Bug 589360 – openssh-ldap doesn't accept tls_checkpeer yes

Bug 589360 - openssh-ldap doesn't accept tls_checkpeer yes

Summary:	openssh-ldap doesn't accept tls_checkpeer yes

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	openssh (Show other bugs)
Sub Component:
Version:	14
Hardware:	All Linux

Priority	low Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Jan F. Chadima
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2010-05-05 18:56 EDT by Ruben Kerkhof
Modified:	2010-10-17 13:46 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:	openssh-5.5p1-10
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-10-17 13:46:17 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Ruben Kerkhof 2010-05-05 18:56:35 EDT

Description of problem:

I'm testing the new ldap public key support. My /etc/ldap.conf contains the following setting:

tls_checkpeer yes

Which, according to nss_ldap(5) is either yes or no

Running the ldap helper shows that this is not valid:

/usr/libexec/openssh/ssh-ldap-helper -v
debug1: Reading configuration data /etc/ldap.conf
/etc/ldap.conf line 17: Bad never/hard/demand/alow/try argument.


Version-Release number of selected component (if applicable):
openssh-ldap-5.5p1-6.fc14.x86_64

Comment 1 Tomas Mraz 2010-05-06 02:57:00 EDT

I think that /etc/openldap/ldap.conf should be used instead of /etc/ldap.conf.
The /etc/ldap.conf belongs to nss_ldap (before the split of pam_ldap) and should not be used anymore.

Comment 2 Jan F. Chadima 2010-05-06 04:58:48 EDT

The tls_checkpeer have this options according to the ldap docummentation newer, hard, demand allow and try
I'll make aliases newer = off and hard = on

Comment 3 Jan F. Chadima 2010-05-06 04:59:21 EDT

The tls_checkpeer have this options according to the ldap docummentation newer, hard, demand allow and try
I'll make aliases newer = off and hard = on

Comment 4 Ruben Kerkhof 2010-05-06 06:44:42 EDT

Hi Jan,

What documentation are you looking at? man ldap.conf(5) doesn't describe the tls_checkpeer setting.

Tomas is probably right, the config file should be /etc/openldap/ldap.conf

If I try that, I get the following output:

[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -f /etc/openldap/ldap.conf -s test
debug1: Reading configuration data /etc/openldap/ldap.conf
/etc/openldap/ldap.conf: line 6: Bad configuration option: TLS_CACERT
/etc/openldap/ldap.conf: line 8: Bad configuration option: TLS_REQCERT
debug1: LDAP do connect
debug1: LDAP process user
ldap_search_st(): Confidentiality required
debug1: LDAP do close

Comment 5 Jan F. Chadima 2010-05-06 10:12:43 EDT

Ok, I made the configuration compatibility  aliases TLS_CACERT (tls_cacertfile)  and TLS_REQCERT (tls_checkpeer).

Comment 6 Ruben Kerkhof 2010-05-06 11:46:12 EDT

I've just upgraded to openssh-ldap-5.5p1-8.fc14.x86_64

Ok, so which file has the right settings?

/etc/ldap.conf works, but has a few warnings:

