Bug 455350 - [FEAT] OpenSSH to support centralized management of SSH keys
Summary: [FEAT] OpenSSH to support centralized management of SSH keys
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssh
Version: 6.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Jan F. Chadima
QA Contact: Brian Brock
URL:
Whiteboard:
Duplicates: 529062 (view as bug list)
Depends On:
Blocks: 215741 655920
Reported: 2008-07-14 22:58 UTC by Daniel Riek
Modified: 2018-11-14 20:36 UTC (History)
CC List: 15 users

Fixed In Version: openssh-5.3p1-47.el6
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 13:30:04 UTC
Target Upstream Version:
Embargoed:


Attachments: none

Links:
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2011:0598 | 0 | normal | SHIPPED_LIVE | openssh bug fix and enhancement update | 2011-05-19 09:37:32 UTC

Description Daniel Riek 2008-07-14 22:58:19 UTC
Copying this RHEL5 RFE to RHEL6, in order to track for that release.

The requested changes have not been accepted upstream, so the request is to
either try to help getting them accepted upstream or to find an alternate
solution for the problem of dynamic ssh-key distribution (and removal) for
(large) centrally managed environments.

+++ This bug was initially created as a clone of Bug #215741 +++

Description of problem:

When a user is disabled (i.e. locked) on the ldap server (because they are
terminated, etc.) and they have access to their ssh private key, they will
still be able to login to any server in the organization that contains their ssh
public key. This can be considered a security breach by an auditing team.

With the ability to lookup ssh keys over LDAP, the directory server will have
the ability to not send the public key to the user logging in, even if they have
the correct private key.

Additional info:

A patch enabling this is available here: http://dev.inversepath.com/trac/openssh-lpk

Comment 1 Reed Loden 2009-04-06 10:05:27 UTC
The patch has moved to http://code.google.com/p/openssh-lpk/

Comment 3 Steve Grubb 2009-11-18 15:25:51 UTC
*** Bug 529062 has been marked as a duplicate of this bug. ***

Comment 4 Jan F. Chadima 2009-11-20 10:26:36 UTC
The more correct patch to sshd is posted to mindrot bugzilla as #1663

Comment 5 Siddharth Nagar 2010-03-11 15:41:31 UTC
Deferring to 6.1

Comment 6 Jan F. Chadima 2010-06-07 10:21:59 UTC
The patched version is successfully tested and deployed in Fedora.

Comment 17 Denise Dumas 2011-02-08 19:59:19 UTC
This is in Modified but I'm not seeing it in the openssh errata. You need to get the brew build updates and add it. This should have happened by the 6.1 code freeze, which was last Friday Feb 4.

Comment 21 Miroslav Vadkerti 2011-03-10 12:06:04 UTC
I was manually able to use this feature and it works. Testing was done only using an ldap server without TLS. I'm currently creating a RHTS test that will automate the testing and will also test the feature in more depth.

The problem is the documentation because it is in many places misleading and it is scattered in 3 files:
/usr/share/doc/openssh-ldap-5.5p1/lpk-user-example.txt
/usr/share/doc/openssh-ldap-5.5p1/README.lpk
/usr/share/doc/openssh-ldap-5.3p1/HOWTO.ldap-keys

I recommend having one file that contains a step-by-step, up-to-date guide on how to set up openssh for getting public keys from an ldap server, and maybe some basic information. Sections describing LPK should be wiped, for example this from lpk-user-example.txt:
Add the following config to /etc/ssh/ssh_config
UseLPK yes
LpkServers ldap://myhost.mydomain.com
LpkUserDN  ou=People,dc=mydomain,dc=com

The man page for ssh-ldap-helper is misleading as it says it can be used in sshd_config. This is not true; ssh-wrapper should be used instead in the latest version. The man page should mention that this tool is great for manual testing (not the opposite, as it does now).

ssh-ldap-helper run without parameters should return the help and not end without a message.

The man page for ssh-ldap.conf was generated incorrectly and is missing new lines:
http://pastebin.test.redhat.com/43497

Both man pages should be reviewed by some other senior developer and then also by the documentation team.

Moving to assigned as the documentation for this nice feature needs improvements.

Comment 22 Miroslav Vadkerti 2011-03-11 08:11:30 UTC
Great, the new package openssh-5.3p1-46.el5 now comes with a nice HOWTO in one file. The howto is understandable but needs to be reviewed by the documentation team to fix any grammatical issues. I'm contacting them to get this done.

The man page for ssh-ldap-helper is corrected now.

The ssh-ldap.conf man page is still broken (no newlines) and needs to be fixed, so the bug stays in assigned.

Comment 26 errata-xmlrpc 2011-05-19 13:30:04 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0598.html

Comment 27 Barrow Kwan 2012-05-07 21:44:36 UTC
I am trying to get this working with our Active Directory but have a problem with the ldap_searching string.

I am wondering if this can be made configurable in the /etc/ssh/ldap.conf


In the openssh-5.3p1-ldap.patch file, if we can make this changeable in /etc/ssh/ldap.conf, that will be very helpful.

right now I have to change this

+#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"

to


+#define LDAPSEARCH_FORMAT "(&(objectclass=user)(uid=%s)%s)"


thanks

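An added example (not code from the bug, the openssh-ldap patch or Red Hat) that ties the description's point to the filter strings quoted in comment 27: it renders the LDAPSEARCH_FORMAT filter for a login name, applying RFC 4515 escaping before substituting the username, and then looks the user up in a constructed in-memory directory where a locked account yields no authorized key. The directory entries, the `locked` flag and the simplified filter evaluation are assumptions for illustration.

```python
# Formats quoted in comment 27: the posixAccount/ldapPublicKey schema and the
# Active Directory variant the commenter switched to. The second %s is an
# optional extra filter fragment (assumed; left empty here).
LDAPSEARCH_FORMAT_POSIX = "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
LDAPSEARCH_FORMAT_AD = "(&(objectclass=user)(uid=%s)%s)"


def escape_filter_value(value):
    """RFC 4515 escaping so the login name is matched literally, not as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(username, fmt=LDAPSEARCH_FORMAT_POSIX, extra=""):
    """Render the search filter a key-lookup helper would send for this login name."""
    return fmt % (escape_filter_value(username), extra)


# Constructed directory entries (not real data): the objectclasses the filter
# requires, uid, sshPublicKey, and a 'locked' flag standing in for the
# account-disable state described in the bug.
DIRECTORY = [
    {"objectclass": {"posixAccount", "ldapPublicKey"}, "uid": "alice",
     "sshPublicKey": ["ssh-rsa AAAAB3...alice"], "locked": False},
    {"objectclass": {"posixAccount", "ldapPublicKey"}, "uid": "bob",
     "sshPublicKey": ["ssh-rsa AAAAB3...bob"], "locked": True},
]


def authorized_keys(username, directory=DIRECTORY):
    """Keys sshd would accept for username: the matching, unlocked entry's
    sshPublicKey values, or [] for a locked or unknown account. Evaluates the
    posixAccount filter's conditions directly rather than parsing the string."""
    required = {"posixAccount", "ldapPublicKey"}
    for entry in directory:
        if required <= entry["objectclass"] and entry["uid"] == username:
            # Locked user: the directory returns no key, so the private key
            # alone no longer grants login. This is the gap the bug describes.
            return [] if entry["locked"] else list(entry["sshPublicKey"])
    return []


if __name__ == "__main__":
    print(build_filter("alice"))
    print(build_filter("a*b", LDAPSEARCH_FORMAT_AD))
    for user in ("alice", "bob", "mallory"):
        print(user, authorized_keys(user))
```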
