Bug 1871025

Summary: Deprecation notice: openssh-ldap
Product: Red Hat Enterprise Linux 8
Reporter: Jakub Jelen <jjelen>
Component: doc-Release_Notes-8-en-US
Assignee: Lucie Vařáková <lmanasko>
Status: CLOSED CURRENTRELEASE
QA Contact: RHEL DPM <rhel-docs>
Severity: unspecified
Docs Contact: Josip Vilicic <jvilicic>
Priority: medium
Version: 8.3
CC: jvilicic, rhel-docs, sbose
Target Milestone: rc
Keywords: Documentation
Target Release: 8.3
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Deprecated Functionality
Doc Text:
.`openssh-ldap` has been deprecated

The `openssh-ldap` subpackage has been deprecated in Red Hat Enterprise Linux 8 and will be removed in RHEL 9. As the `openssh-ldap` subpackage is not maintained upstream, Red Hat recommends using SSSD and the `sss_ssh_authorizedkeys` helper, which integrate better with other IdM solutions and are more secure.

By default, the SSSD `ldap` and `ipa` providers read the `sshPublicKey` LDAP attribute of the user object, if available. Note that you cannot use the default SSSD configuration for the `ad` provider or IdM trusted domains to retrieve SSH public keys from Active Directory (AD), since AD does not have a default LDAP attribute to store a public key.

To allow the `sss_ssh_authorizedkeys` helper to get the key from SSSD, enable the `ssh` responder by adding `ssh` to the `services` option in the `sssd.conf` file. See the `sssd.conf(5)` man page for details.

To allow `sshd` to use `sss_ssh_authorizedkeys`, add the `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys` and `AuthorizedKeysCommandUser nobody` options to the `/etc/ssh/sshd_config` file as described by the `sss_ssh_authorizedkeys(1)` man page.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-09 12:46:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jakub Jelen 2020-08-21 07:24:42 UTC
The openssh-ldap subpackage provides helper binaries to pull authorized keys for sshd from LDAP. It is implemented as an unmaintained downstream patch. The same functionality is provided by sssd-ldap with better integration with other IdM solutions and better security.

It will be removed in the next major RHEL releases.

http://post-office.corp.redhat.com/archives/idm-tech/2020-August/msg00156.html
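
A quick offline check for the two settings the Doc Text describes, as an added example that is not part of the bug report or of Red Hat's documentation. The function names and the sample files are constructed for illustration; the `sshd_config` reader assumes whitespace-separated `Keyword value` lines and only looks at the global section before the first `Match` block.

```shell
#!/bin/sh
# Added example: verify the sssd.conf and sshd_config settings from the Doc Text.

# True if the [sssd] section lists "ssh" in its "services" option.
sssd_ssh_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                      # keep only the value
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "ssh") found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print the first global value of keyword $2. sshd keeps the first value it
# reads and treats keywords case-insensitively; parsing stops at "Match".
sshd_global_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# True if sshd calls the SSSD helper and runs it as the "nobody" user.
sshd_uses_sss() {
    [ "$(sshd_global_value "$1" AuthorizedKeysCommand)" = "/usr/bin/sss_ssh_authorizedkeys" ] &&
    [ "$(sshd_global_value "$1" AuthorizedKeysCommandUser)" = "nobody" ]
}

# Constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
printf '[sssd]\nservices = nss, pam, ssh\ndomains = example\n' > "$demo_dir/sssd.conf"
printf '# constructed\nauthorizedkeyscommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser nobody\n' > "$demo_dir/sshd_config"

if sssd_ssh_enabled "$demo_dir/sssd.conf"; then echo "sssd: ssh responder enabled"; else echo "sssd: ssh responder missing"; fi
if sshd_uses_sss "$demo_dir/sshd_config"; then echo "sshd: uses sss_ssh_authorizedkeys"; else echo "sshd: helper not configured"; fi
```

On a real host, pass copies of `/etc/sssd/sssd.conf` and `/etc/ssh/sshd_config` to the two functions; settings placed inside `Match` blocks are not evaluated by this check.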