[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -s test
debug1: Reading configuration data /etc/ldap.conf
/etc/ldap.conf: line 8: Bad configuration option: pam_login_attribute
/etc/ldap.conf: line 9: Bad configuration option: pam_lookup_policy
/etc/ldap.conf: line 10: Bad configuration option: pam_min_uid
/etc/ldap.conf: line 11: Bad configuration option: pam_max_uid
/etc/ldap.conf: line 12: Bad configuration option: nss_initgroups_ignoreusers
/etc/ldap.conf: line 16: Bad configuration option: tls_cafile
/etc/ldap.conf: line 17: Bad configuration option: pam_password
/etc/ldap.conf: line 19: Bad configuration option: nss_base_passwd
/etc/ldap.conf: line 20: Bad configuration option: nss_base_shadow
/etc/ldap.conf: line 21: Bad configuration option: nss_base_group
debug1: LDAP do connect
debug1: LDAP process user
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5QJURbD721XSQQMV9NgRZ5gI1RPigf13nH647cyL0sRbOJAOrxoQN2L522UrWy5FU+E3s66panx7kNclFLxbP9+I9aZ+g5soWEa+EgHgDRYIWwW5MThMGng8H8l+dm7j5a3vmOJfnx2kzhPNiHX5sfTsSSSQnyYSV6PiWRdy6NenFykVyC8b+Z9Mvy6QJoiWz8xgQWVwK1Or2Rp93tAdO7iW4eN+HFBf+NbNJWg1q8gFvee4mma7WYc/QW2ZKHc6NqWFjGrGKdnv/tNjShjRzFbntUof5vKjzDdovqVMxmxFgovSZLq7cI+JtAH6QivGqy0GQuVNKWiqCT6yF7DMv ruben@files
debug1: LDAP do close


If I use /etc/openldap/ldap.conf, the connection is not switched to TLS:
[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -f /etc/openldap/ldap.conf -s test
debug1: Reading configuration data /etc/openldap/ldap.conf
debug1: LDAP do connect
debug1: LDAP process user
ldap_search_st(): Confidentiality required
debug1: LDAP do close


Thanks

Comment 7 Jan F. Chadima 2010-05-06 11:50:14 EDT

(In reply to comment #6)
> I've just upgraded to openssh-ldap-5.5p1-8.fc14.x86_64
> 
> Ok, so which file has the right settings?
> 
> /etc/ldap.conf works, but has a few warnings:
> 
> [ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -s test
> debug1: Reading configuration data /etc/ldap.conf
> /etc/ldap.conf: line 8: Bad configuration option: pam_login_attribute
> /etc/ldap.conf: line 9: Bad configuration option: pam_lookup_policy
> /etc/ldap.conf: line 10: Bad configuration option: pam_min_uid
> /etc/ldap.conf: line 11: Bad configuration option: pam_max_uid
> /etc/ldap.conf: line 12: Bad configuration option: nss_initgroups_ignoreusers
> /etc/ldap.conf: line 16: Bad configuration option: tls_cafile
> /etc/ldap.conf: line 17: Bad configuration option: pam_password
> /etc/ldap.conf: line 19: Bad configuration option: nss_base_passwd
> /etc/ldap.conf: line 20: Bad configuration option: nss_base_shadow
> /etc/ldap.conf: line 21: Bad configuration option: nss_base_group
> debug1: LDAP do connect
> debug1: LDAP process user
> ssh-rsa

this is OK

> AAAAB3NzaC1yc2EAAAADAQABAAACAQC5QJURbD721XSQQMV9NgRZ5gI1RPigf13nH647cyL0sRbOJAOrxoQN2L522UrWy5FU+E3s66panx7kNclFLxbP9+I9aZ+g5soWEa+EgHgDRYIWwW5MThMGng8H8l+dm7j5a3vmOJfnx2kzhPNiHX5sfTsSSSQnyYSV6PiWRdy6NenFykVyC8b+Z9Mvy6QJoiWz8xgQWVwK1Or2Rp93tAdO7iW4eN+HFBf+NbNJWg1q8gFvee4mma7WYc/QW2ZKHc6NqWFjGrGKdnv/tNjShjRzFbntUof5vKjzDdovqVMxmxFgovSZLq7cI+JtAH6QivGqy0GQuVNKWiqCT6yF7DMv
> ruben@files
> debug1: LDAP do close
> 
> 
> If I use /etc/openldap/ldap.conf, the connection is not switched to TLS:
> [ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -f
> /etc/openldap/ldap.conf -s test
> debug1: Reading configuration data /etc/openldap/ldap.conf
> debug1: LDAP do connect
> debug1: LDAP process user
> ldap_search_st(): Confidentiality required
> debug1: LDAP do close
> 
do please /usr/libexec/openssh/ssh-ldap-helper -v -v -v -w -f /etc/openldap/ldap.conf -s test
(add 2 more -v) 

> 
> Thanks

Comment 8 Jan F. Chadima 2010-05-06 11:52:19 EDT

> /etc/ldap.conf: line 16: Bad configuration option: tls_cafile
what means tls_cafile it's typo or it's a new brand of configuration?

