Bug 729772 - sshd and ssh-ldap-helper seem to not agree on how the latter should be invoked
Summary: sshd and ssh-ldap-helper seem to not agree on how the latter should be invoked
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 14
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Jan F. Chadima
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2011-08-10 19:09 UTC by Tyson Whitehead
Modified: 2011-08-11 19:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-08-11 19:34:08 UTC

Description Tyson Whitehead 2011-08-10 19:09:18 UTC
Description of problem:

The documentation is conflicting regarding the following sshd_config options

AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper -s %u
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper

Specifically, the README.lpk file in the openssh-ldap package says the first should be used, while the sshd_config man page says the second should be used (and that the user name is always passed as the first argument).

In reality, neither of them works, as it seems both programs expect their own version.  Setting AuthorizedKeysCommand the first way (as README.lpk says) results in

error: user_key_via_command_allowed2: stat("/usr/libexec/openssh/ssh-ldap-helper -s %u"): No such file or directory

showing up in /var/log/secure.  Setting it the second way (as sshd_config says) results in

ssh-ldap-helper[4140]: fatal: illegal extra parameter <username>

showing up in /var/log/messages.  It would seem that one component (sshd or ssh-ldap-helper) was changed at some point without the other being updated too.

Version-Release number of selected component (if applicable): 5.5p1-25.fc14.2

How reproducible: always

Steps to Reproduce:
1.  Install the openssh-ldap package
2.  Set up as specified in the README.lpk (will produce the second error)
3.  Change AuthorizedKeysCommand to just the command (will produce the first error)
Actual results: error messages in log files

Expected results: no error messages and login with key should work

Additional info:

Manually running "/usr/libexec/openssh/ssh-ldap-helper -d -s <user>" can be used to verify that /etc/ssh/ldap.conf is setup correctly by retrieving a user's key.

Comment 1 Jan F. Chadima 2011-08-11 19:34:08 UTC
Yes, you are right, there is a bug. The man page change and the helper application appear in F16. So you can grab it from there (the shell script and the man page).
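
The mismatch described in the report (sshd appends the user name as the only argument; ssh-ldap-helper wants it as `-s <user>`) is the kind of gap that a one-line wrapper script, like the shell script Comment 1 refers to, closes. The script below is an added example written for this page, not the Fedora package's own wrapper: it assumes the helper path and the `-s` option exactly as they appear in the report, and the script name `ssh-ldap-wrapper` and the `SSH_LDAP_HELPER` override variable are my own choices. It also refuses user names that could be mistaken by the helper for options, which the original helper invocation does not check.

```shell
#!/bin/sh
# ssh-ldap-wrapper (hypothetical name): bridge between sshd's AuthorizedKeysCommand
# calling convention (user name appended as the only argument) and the helper's
# own convention (-s <user>), both as reported on this page.
# SSH_LDAP_HELPER is an override introduced here so the script can be exercised
# without the real helper installed; the default path is the one from the report.
SSH_LDAP_HELPER="${SSH_LDAP_HELPER:-/usr/libexec/openssh/ssh-ldap-helper}"

# Accept only plain account names: non-empty, not starting with "-", and made of
# letters, digits, ".", "_" or "-". Anything else is refused so the value sshd
# hands us can never be parsed by the helper as one of its own options (e.g. -d).
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run the helper in "-s <user>" form. exec replaces this shell, so sshd reads the
# helper's stdout (the user's public keys) directly and sees its exit status.
run_wrapper() {
    if [ "$#" -ne 1 ]; then
        echo "usage: $0 <username> (sshd appends this automatically)" >&2
        return 2
    fi
    if ! valid_username "$1"; then
        # Deliberately does not echo the rejected value into the log.
        echo "ssh-ldap-wrapper: refusing suspicious user name" >&2
        return 1
    fi
    exec "$SSH_LDAP_HELPER" -s "$1"
}

# When sshd invokes the script it passes exactly one argument; with no
# arguments (e.g. when sourced for testing) only the functions are defined.
if [ "$#" -gt 0 ]; then
    run_wrapper "$@"
fi
```

Install the script executable and point `AuthorizedKeysCommand` at it with no arguments, so sshd's "stat on the whole string" failure goes away, while the wrapper supplies the `-s` the helper insists on. Because sshd passes the user name as the first positional argument, a wrapper is also the natural place to reject names beginning with `-` before they reach the helper's option parser; the real helper's `-d` debug flag from the report is exactly the kind of value that check keeps out.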
