0.3 +.Sm on +.It Cm LpkUserDN/LpkGroupDN +.Sm off +.Ar LpkUserDN ou=groups,dc=phear,dc=org +.Sm on +.El +.Pp +.It Cm LpkBindDN +Specifies a LDAP bind DN to use when doing ldap lookups. +.It Cm LpkBindPw +Specifies a LDAP bind Password associated to the previous token. +.It Cm LpkServerGroup +Specifies the group is the host is part of. .El .Ss Time Formats .Nm sshd