Comment 9 Ruben Kerkhof 2010-05-06 12:40:19 EDT

(In reply to comment #7)

Ok, here's the output:

ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -v -v -w -f /etc/openldap/ldap.conf -s test
debug1: Reading configuration data /etc/openldap/ldap.conf
debug3: === Configuration ===
debug3: URI ldap://ldap.priv.tilaa.nl
debug3: Host ldap.priv.tilaa.nl
debug3: Port 389
debug3: SSL No
debug3: Ldap_Version 3
debug3: Timelimit 10
debug3: Bind_Timelimit 10
debug3: Base dc=tilaa,dc=nl
debug3: BindDN 
debug3: BindPW 
debug3: Scope Sub
debug3: Deref Never
debug3: Referrals Yes
debug3: Restart Yes
debug3: Bind_Policy Hard
debug3: SSLPath <UNDEFINED>
debug3: TLS_CheckPeer Hard
debug3: TLS_CaCertFile /etc/openldap/cacerts/ca.pem
debug3: TLS_CaCertDir /etc/openldap/cacerts
debug3: TLS_Ciphers <UNDEFINED>
debug3: TLS_Cert <UNDEFINED>
debug3: TLS_Key <UNDEFINED>
debug3: TLS_RandFile <UNDEFINED>
debug3: Logdir <UNDEFINED>
debug3: Debug 0
debug3: SSH_Filter 
debug3: === *** ===
debug1: LDAP do connect
debug3: Set TLS CA cert file /etc/openldap/cacerts/ca.pem 
debug3: Set TLS CA cert dir /etc/openldap/cacerts 
debug3: Set TLS check peer to 1 
debug3: LDAP initialize ldap://ldap.priv.tilaa.nl
debug3: LDAP set version to 3
debug3: LDAP set rebind proc
debug3: LDAP set deref to 0
debug3: LDAP set timelimit to 10
debug3: LDAP set opt network timeout to 10.0
debug3: LDAP set referrals to 1
debug3: LDAP set restart to 1
debug3: LDAP simple bind ()
debug3: LDAP result in time
debug3: LDAP parse result OK
debug2: LDAP do connect OK
debug1: LDAP process user
debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=test))
ldap_search_st(): Confidentiality required
debug1: LDAP do close
debug2: LDAP do close OK

