Bug 589360

Summary: openssh-ldap doesn't accept tls_checkpeer yes
Product: Fedora
Component: openssh
Version: 14
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: low
Reporter: Ruben Kerkhof <ruben>
Assignee: Jan F. Chadima <jchadima>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jchadima, mgrepl, tmraz
Fixed In Version: openssh-5.5p1-10
Doc Type: Bug Fix
Last Closed: 2010-10-17 13:46:17 EDT

Description Ruben Kerkhof 2010-05-05 18:56:35 EDT
Description of problem:

I'm testing the new ldap public key support. My /etc/ldap.conf contains the following setting:

tls_checkpeer yes

Which, according to nss_ldap(5), is either yes or no.

Running the ldap helper shows that this is not valid:

/usr/libexec/openssh/ssh-ldap-helper -v
debug1: Reading configuration data /etc/ldap.conf
/etc/ldap.conf line 17: Bad never/hard/demand/alow/try argument.


Version-Release number of selected component (if applicable):
openssh-ldap-5.5p1-6.fc14.x86_64
Comment 1 Tomas Mraz 2010-05-06 02:57:00 EDT
I think that /etc/openldap/ldap.conf should be used instead of /etc/ldap.conf.
The /etc/ldap.conf belongs to nss_ldap (before the split of pam_ldap) and should not be used anymore.
Comment 2 Jan F. Chadima 2010-05-06 04:58:48 EDT
According to the LDAP documentation, tls_checkpeer has these options: never, hard, demand, allow and try.
I'll make aliases never = off and hard = on.
Comment 4 Ruben Kerkhof 2010-05-06 06:44:42 EDT
Hi Jan,

What documentation are you looking at? man ldap.conf(5) doesn't describe the tls_checkpeer setting.

Tomas is probably right, the config file should be /etc/openldap/ldap.conf

If I try that, I get the following output:

[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -f /etc/openldap/ldap.conf -s test
debug1: Reading configuration data /etc/openldap/ldap.conf
/etc/openldap/ldap.conf: line 6: Bad configuration option: TLS_CACERT
/etc/openldap/ldap.conf: line 8: Bad configuration option: TLS_REQCERT
debug1: LDAP do connect
debug1: LDAP process user
ldap_search_st(): Confidentiality required
debug1: LDAP do close
Comment 5 Jan F. Chadima 2010-05-06 10:12:43 EDT
Ok, I made the configuration compatibility aliases TLS_CACERT (tls_cacertfile) and TLS_REQCERT (tls_checkpeer).
Comment 6 Ruben Kerkhof 2010-05-06 11:46:12 EDT
I've just upgraded to openssh-ldap-5.5p1-8.fc14.x86_64

Ok, so which file has the right settings?

/etc/ldap.conf works, but has a few warnings:

[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -s test
debug1: Reading configuration data /etc/ldap.conf
/etc/ldap.conf: line 8: Bad configuration option: pam_login_attribute
/etc/ldap.conf: line 9: Bad configuration option: pam_lookup_policy
/etc/ldap.conf: line 10: Bad configuration option: pam_min_uid
/etc/ldap.conf: line 11: Bad configuration option: pam_max_uid
/etc/ldap.conf: line 12: Bad configuration option: nss_initgroups_ignoreusers
/etc/ldap.conf: line 16: Bad configuration option: tls_cafile
/etc/ldap.conf: line 17: Bad configuration option: pam_password
/etc/ldap.conf: line 19: Bad configuration option: nss_base_passwd
/etc/ldap.conf: line 20: Bad configuration option: nss_base_shadow
/etc/ldap.conf: line 21: Bad configuration option: nss_base_group
debug1: LDAP do connect
debug1: LDAP process user
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5QJURbD721XSQQMV9NgRZ5gI1RPigf13nH647cyL0sRbOJAOrxoQN2L522UrWy5FU+E3s66panx7kNclFLxbP9+I9aZ+g5soWEa+EgHgDRYIWwW5MThMGng8H8l+dm7j5a3vmOJfnx2kzhPNiHX5sfTsSSSQnyYSV6PiWRdy6NenFykVyC8b+Z9Mvy6QJoiWz8xgQWVwK1Or2Rp93tAdO7iW4eN+HFBf+NbNJWg1q8gFvee4mma7WYc/QW2ZKHc6NqWFjGrGKdnv/tNjShjRzFbntUof5vKjzDdovqVMxmxFgovSZLq7cI+JtAH6QivGqy0GQuVNKWiqCT6yF7DMv ruben@files
debug1: LDAP do close


If I use /etc/openldap/ldap.conf, the connection is not switched to TLS:
[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -f /etc/openldap/ldap.conf -s test
debug1: Reading configuration data /etc/openldap/ldap.conf
debug1: LDAP do connect
debug1: LDAP process user
ldap_search_st(): Confidentiality required
debug1: LDAP do close


Thanks
Comment 7 Jan F. Chadima 2010-05-06 11:50:14 EDT
(In reply to comment #6)
> I've just upgraded to openssh-ldap-5.5p1-8.fc14.x86_64
> 
> Ok, so which file has the right settings?
> 
> /etc/ldap.conf works, but has a few warnings:
> 
> [ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -s test
> debug1: Reading configuration data /etc/ldap.conf
> /etc/ldap.conf: line 8: Bad configuration option: pam_login_attribute
> /etc/ldap.conf: line 9: Bad configuration option: pam_lookup_policy
> /etc/ldap.conf: line 10: Bad configuration option: pam_min_uid
> /etc/ldap.conf: line 11: Bad configuration option: pam_max_uid
> /etc/ldap.conf: line 12: Bad configuration option: nss_initgroups_ignoreusers
> /etc/ldap.conf: line 16: Bad configuration option: tls_cafile
> /etc/ldap.conf: line 17: Bad configuration option: pam_password
> /etc/ldap.conf: line 19: Bad configuration option: nss_base_passwd
> /etc/ldap.conf: line 20: Bad configuration option: nss_base_shadow
> /etc/ldap.conf: line 21: Bad configuration option: nss_base_group
> debug1: LDAP do connect
> debug1: LDAP process user
> ssh-rsa

this is OK

> AAAAB3NzaC1yc2EAAAADAQABAAACAQC5QJURbD721XSQQMV9NgRZ5gI1RPigf13nH647cyL0sRbOJAOrxoQN2L522UrWy5FU+E3s66panx7kNclFLxbP9+I9aZ+g5soWEa+EgHgDRYIWwW5MThMGng8H8l+dm7j5a3vmOJfnx2kzhPNiHX5sfTsSSSQnyYSV6PiWRdy6NenFykVyC8b+Z9Mvy6QJoiWz8xgQWVwK1Or2Rp93tAdO7iW4eN+HFBf+NbNJWg1q8gFvee4mma7WYc/QW2ZKHc6NqWFjGrGKdnv/tNjShjRzFbntUof5vKjzDdovqVMxmxFgovSZLq7cI+JtAH6QivGqy0GQuVNKWiqCT6yF7DMv
> ruben@files
> debug1: LDAP do close
> 
> 
> If I use /etc/openldap/ldap.conf, the connection is not switched to TLS:
> [ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -f
> /etc/openldap/ldap.conf -s test
> debug1: Reading configuration data /etc/openldap/ldap.conf
> debug1: LDAP do connect
> debug1: LDAP process user
> ldap_search_st(): Confidentiality required
> debug1: LDAP do close
> 
Please run /usr/libexec/openssh/ssh-ldap-helper -v -v -v -w -f /etc/openldap/ldap.conf -s test
(add 2 more -v)

> 
> Thanks
Comment 8 Jan F. Chadima 2010-05-06 11:52:19 EDT
> /etc/ldap.conf: line 16: Bad configuration option: tls_cafile
What does tls_cafile mean? Is it a typo, or a new kind of configuration option?
Comment 9 Ruben Kerkhof 2010-05-06 12:40:19 EDT
(In reply to comment #7)

Ok, here's the output:

[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -v -v -w -f /etc/openldap/ldap.conf -s test
debug1: Reading configuration data /etc/openldap/ldap.conf
debug3: === Configuration ===
debug3: URI ldap://ldap.priv.tilaa.nl
debug3: Host ldap.priv.tilaa.nl
debug3: Port 389
debug3: SSL No
debug3: Ldap_Version 3
debug3: Timelimit 10
debug3: Bind_Timelimit 10
debug3: Base dc=tilaa,dc=nl
debug3: BindDN 
debug3: BindPW 
debug3: Scope Sub
debug3: Deref Never
debug3: Referrals Yes
debug3: Restart Yes
debug3: Bind_Policy Hard
debug3: SSLPath <UNDEFINED>
debug3: TLS_CheckPeer Hard
debug3: TLS_CaCertFile /etc/openldap/cacerts/ca.pem
debug3: TLS_CaCertDir /etc/openldap/cacerts
debug3: TLS_Ciphers <UNDEFINED>
debug3: TLS_Cert <UNDEFINED>
debug3: TLS_Key <UNDEFINED>
debug3: TLS_RandFile <UNDEFINED>
debug3: Logdir <UNDEFINED>
debug3: Debug 0
debug3: SSH_Filter 
debug3: === *** ===
debug1: LDAP do connect
debug3: Set TLS CA cert file /etc/openldap/cacerts/ca.pem 
debug3: Set TLS CA cert dir /etc/openldap/cacerts 
debug3: Set TLS check peer to 1 
debug3: LDAP initialize ldap://ldap.priv.tilaa.nl
debug3: LDAP set version to 3
debug3: LDAP set rebind proc
debug3: LDAP set deref to 0
debug3: LDAP set timelimit to 10
debug3: LDAP set opt network timeout to 10.0
debug3: LDAP set referrals to 1
debug3: LDAP set restart to 1
debug3: LDAP simple bind ()
debug3: LDAP result in time
debug3: LDAP parse result OK
debug2: LDAP do connect OK
debug1: LDAP process user
debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=test))
ldap_search_st(): Confidentiality required
debug1: LDAP do close
debug2: LDAP do close OK

And for reference, the output of:
[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -v -v -w -f /etc/ldap.conf -s test
debug1: Reading configuration data /etc/ldap.conf
/etc/ldap.conf: line 8: Bad configuration option: pam_login_attribute
/etc/ldap.conf: line 9: Bad configuration option: pam_lookup_policy
/etc/ldap.conf: line 10: Bad configuration option: pam_min_uid
/etc/ldap.conf: line 11: Bad configuration option: pam_max_uid
/etc/ldap.conf: line 12: Bad configuration option: nss_initgroups_ignoreusers
/etc/ldap.conf: line 17: Bad configuration option: pam_password
/etc/ldap.conf: line 19: Bad configuration option: nss_base_passwd
/etc/ldap.conf: line 20: Bad configuration option: nss_base_shadow
/etc/ldap.conf: line 21: Bad configuration option: nss_base_group
debug3: === Configuration ===
debug3: URI ldap://ldap.priv.tilaa.nl
debug3: Host ldap.priv.tilaa.nl
debug3: Port 389
debug3: SSL Start_TLS
debug3: Ldap_Version 3
debug3: Timelimit 10
debug3: Bind_Timelimit 20
debug3: Base dc=tilaa,dc=nl
debug3: BindDN 
debug3: BindPW 
debug3: Scope Sub
debug3: Deref Never
debug3: Referrals Yes
debug3: Restart Yes
debug3: Bind_Policy Hard
debug3: SSLPath <UNDEFINED>
debug3: TLS_CheckPeer Hard
debug3: TLS_CaCertFile /etc/openldap/cacerts/ca.pem
debug3: TLS_CaCertDir /etc/openldap/cacerts
debug3: TLS_Ciphers <UNDEFINED>
debug3: TLS_Cert <UNDEFINED>
debug3: TLS_Key <UNDEFINED>
debug3: TLS_RandFile <UNDEFINED>
debug3: Logdir <UNDEFINED>
debug3: Debug 0
debug3: SSH_Filter 
debug3: === *** ===
debug1: LDAP do connect
debug3: Set TLS CA cert file /etc/openldap/cacerts/ca.pem 
debug3: Set TLS CA cert dir /etc/openldap/cacerts 
debug3: Set TLS check peer to 1 
debug3: LDAP initialize ldap://ldap.priv.tilaa.nl
debug3: LDAP set version to 3
debug3: LDAP set rebind proc
debug3: LDAP set deref to 0
debug3: LDAP set timelimit to 10
debug3: LDAP set opt network timeout to 20.0
debug3: LDAP set referrals to 1
debug3: LDAP set restart to 1
debug3: LDAP start TLS
debug3: LDAP simple bind ()
debug3: LDAP result in time
debug3: LDAP parse result OK
debug2: LDAP do connect OK
debug1: LDAP process user
debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=test))
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5QJURbD721XSQQMV9NgRZ5gI1RPigf13nH647cyL0sRbOJAOrxoQN2L522UrWy5FU+E3s66panx7kNclFLxbP9+I9aZ+g5soWEa+EgHgDRYIWwW5MThMGng8H8l+dm7j5a3vmOJfnx2kzhPNiHX5sfTsSSSQnyYSV6PiWRdy6NenFykVyC8b+Z9Mvy6QJoiWz8xgQWVwK1Or2Rp93tAdO7iW4eN+HFBf+NbNJWg1q8gFvee4mma7WYc/QW2ZKHc6NqWFjGrGKdnv/tNjShjRzFbntUof5vKjzDdovqVMxmxFgovSZLq7cI+JtAH6QivGqy0GQuVNKWiqCT6yF7DMv ruben@files
debug2: LDAP process user finished
debug1: LDAP do close
debug2: LDAP do close OK

In this case, start_tls is used.

(In reply to comment #8)
You're right, it's a typo. We've been using this setting for 2 years now, but it's probably redundant because I also have tls_cacertdir.

Btw, the following
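The thread above turns on three details of how ssh-ldap-helper reads its config: the accepted values for tls_checkpeer (comment 2), the TLS_REQCERT/TLS_CACERT aliases (comment 5), and the fact that the /etc/openldap/ldap.conf run in comment 9 shows "SSL No" and never issues a start TLS, so the server answers "Confidentiality required". The following is an added example, not code from openssh-ldap or from anyone in this bug: a small Python lint that parses an ldap.conf-style file, applies those aliases, flags options the helper would reject, and says whether the resulting connection would be protected by TLS at all. The list of known options is taken from the helper's -v -v -v dump in comment 9 (the real helper may accept more); the sample config snippets are constructed to resemble the two files discussed here, not the reporter's actual files.

```python
# Added example (not openssh-ldap's own code): lint for ldap.conf-style files
# as read by ssh-ldap-helper.  Resolves the aliases discussed in this bug,
# reports options the helper would reject, and checks whether TLS is used.

# Aliases from comment 5.  Option names are matched case-insensitively.
OPTION_ALIASES = {
    "tls_reqcert": "tls_checkpeer",
    "tls_cacert": "tls_cacertfile",
}

# Values accepted for tls_checkpeer (never/hard/demand/allow/try, per the
# helper's error message) plus the yes/no spellings from nss_ldap(5),
# mapped as comment 2 proposes: yes -> hard, no -> never.
CHECKPEER_VALUES = {
    "never": "never", "hard": "hard", "demand": "demand",
    "allow": "allow", "try": "try",
    "yes": "hard", "on": "hard",
    "no": "never", "off": "never",
}

# Option names taken from the -v -v -v configuration dump in comment 9.
# Assumption: the real helper may know more options than these.
KNOWN_OPTIONS = {
    "uri", "host", "port", "ssl", "ldap_version", "timelimit", "bind_timelimit",
    "base", "binddn", "bindpw", "scope", "deref", "referrals", "restart",
    "bind_policy", "sslpath", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir",
    "tls_ciphers", "tls_cert", "tls_key", "tls_randfile", "logdir", "debug",
    "ssh_filter",
}


def parse_ldap_conf(text):
    """Parse 'option value' lines.  Returns (settings, rejected): settings maps
    canonical lower-case option -> value; rejected lists (line_no, option) for
    lines the helper would report as 'Bad configuration option'."""
    settings, rejected = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = OPTION_ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key not in KNOWN_OPTIONS:
            rejected.append((line_no, parts[0]))
            continue
        if key == "tls_checkpeer":
            if value.lower() not in CHECKPEER_VALUES:
                # Same failure the helper reports for an unknown argument.
                raise ValueError(f"line {line_no}: Bad never/hard/demand/allow/try argument.")
            value = CHECKPEER_VALUES[value.lower()]
        settings[key] = value
    return settings, rejected


def tls_mode(settings):
    """'start_tls', 'ldaps' or 'none', mirroring the 'SSL' line of the dump."""
    ssl = settings.get("ssl", "no").lower()
    if ssl == "start_tls":
        return "start_tls"
    if ssl in ("on", "yes") or settings.get("uri", "").lower().startswith("ldaps://"):
        return "ldaps"
    return "none"


def lint(text):
    """Return (tls_mode, checkpeer, findings) for one config file."""
    settings, rejected = parse_ldap_conf(text)
    findings = [f"line {n}: Bad configuration option: {opt}" for n, opt in rejected]
    mode = tls_mode(settings)
    checkpeer = settings.get("tls_checkpeer")
    if mode == "none":
        findings.append("no 'ssl start_tls' and no ldaps:// URI: bind and search "
                        "go over plaintext (a server that mandates TLS answers "
                        "'Confidentiality required')")
    elif checkpeer in ("never", "allow", "try"):
        findings.append(f"tls_checkpeer {checkpeer}: server certificate is not "
                        "strictly verified")
    return mode, checkpeer, findings


# Constructed samples modelled on the two files in this bug (not the
# reporter's real files; host and base are taken from the debug output).
OPENLDAP_STYLE = """\
URI ldap://ldap.priv.tilaa.nl
BASE dc=tilaa,dc=nl
TLS_CACERT /etc/openldap/cacerts/ca.pem
TLS_REQCERT demand
"""

NSS_LDAP_STYLE = """\
uri ldap://ldap.priv.tilaa.nl
base dc=tilaa,dc=nl
ssl start_tls
tls_checkpeer yes
tls_cafile /etc/openldap/cacerts/ca.pem
tls_cacertdir /etc/openldap/cacerts
nss_base_passwd ou=People,dc=tilaa,dc=nl
"""

if __name__ == "__main__":
    for name, conf in (("openldap", OPENLDAP_STYLE), ("nss_ldap", NSS_LDAP_STYLE)):
        mode, checkpeer, findings = lint(conf)
        print(f"{name}: tls={mode} checkpeer={checkpeer}")
        for finding in findings:
            print("  " + finding)
```

Run against the two samples, the OpenLDAP-style file parses cleanly but is reported as plaintext (no ssl directive), which is exactly the "Confidentiality required" situation in comment 9, while the nss_ldap-style file gets start_tls with tls_checkpeer normalised to hard and the unknown options (tls_cafile, nss_base_passwd) listed the way the helper prints them.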
Comment 10 Ruben Kerkhof 2010-05-13 12:34:27 EDT
I've got ldap public key lookups working now with openssh-ldap-5.5p1-9.fc14.x86_64, thanks!

File-based lookups (authorized_keys) stopped working though. Is it possible to fall back to file-based keys when there's no key in ldap?

3 further comments:
- man ssh-ldap-helper(8) refers to ssh_ldap.conf(5), but the manpage is ssh-ldap.conf(5) with a dash
- The PubkeyAgent section in sshd_config(5) is misformatted
- An example config file in /etc/ssh would be nice.

Thanks again!

Ruben
Comment 11 Jan F. Chadima 2010-05-14 03:51:44 EDT
(In reply to comment #10)
> 
> File-based lookups (authorized_keys) stopped working though. Is it possible to
> fall back to file-based keys when there's no key in ldap?
I will investigate it.
> 
> 3 further comments:
> - man ssh-ldap-helper(8) refers to ssh_ldap.conf(5), but the manpage is
> ssh-ldap.conf(5) with a dash
> - The PubkeyAgent section in sshd_config(5) is misformatted
> - An example config file in /etc/ssh would be nice.
All solved in openssh-5.5p1-10
Comment 12 Bug Zapper 2010-07-30 07:33:24 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping