Bug 729772

Summary: sshd and ssh-ldap-helper seem to not agree on how the latter should be invoked
Product: Fedora
Reporter: Tyson Whitehead <twhitehead>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 14
CC: jchadima, mattias.ellert, mgrepl, tmraz
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-08-11 19:34:08 UTC

Description Tyson Whitehead 2011-08-10 19:09:18 UTC
Description of problem:

The documentation is conflicting regarding the following sshd_config options

AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper -s %u
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper

Specifically, the README.lpk file in the openssh-ldap package says the first should be used, while the sshd_config man page says the second should be used (and that the user name is always passed as the first argument).

In reality neither of them works, as it seems both programs expect their own version.  Setting AuthorizedKeysCommand the first way (as README.lpk says) results in

error: user_key_via_command_allowed2: stat("/usr/libexec/openssh/ssh-ldap-helper -s %u"): No such file or directory

showing up in /var/log/secure.  Setting it the second way (as sshd_config says) results in 

ssh-ldap-helper[4140]: fatal: illegal extra parameter <username>

showing up in /var/log/messages.  It would seem that one component (sshd or ssh-ldap-helper) was changed at some point without the other being updated too.


Version-Release number of selected component (if applicable): 5.5p1-25.fc14.2

How reproducible: always

Steps to Reproduce:
1.  Install the openssh-ldap package
2.  Setup as specified in the README.lpk (will produce the second error)
3.  Change AuthorizedKeysCommand to just the command (will produce first error)
  
Actual results: error messages in log files

Expected results: no error messages and login with key should work

Additional info:

Manually running "/usr/libexec/openssh/ssh-ldap-helper -d -s <user>" can be used to verify that /etc/ssh/ldap.conf is setup correctly by retrieving a user's key.

Comment 1 Jan F. Chadima 2011-08-11 19:34:08 UTC
Yes, you are right, there is a bug. The man page change and the helper application appear in F16. So you can grab them from there (the shell script and the man page).
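The mismatch described in this report is between two calling conventions: the sshd in the reporter's version takes the whole AuthorizedKeysCommand value as one path and passes the user name as the only argument, while ssh-ldap-helper wants that name after -s. A thin shell wrapper reconciles the two. The script below is an added example for this page; it is not the wrapper shipped by Fedora or anything from the openssh-ldap package. The helper path and the SSH_LDAP_HELPER override are this example's own assumptions, and the user-name validation goes beyond what the thread discusses: sshd hands the wrapper whatever account name the client asked for, so the wrapper refuses names that could be read as options before forwarding them. It also includes a static check that mirrors the stat() behaviour quoted in the description (a value containing spaces or a % token is treated as a single, nonexistent path) and the manual -d lookup from "Additional info".

```shell
#!/bin/sh
# Added example, not the package's own ssh-ldap wrapper.
# Purpose: let sshd call this script with the user name as its single
# argument and translate that into the helper's "-s <user>" form.
# Assumed: the helper path below and the SSH_LDAP_HELPER override.

SSH_LDAP_HELPER="${SSH_LDAP_HELPER:-/usr/libexec/openssh/ssh-ldap-helper}"

# Accept only a plain account name. sshd forwards the client-supplied
# user name verbatim, so a leading '-' or any shell metacharacter must
# not reach the helper's option parser.
valid_user_name() {
    case "$1" in
        ''|-*|*[!a-zA-Z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# What sshd expects from an AuthorizedKeysCommand: the user's public
# keys on stdout, non-zero exit on any failure (sshd then sees no keys).
ldap_keys_for_user() {
    valid_user_name "$1" || return 2
    "$SSH_LDAP_HELPER" -s "$1"
}

# Static check of an sshd_config AuthorizedKeysCommand value for an sshd
# that stat()s the whole value as one path (the behaviour in this report):
# whitespace or a % token in the value yields the "No such file or
# directory" error quoted in the description. Returns 0 if the value is
# a bare absolute path, 1 otherwise.
check_authorized_keys_command() {
    case "$1" in
        *[[:space:]]*|*%*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# The manual check from "Additional info": run the helper in debug mode
# for one user and confirm at least one key line comes back, which shows
# /etc/ssh/ldap.conf is usable independently of sshd.
verify_ldap_lookup() {
    valid_user_name "$1" || return 2
    "$SSH_LDAP_HELPER" -d -s "$1" | grep -q '^\(ssh-\|ecdsa-\)'
}

# When invoked by sshd, behave as the wrapper; with no arguments the
# functions above are merely defined (useful for sourcing or testing).
if [ $# -gt 0 ]; then
    ldap_keys_for_user "$1"
    exit $?
fi
```

To use it, install the script with mode 0755 and point sshd at it with a bare path, e.g. `AuthorizedKeysCommand /usr/local/libexec/ssh-ldap-wrapper` (path assumed here), so that the sshd from this report finds the file and the helper still receives `-s <user>`. The validation pattern is deliberately conservative; widen it only if your LDAP account names legitimately contain other characters.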