Red Hat Bugzilla – Bug 455350
[FEAT] OpenSSH to support centralized management of SSH keys
Last modified: 2012-05-07 17:44:36 EDT
Copying this RHEL5 RFE to RHEL6, in order to track for that release.
The requested changes have not been accepted upstream, so the request is to
either try to help getting them accepted upstream or to find an alternate
solution for the problem of dynamic ssh-key distribution (and removal) for
(large) centrally managed environments.
+++ This bug was initially created as a clone of Bug #215741 +++
Description of problem:
When a user is disabled (ie locked) on the ldap server (because they are
terminated, etc...) and they have access to their ssh private key, they will
still be able to login to any server in the organization that contains their ssh
public key. This can be considered a security breach by an auditing team.
With the ability to lookup ssh keys over LDAP, the directory server will have
the ability to not send the public key to the user logging in, even if they have
the correct private key.
A patch enabling this is available here: http://dev.inversepath.com/trac/openssh-lpk
The patch has moved to http://code.google.com/p/openssh-lpk/
*** Bug 529062 has been marked as a duplicate of this bug. ***
The more correct patch to sshd is posted to mindrot bugzilla as #1663
Deferring to 6.1
The patched version is successfully tested and deployed in fedora.
This is in Modified but I'm not seeing it in the openssh errata. You need to get the brew build updates and add it. This should have happened by the 6.1 code freeze, which was last Friday Feb 4.
I was manually able to use this feature and it works. Testing was done only using an ldap server without TLS. I'm currently creating a RHTS test that will automate the testing and will also test the feature in more depth.
The problem is the documentation because it is misleading in many places and it is scattered across 3 files:
I recommend having one file which will contain a step-by-step, up-to-date guide on how to set up openssh for getting public keys from an ldap server and maybe some basic information. Sections describing LPK should be wiped, for example this from lpk-user-example.txt:
Add the following config to /etc/ssh/ssh_config
The man page for ssh-ldap-helper is misleading as it says it can be used in sshd_config. This is not true, ssh-wrapper should be used instead in the latest version. The man page should mention that this tool is great for manual testing (not the opposite as it does now).
ssh-ldap-helper run without parameters should return the help and not end without a message.
The man page for ssh-ldap.conf was generated incorrectly and is missing new lines:
Both man pages should be reviewed by some other senior developer and then also by the documentation team.
Moving to assigned as the documentation for this nice feature needs improvements.
Great, the new package openssh-5.3p1-46.el5 now comes with a nice HOWTO in one file. The howto is understandable but needs to be reviewed by the documentation team to fix any grammatical issues. I'm contacting them to get this done.
The man page for ssh-ldap-helper is corrected now.
The ssh-ldap.conf is still broken (no newlines) and needs to be fixed so the bug stays in assigned.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
I am trying to get this working with our Active Directory but have a problem with the ldap_searching string.
I am wondering if this can be made configurable in the /etc/ssh/ldap.conf
In the openssh-5.3p1-ldap.patch file, if we can make this changeable in /etc/ssh/ldap.conf, that will be very helpful.
right now I have to change this
+#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
+#define LDAPSEARCH_FORMAT "(&(objectclass=user)(uid=%s)%s)"
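The two points raised in this bug, the description (a locked directory account must stop yielding a key) and the last comment (the LDAPSEARCH_FORMAT with its `uid=%s` placeholder should come from the config file), as an added example. This is not code from openssh-lpk, the mindrot patch or Red Hat's ssh-ldap-helper; it is a toy AuthorizedKeysCommand-style lookup in Python. Everything specific to it is an assumption: the `ssh_filter` keyword in an ldap.conf-style file, the in-memory directory with an `nsAccountLock` attribute for locked users, and the constructed entries and config text. The one caveat it adds that the page does not spell out is that whatever is substituted for `%s` has to be escaped per RFC 4515, otherwise a crafted login name rewrites the filter; the page says nothing about whether the real helper does this.

```python
"""Toy AuthorizedKeysCommand-style lookup of SSH public keys from an LDAP directory.

Added example; not code from openssh-lpk, the mindrot patch or Red Hat's
ssh-ldap-helper. Assumptions (all hypothetical): the search filter comes from
an `ssh_filter` keyword in an ldap.conf-style file, the directory is an
in-memory list of dicts, and a locked account carries nsAccountLock=TRUE.
"""
import re

# Default filter, copied from the LDAPSEARCH_FORMAT quoted in the bug: the first
# %s is the login name, the second an optional extra clause (often empty).
DEFAULT_FILTER = "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"

# RFC 4515 says these characters must be hex-escaped inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value: \\XX hex pairs back to characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_ldap_conf(text: str) -> dict:
    """Parse `keyword value` lines; '#' starts a comment, blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def build_filter(conf: dict, user: str, extra: str = "", escape: bool = True) -> str:
    """Substitute the login name into the configured (hypothetical ssh_filter)
    format. `escape=False` exists only to show what unescaped substitution does."""
    fmt = conf.get("ssh_filter", DEFAULT_FILTER)
    name = escape_filter_value(user) if escape else user
    args = (name, extra)[: fmt.count("%s")]   # format may use one or two %s
    return fmt % args


_ASSERTION = re.compile(r"\((\w+)=([^()]*)\)")


def matches(entry: dict, flt: str) -> bool:
    """Evaluate a conjunction of equality/presence assertions, i.e. filters of
    the shape `(&(a=v)(b=w)...)` as used on this page. Matching is
    case-insensitive, as for uid and objectClass in the standard schema."""
    m = re.fullmatch(r"\(&((?:\(\w+=[^()]*\))+)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    for attr, value in _ASSERTION.findall(m.group(1)):
        have = [str(v).lower() for v in entry.get(attr.lower(), [])]
        if value == "*":                                   # presence assertion
            if not have:
                return False
        elif unescape_filter_value(value).lower() not in have:
            return False
    return True


def authorized_keys(directory: list, conf: dict, user: str, escape: bool = True) -> list:
    """Return the sshPublicKey values for `user`, skipping locked accounts.
    This is the property the bug asks for: lock the account in the directory
    and sshd no longer receives the key, whatever private key the user holds."""
    flt = build_filter(conf, user, escape=escape)
    keys = []
    for entry in directory:
        if not matches(entry, flt):
            continue
        if any(v.upper() == "TRUE" for v in entry.get("nsaccountlock", [])):
            continue                                       # disabled in the directory
        keys.extend(entry.get("sshpublickey", []))
    return keys


# Constructed sample data: not taken from any real directory.
DIRECTORY = [
    {"objectclass": ["posixAccount", "ldapPublicKey"], "uid": ["alice"],
     "sshpublickey": ["ssh-ed25519 AAAAexample alice@example"]},
    {"objectclass": ["posixAccount", "ldapPublicKey"], "uid": ["bob"],
     "nsaccountlock": ["TRUE"],                            # terminated, locked
     "sshpublickey": ["ssh-ed25519 AAAAexample bob@example"]},
]

# Constructed ldap.conf-style fragment; `ssh_filter` is a hypothetical keyword.
CONF = parse_ldap_conf("""
uri ldaps://ldap.example.com
base dc=example,dc=com
ssh_filter (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s))
""")

if __name__ == "__main__":
    for name in ("alice", "bob", "*)(uid=*"):
        print(name, "->", authorized_keys(DIRECTORY, CONF, name))
    print("unescaped ->", authorized_keys(DIRECTORY, CONF, "*)(uid=*", escape=False))
```

Run stand-alone, the script shows alice's key being returned, bob getting nothing because his entry is locked, and the login name `*)(uid=*` returning nothing when escaped but every unlocked key when substituted raw, since the unescaped filter collapses to `(uid=*)` presence assertions. A real helper would send `build_filter()`'s output to the directory instead of `matches()`, and should still reject usernames that are not plain account names before substitution.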