Red Hat Bugzilla – Bug 729772
sshd and ssh-ldap-helper seem not to agree on how the latter should be invoked
Last modified: 2011-08-11 15:34:08 EDT
Description of problem:
The documentation is conflicting regarding the following sshd_config options
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper -s %u
Specifically, the README.lpk file in the openssh-ldap package says the first should be used, while the sshd_config man page says the second should be used (and that the user name is always passed as the first argument).
In reality neither of them works, as it seems both programs expect their own version. Setting AuthorizedKeysCommand the first way (as README.lpk says) results in
error: user_key_via_command_allowed2: stat("/usr/libexec/openssh/ssh-ldap-helper -s %u"): No such file or directory
showing up in /var/log/secure. Setting it the second way (as sshd_config says) results in
ssh-ldap-helper: fatal: illegal extra parameter <username>
showing up in /var/log/messages. It would seem that one component (sshd or ssh-ldap-helper) was changed at some point without the other being updated too.
Version-Release number of selected component (if applicable): 5.5p1-25.fc14.2
How reproducible: always
Steps to Reproduce:
1. Install the openssh-ldap package
2. Set up as specified in the README.lpk (will produce the second error)
3. Change AuthorizedKeysCommand to just the command (will produce first error)
Actual results: error messages in log files
Expected results: no error messages and login with key should work
Manually running "/usr/libexec/openssh/ssh-ldap-helper -d -s <user>" can be used to verify that /etc/ssh/ldap.conf is setup correctly by retrieving a user's key.
Yes, you are right, there is a bug. The man page change and the helper application appear in F16. So you can grab it from there (the shell script and the man page).
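The mismatch described in this bug (sshd hands AuthorizedKeysCommand the user name as its only argument, while ssh-ldap-helper insists on "-s <user>") is the kind of gap a small wrapper script closes. The script below is an added example written for this page; it is not the shell script that ships in F16 nor any other openssh-ldap file. It assumes an install path of /usr/local/libexec/ssh-ldap-wrapper and an SSH_LDAP_HELPER environment override that exists only so the function can be exercised without an LDAP server. Install it root-owned and writable only by root (sshd stats the AuthorizedKeysCommand target to check ownership and mode; the stat() in the log line above is that check), then set "AuthorizedKeysCommand /usr/local/libexec/ssh-ldap-wrapper" in sshd_config. The wrapper also refuses user names that are not plain POSIX account names, so a value starting with "-" can never be turned into an extra helper option.

```shell
#!/bin/sh
# ssh-ldap-wrapper: adapt sshd's AuthorizedKeysCommand calling convention
# (user name as first argument) to ssh-ldap-helper's ("-s <user>").
# Added example for this bug page, not the openssh-ldap package's script.
# Assumed install path: /usr/local/libexec/ssh-ldap-wrapper
# SSH_LDAP_HELPER is an assumed override used only for testing offline.

HELPER="${SSH_LDAP_HELPER:-/usr/libexec/openssh/ssh-ldap-helper}"

# Print the authorized keys for one user on stdout; non-zero on failure.
ldap_keys_for_user() {
    user="$1"
    # Accept only plain account names: no empty string, no leading dash
    # (would be parsed as a helper option), no shell or path metacharacters.
    case "$user" in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "ssh-ldap-wrapper: refusing user name '$user'" >&2
            return 2 ;;
    esac
    if [ ! -x "$HELPER" ]; then
        echo "ssh-ldap-wrapper: helper '$HELPER' not found or not executable" >&2
        return 3
    fi
    # The calling convention ssh-ldap-helper actually accepts.
    "$HELPER" -s "$user"
}

# When sshd runs this file it passes exactly one argument, the user name.
if [ "$#" -eq 1 ]; then
    ldap_keys_for_user "$1"
    exit $?
fi
```

To check the wiring by hand before touching sshd_config, run the wrapper as root with a real account name and compare its output with "/usr/libexec/openssh/ssh-ldap-helper -d -s <user>" from the report above; both should print the same public key lines.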