Red Hat Bugzilla – Full Text Bug Listing
Summary: sshd and ssh-ldap-helper seem to not agree on how the latter should be invoked
Product: [Fedora] Fedora
Reporter: Tyson Whitehead <twhitehead>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Version: 14
CC: jchadima, mattias.ellert, mgrepl, tmraz
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2011-08-11 15:34:08 EDT
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Description Tyson Whitehead 2011-08-10 15:09:18 EDT
Description of problem:
The documentation is conflicting regarding the following sshd_config options:

  AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper -s %u
  AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper

Specifically, the README.lpk file in the openssh-ldap file says the first should be used, while the sshd_config man page says the second should be used (and that the user name is always passed as the first argument). In reality neither of them works, as it seems both programs expect their own version.

Setting AuthorizedKeysCommand the first way (as README.lpk says) results in the error

  user_key_via_command_allowed2: stat("/usr/libexec/openssh/ssh-ldap-helper -s %u"): No such file or directory

showing up in /var/log/secure. Setting it the second way (as sshd_config says) results in

  ssh-ldap-helper: fatal: illegal extra parameter <username>

showing up in /var/log/messages. It would seem that one component (sshd or ssh-ldap-helper) was changed at some point without the other being updated too.

Version-Release number of selected component (if applicable):
5.5p1-25.fc14.2

How reproducible:
always

Steps to Reproduce:
1. Install the openssh-ldap package
2. Setup as specified in the README.lpk (will produce the second error)
3. Change AuthorizedKeysCommand to just the command (will produce first error)

Actual results:
error messages in log files

Expected results:
no error messages and login with key should work

Additional info:
Manually running "/usr/libexec/openssh/ssh-ldap-helper -d -s <user>" can be used to verify that /etc/ssh/ldap.conf is setup correctly by retrieving a user's key.
Comment 1 Jan F. Chadima 2011-08-11 15:34:08 EDT
Yes, you are right, there is a bug. The man page change and the helper application appear in F16. So you can grab it from there (the shell script and the man page).
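A wrapper script that reconciles the two calling conventions described in the report, as an added example (this is not the Fedora package's shell script mentioned in the comment, whose contents are not on this page): sshd invokes the AuthorizedKeysCommand with the user name as its first argument, and the wrapper re-issues that argument as `-s <user>` to ssh-ldap-helper. The helper path and the `-s` option are taken from the report; the wrapper's install path /usr/local/libexec/ssh-ldap-wrapper, the SSH_LDAP_HELPER override variable and the accepted user-name character set are assumptions.

```shell
#!/bin/sh
# ssh-ldap-wrapper: hypothetical AuthorizedKeysCommand adapter (added example,
# not the Fedora package's own script).
#
# sshd runs the configured command as:       <command> <username>
# ssh-ldap-helper expects to be called as:   ssh-ldap-helper -s <username>
# This script takes argv[1] from sshd and re-issues it as "-s <username>".
#
# sshd_config (assumed install path for this wrapper):
#   AuthorizedKeysCommand /usr/local/libexec/ssh-ldap-wrapper

# Path of the real helper (from the report); overridable for testing (assumed name).
HELPER="${SSH_LDAP_HELPER:-/usr/libexec/openssh/ssh-ldap-helper}"

# Accept only a conservative user-name character set (assumed; widen if your
# directory uses other characters), and never an empty value or one starting
# with '-' that the helper could parse as an option.
valid_user() {
    case "$1" in
        '' | -*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Render the exact command line that will be passed to the helper, so the
# argument translation can be inspected and tested without an LDAP server.
helper_argv() {
    printf '%s -s %s' "$HELPER" "$1"
}

main() {
    # sshd always passes exactly one argument: the user name being authenticated.
    if [ "$#" -ne 1 ] || ! valid_user "$1"; then
        printf 'ssh-ldap-wrapper: refusing to run with invalid user name argument\n' >&2
        exit 1
    fi
    # exec so the helper's stdout (the keys) and exit status go straight back to sshd.
    exec "$HELPER" -s "$1"
}

# Dispatch only when given arguments, so the file can also be sourced for testing.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Install the script mode 0755, owned by root, and point AuthorizedKeysCommand at it; the helper's `-d` debug flag from the report can still be used by hand to confirm that /etc/ssh/ldap.conf returns the expected key before wiring the wrapper into sshd.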