Bug 455350

Summary: [FEAT] OpenSSH to support centralized management of SSH keys
Product: Red Hat Enterprise Linux 6 Reporter: Daniel Riek <riek>
Component: opensshAssignee: Jan F. Chadima <jchadima>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: high    
Version: 6.0CC: barrowkwan, borgan, ddumas, herrold, jrieden, k.georgiou, liko, mkhusid, mvadkert, reed, sgrubb, snagar, soumplis, syeghiay, tao
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-5.3p1-47.el6 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 13:30:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 215741, 655920    

Description Daniel Riek 2008-07-14 22:58:19 UTC 
Copying this RHEL5 RFE to RHEL6, in order to track for that release.

The requested changes have not been accepted upstream, so the request is to
either try to help getting them accepted upstream or to find an alternate
solution for the problem of dynamic ssh-key distribution (and removal) for
(large) centrally managed environments.

+++ This bug was initially created as a clone of Bug #215741 +++

Description of problem:

When a user is disabled (ie locked) on the ldap server (because they are
terminated, etc...) and they have access to their ssh private key, they will
still be able to login to any server in the organization that contains their ssh
public key. This can be considered an security breach by an auditing team.

With the ability to lookup ssh keys over LDAP, the directory server will have
the ability to not send the public key to the user logging in, even if they have
the correct private key.

Additional info:

A patch enabling this is available here: http://dev.inversepath.com/trac/openssh-lpk
Comment 1 Reed Loden 2009-04-06 10:05:27 UTC 
The patch has moved to http://code.google.com/p/openssh-lpk/
Comment 3 Steve Grubb 2009-11-18 15:25:51 UTC 
*** Bug 529062 has been marked as a duplicate of this bug. ***
Comment 4 Jan F. Chadima 2009-11-20 10:26:36 UTC 
The more correct patch to sshd is posted to mindrot bugzilla as #1663
Comment 5 Siddharth Nagar 2010-03-11 15:41:31 UTC 
Deferring to 6.1
Comment 6 Jan F. Chadima 2010-06-07 10:21:59 UTC 
The patched version is successfuly tested and deployed in fedora.
Comment 17 Denise Dumas 2011-02-08 19:59:19 UTC 
This is in Modified but I'm not seeing it in the openssh errata. You need to get the brew build updates and add it. This should have happened by the 6.1 code freeze, which was last Friday Feb 4.
Comment 21 Miroslav Vadkerti 2011-03-10 12:06:04 UTC 
I was manually able to use this feature and it works. Testing was done only using ldap server without TLS. I'm currently creating a RHTS test that will automatize the testing and will also test the feature in more depth.

The problem is the documentation because it is in many places misleading and it is scattered in 3 files:
/usr/share/doc/openssh-ldap-5.5p1/lpk-user-example.txt
/usr/share/doc/openssh-ldap-5.5p1/README.lpk
/usr/share/doc/openssh-ldap-5.3p1/HOWTO.ldap-keys

I recommend to have one file which will contain step to step up-to-date guide how to set up openssh for getting public keys from ldap server and some basic information maybe. Sections describing LPK should be wiped, for example this from lpk-user-example.txt:
Add the following config to /etc/ssh/ssh_config
UseLPK yes
LpkServers ldap://myhost.mydomain.com
LpkUserDN  ou=People,dc=mydomain,dc=com

The man page for ssh-ldap-helper is misleading as it says it can be used in sshd_config. This is not true, ssh-wrapper should be used instead in the latest version. The man page should mention that this tool is great for manual testing (not the oposite as it does now).

ssh-ldap-helper run without parameters should return the help and not end without a message.

The man page for ssh-ldap.conf was generated incorrectly and is missing new lines:
http://pastebin.test.redhat.com/43497

Both man pages should be reviewed by some other senior developer and then also by the documentation team.

Moving to assigned as the documentation for this nice feature needs improvements.
Comment 22 Miroslav Vadkerti 2011-03-11 08:11:30 UTC 
Great the new package openssh-5.3p1-46.el5 now comes with a nice HOWTO in one file. The howto is understandable but needs to be reviewed by the documentation team to fix any gramatical issues. I'm contacting them to get this done.

The man page for ssh-ldap-helper is corrected now.

The ssh-ldap.conf is still broken (no newlines) and needs to be fixed so the bug stays in assigned.
Comment 26 errata-xmlrpc 2011-05-19 13:30:04 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0598.html
Comment 27 Barrow Kwan 2012-05-07 21:44:36 UTC 
I am trying to get this working with our Active Directory but has problem with the ldap_searching string.

I am wondering if this can be made configurable in the /etc/ssh/ldap.conf


In the openssh-5.3p1-ldap.patch file,  if we can make this changeable in /etc/ssh/ldap.conf, that will be very helpful.

right now I have to change this

+#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"

to


+#define LDAPSEARCH_FORMAT "(&(objectclass=user)(uid=%s)%s)"


thanks