Bug 671892 - AuthorizedKeysCommand doesn't work
Product: Fedora
Classification: Fedora
Component: openssh
Assigned To: Jan F. Chadima
Fedora Extras Quality Assurance
Reported: 2011-01-22 11:04 EST by Ruben Kerkhof
Modified: 2011-03-17 03:50 EDT

Doc Type: Bug Fix
Last Closed: 2011-03-17 03:50:31 EDT

Description Ruben Kerkhof 2011-01-22 11:04:44 EST
sshd fails to look up authorized keys in LDAP.

/etc/ssh/sshd_config contains:
AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-helper -s %u"

user_key_via_command_allowed2 does a stat on the AuthorizedKeysCommand, but of course the path 
/usr/libexec/openssh/ssh-ldap-helper -s %u doesn't exist.

An option would be to adjust ssh-ldap-helper to accept the username as the first argument, and make AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper
Comment 1 Ruben Kerkhof 2011-02-19 06:34:51 EST
Hi Jan,

This does happen on rawhide as well.

Would you mind taking a look? This is preventing me from upgrading all my machines from F-13 to F-14.
Comment 2 Jan F. Chadima 2011-02-25 06:19:14 EST
Please test openssh-5.8p1-10.fc16.1,
modify the configuration according to HOWTO.ldap-keys,
and report the result, please.
Comment 3 Ruben Kerkhof 2011-02-25 10:40:26 EST
Yes, this works, thanks.

Using a shell script as a wrapper feels a bit hackish though. I take it you're going to modify ssh-ldap-helper to just accept the user without the -s so the wrapper isn't needed?
Comment 4 Jan F. Chadima 2011-02-28 04:29:38 EST
The ssh-ldap-helper has other possible parameters. IMHO the wrapper is a pretty fine solution.
Comment 5 Ruben Kerkhof 2011-02-28 08:14:40 EST
Ok, fair enough.

HOWTO.ldap-keys says you have to use:
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper

But I could only get it working by quoting the command:
AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
Comment 6 Jan F. Chadima 2011-03-17 03:50:31 EDT
Everything is repaired in current rawhide.
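
The failure from the description and the wrapper fix from comments 2 to 5, as an added example that is not part of the bug report or of openssh. It assumes, as the report describes, that the whole AuthorizedKeysCommand value is treated as one path and stat'ed, and that the command receives the user name as its first argument; the function names, the stub helper and the temporary files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption (from the report): the whole AuthorizedKeysCommand
# value is treated as one path and stat'ed, so embedded arguments never match.

# akc_value_ok VALUE: succeed if VALUE, minus one pair of surrounding double
# quotes, names an existing regular file.
akc_value_ok() {
    v=$1
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    [ -f "$v" ]
}

# lint_sshd_config FILE: report every AuthorizedKeysCommand directive and
# return non-zero if any value would fail the check above.
lint_sshd_config() {
    rc=0
    while read -r key value; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        [ "$key" = authorizedkeyscommand ] || continue
        if akc_value_ok "$value"; then
            echo "ok:   $value"
        else
            echo "FAIL: $value (no such file; move arguments into a wrapper)"
            rc=1
        fi
    done < "$1"
    return $rc
}

# make_demo DIR: constructed sample files (stub helper, wrapper, two configs).
make_demo() {
    d=$1
    printf '#!/bin/sh\n[ "$1" = -s ] && echo "lookup:$2"\n' > "$d/ssh-ldap-helper"
    # Wrapper: a single path for sshd; assumes the user name arrives as $1.
    printf '#!/bin/sh\nexec "%s/ssh-ldap-helper" -s "$1"\n' "$d" > "$d/ssh-ldap-wrapper"
    chmod +x "$d/ssh-ldap-helper" "$d/ssh-ldap-wrapper"
    printf 'AuthorizedKeysCommand "%s/ssh-ldap-helper -s %%u"\n' "$d" > "$d/bad.conf"
    printf 'AuthorizedKeysCommand %s/ssh-ldap-wrapper\n' "$d" > "$d/good.conf"
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
lint_sshd_config "$demo_dir/bad.conf" || true
lint_sshd_config "$demo_dir/good.conf"
rm -rf "$demo_dir"
```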