And for reference, the output of 
[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -v -v -w -f /etc/ldap.conf -s test
debug1: Reading configuration data /etc/ldap.conf
/etc/ldap.conf: line 8: Bad configuration option: pam_login_attribute
/etc/ldap.conf: line 9: Bad configuration option: pam_lookup_policy
/etc/ldap.conf: line 10: Bad configuration option: pam_min_uid
/etc/ldap.conf: line 11: Bad configuration option: pam_max_uid
/etc/ldap.conf: line 12: Bad configuration option: nss_initgroups_ignoreusers
/etc/ldap.conf: line 17: Bad configuration option: pam_password
/etc/ldap.conf: line 19: Bad configuration option: nss_base_passwd
/etc/ldap.conf: line 20: Bad configuration option: nss_base_shadow
/etc/ldap.conf: line 21: Bad configuration option: nss_base_group
debug3: === Configuration ===
debug3: URI ldap://ldap.priv.tilaa.nl
debug3: Host ldap.priv.tilaa.nl
debug3: Port 389
debug3: SSL Start_TLS
debug3: Ldap_Version 3
debug3: Timelimit 10
debug3: Bind_Timelimit 20
debug3: Base dc=tilaa,dc=nl
debug3: BindDN 
debug3: BindPW 
debug3: Scope Sub
debug3: Deref Never
debug3: Referrals Yes
debug3: Restart Yes
debug3: Bind_Policy Hard
debug3: SSLPath <UNDEFINED>
debug3: TLS_CheckPeer Hard
debug3: TLS_CaCertFile /etc/openldap/cacerts/ca.pem
debug3: TLS_CaCertDir /etc/openldap/cacerts
debug3: TLS_Ciphers <UNDEFINED>
debug3: TLS_Cert <UNDEFINED>
debug3: TLS_Key <UNDEFINED>
debug3: TLS_RandFile <UNDEFINED>
debug3: Logdir <UNDEFINED>
debug3: Debug 0
debug3: SSH_Filter 
debug3: === *** ===
debug1: LDAP do connect
debug3: Set TLS CA cert file /etc/openldap/cacerts/ca.pem 
debug3: Set TLS CA cert dir /etc/openldap/cacerts 
debug3: Set TLS check peer to 1 
debug3: LDAP initialize ldap://ldap.priv.tilaa.nl
debug3: LDAP set version to 3
debug3: LDAP set rebind proc
debug3: LDAP set deref to 0
debug3: LDAP set timelimit to 10
debug3: LDAP set opt network timeout to 20.0
debug3: LDAP set referrals to 1
debug3: LDAP set restart to 1
debug3: LDAP start TLS
debug3: LDAP simple bind ()
debug3: LDAP result in time
debug3: LDAP parse result OK
debug2: LDAP do connect OK
debug1: LDAP process user
debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=test))
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5QJURbD721XSQQMV9NgRZ5gI1RPigf13nH647cyL0sRbOJAOrxoQN2L522UrWy5FU+E3s66panx7kNclFLxbP9+I9aZ+g5soWEa+EgHgDRYIWwW5MThMGng8H8l+dm7j5a3vmOJfnx2kzhPNiHX5sfTsSSSQnyYSV6PiWRdy6NenFykVyC8b+Z9Mvy6QJoiWz8xgQWVwK1Or2Rp93tAdO7iW4eN+HFBf+NbNJWg1q8gFvee4mma7WYc/QW2ZKHc6NqWFjGrGKdnv/tNjShjRzFbntUof5vKjzDdovqVMxmxFgovSZLq7cI+JtAH6QivGqy0GQuVNKWiqCT6yF7DMv ruben@files
debug2: LDAP process user finished
debug1: LDAP do close
debug2: LDAP do close OK

In this case, start_tls is used.

(In reply to comment #8)
You're right, it's a typo. We've been using this setting for 2 years now, but it's probably redundant because I also have tls_cacertdir.

Btw, the following

Comment 10 Ruben Kerkhof 2010-05-13 12:34:27 EDT

I've got ldap public key lookups working now with openssh-ldap-5.5p1-9.fc14.x86_64, thanks!

File-based lookups (authorized_keys) stopped working though. Is it possible to fall back to file-based keys when there's no key in ldap?

3 further comments:
- man ssh-ldap-helper(8) refers to ssh_ldap.conf(5), but the manpage is ssh-ldap.conf(5) with a dash
- The PubkeyAgent section in sshd_config(5) is misformatted
- An example config file in /etc/ssh would be nice.

Thanks again!

Ruben

Comment 11 Jan F. Chadima 2010-05-14 03:51:44 EDT

(In reply to comment #10)
> 
> File-based lookups (authorized_keys) stopped working though. Is it possible to
> fall back to file-based keys when there's no key in ldap?
I will investigate it.
> 
> 3 further comments:
> - man ssh-ldap-helper(8) refers to ssh_ldap.conf(5), but the manpage is
> ssh-ldap.conf(5) with a dash
> - The PubkeyAgent section in sshd_config(5) is misformatted
> - An example config file in /etc/ssh would be nice.
All solved in openssh-5.5p1-10

Comment 12 Bug Zapper 2010-07-30 07:33:24 EDT

This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.