Bug 671892

Summary: AuthorizedKeysCommand doesn't work
Product: [Fedora] Fedora Reporter: Ruben Kerkhof <ruben>
Component: opensshAssignee: Jan F. Chadima <jchadima>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: jchadima, mgrepl, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-17 03:50:31 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Ruben Kerkhof 2011-01-22 11:04:44 EST
sshd fails to lookup authorized keys in ldap

/etc/ssh/sshd_config contains:
AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-helper -s %u"

user_key_via_command_allowed2 does a stat on the AuthorizedKeysCommand, but of course the path 
/usr/libexec/openssh/ssh-ldap-helper -s %u doesn't exist.

An option would be to adjust ssh-ldap-helper to accept the username as the first argument, and make AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper
Comment 1 Ruben Kerkhof 2011-02-19 06:34:51 EST
Hi Jan,

This does happen on rawhide as well.

Would you mind taking a look, this is preventing me from upgrading all my machines from F-13 to F-14
Comment 2 Jan F. Chadima 2011-02-25 06:19:14 EST
please test openssh-5.8p1-10.fc16.1
and modify the configuration according to HOWTO.ldap-keys
and report the result please
Comment 3 Ruben Kerkhof 2011-02-25 10:40:26 EST
Yes, this works, thanks.

Using a shellscript as a wrapper feels a bit hackish though. I take it you're going to modify ssh-ldap-helper to just accept the user without the -s so the wrapper isn't needed?
Comment 4 Jan F. Chadima 2011-02-28 04:29:38 EST
the ssh-ldap-helper have another possible parameters. IMHO the wrapper is pretty fine solution.
Comment 5 Ruben Kerkhof 2011-02-28 08:14:40 EST
Ok, fair enough.

HOWTO.ldap-keys says you have to use:
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper

But I could only get it working by quoting the command:
AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
Comment 6 Jan F. Chadima 2011-03-17 03:50:31 EDT
everything is repaired in current rawhide