Bug 671892

Summary: AuthorizedKeysCommand doesn't work
Product: [Fedora] Fedora
Reporter: Ruben Kerkhof <ruben>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: jchadima, mgrepl, tmraz
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-03-17 07:50:31 UTC

Description Ruben Kerkhof 2011-01-22 16:04:44 UTC
sshd fails to look up authorized keys in LDAP.

/etc/ssh/sshd_config contains:
AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-helper -s %u"

user_key_via_command_allowed2 does a stat on the AuthorizedKeysCommand, but of course the path /usr/libexec/openssh/ssh-ldap-helper -s %u doesn't exist.

An option would be to adjust ssh-ldap-helper to accept the username as the first argument, and make AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper

Comment 1 Ruben Kerkhof 2011-02-19 11:34:51 UTC
Hi Jan,

This does happen on rawhide as well.

Would you mind taking a look? This is preventing me from upgrading all my machines from F-13 to F-14.

Comment 2 Jan F. Chadima 2011-02-25 11:19:14 UTC
Please test openssh-5.8p1-10.fc16.1, modify the configuration according to HOWTO.ldap-keys, and report the result.

Comment 3 Ruben Kerkhof 2011-02-25 15:40:26 UTC
Yes, this works, thanks.

Using a shell script as a wrapper feels a bit hackish though. I take it you're going to modify ssh-ldap-helper to just accept the user without the -s so the wrapper isn't needed?

Comment 4 Jan F. Chadima 2011-02-28 09:29:38 UTC
The ssh-ldap-helper has other possible parameters. IMHO the wrapper is a pretty fine solution.

Comment 5 Ruben Kerkhof 2011-02-28 13:14:40 UTC
Ok, fair enough.

HOWTO.ldap-keys says you have to use:
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper

But I could only get it working by quoting the command:
AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"

Comment 6 Jan F. Chadima 2011-03-17 07:50:31 UTC
Everything is repaired in current rawhide.
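
The failure from the description and the wrapper workaround from comments 2 to 5, as an added example that is not part of the bug report or of the openssh package: check_akc treats the whole AuthorizedKeysCommand value as one path, the way the stat described above does, and write_wrapper generates a wrapper script. The function names, the wrapper body and the assumption that sshd passes the user name as the wrapper's first argument are illustrative; the real ssh-ldap-wrapper is not shown on this page.

```shell
#!/bin/sh
# Added example: not taken from the bug report or from the openssh package.

# Print the value of the first AuthorizedKeysCommand line in config file $1,
# with one pair of surrounding double quotes removed.
akc_value() {
    awk 'tolower($1) == "authorizedkeyscommand" {
        sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword
        sub(/[ \t]+$/, "")                # drop trailing blanks
        if ($0 ~ /^".*"$/) $0 = substr($0, 2, length($0) - 2)
        print; exit
    }' "$1"
}

# Treat the whole value as a single path, as the stat described in the
# report does. Returns 0 = usable, 1 = would fail, 2 = directive not set.
check_akc() {
    cmd=$(akc_value "$1")
    [ -n "$cmd" ] || { echo "AuthorizedKeysCommand not set"; return 2; }
    case $cmd in
        /*) ;;
        *) echo "not an absolute path: $cmd"; return 1 ;;
    esac
    [ -f "$cmd" ] || { echo "no such file (arguments in the value?): $cmd"; return 1; }
    [ -x "$cmd" ] || { echo "not executable: $cmd"; return 1; }
    echo "ok: $cmd"
}

# Write a wrapper at $1 that passes its first argument (assumed here to be
# the user name supplied by sshd) to the helper at $2 after -s.
write_wrapper() {
    printf '#!/bin/sh\nexec "%s" -s "$1"\n' "$2" > "$1" && chmod 755 "$1"
}

# Constructed demo: a stand-in helper, the failing directive, the wrapper form.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "helper called with: $*"\n' > "$d/helper"
    chmod 755 "$d/helper"
    write_wrapper "$d/wrapper" "$d/helper"
    printf 'AuthorizedKeysCommand "%s -s %%u"\n' "$d/helper" > "$d/bad.conf"
    printf 'AuthorizedKeysCommand "%s"\n' "$d/wrapper" > "$d/good.conf"
    bad=0; check_akc "$d/bad.conf" || bad=$?     # helper path plus arguments
    good=0; check_akc "$d/good.conf" || good=$?  # bare wrapper path
    "$d/wrapper" alice
    rm -rf "$d"
    [ "$bad" -eq 1 ] && [ "$good" -eq 0 ]
}
```

Source the file and run `demo`, or run `check_akc /etc/ssh/sshd_config` against a real configuration.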