
(-)openssh-5.5p1/auth2-pubkey.c.pka (-16 / +142 lines)
Lines 186-212 done: Link Here
186
186
187
/* return 1 if user allows given key */
187
/* return 1 if user allows given key */
188
static int
188
static int
189
user_key_allowed2(struct passwd *pw, Key *key, char *file)
189
user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
190
{
190
{
191
	char line[SSH_MAX_PUBKEY_BYTES];
191
	char line[SSH_MAX_PUBKEY_BYTES];
192
	const char *reason;
192
	const char *reason;
193
	int found_key = 0;
193
	int found_key = 0;
194
	FILE *f;
195
	u_long linenum = 0;
194
	u_long linenum = 0;
196
	Key *found;
195
	Key *found;
197
	char *fp;
196
	char *fp;
198
197
199
	/* Temporarily use the user's uid. */
200
	temporarily_use_uid(pw);
201
202
	debug("trying public key file %s", file);
203
	f = auth_openkeyfile(file, pw, options.strict_modes);
204
205
	if (!f) {
206
		restore_uid();
207
		return 0;
208
	}
209
210
	found_key = 0;
198
	found_key = 0;
211
	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
199
	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
212
200
Lines 281-288 user_key_allowed2(struct passwd *pw, Key Link Here
281
			break;
269
			break;
282
		}
270
		}
283
	}
271
	}
284
	restore_uid();
285
	fclose(f);
286
	key_free(found);
272
	key_free(found);
287
	if (!found_key)
273
	if (!found_key)
288
		debug2("key not found");
274
		debug2("key not found");
Lines 329-341 user_cert_trusted_ca(struct passwd *pw, Link Here
329
	return ret;
315
	return ret;
330
}
316
}
331
317
332
/* check whether given key is in .ssh/authorized_keys* */
318
/* return 1 if user allows given key */
319
static int
320
user_key_allowed2(struct passwd *pw, Key *key, char *file)
321
{
322
	FILE *f;
323
	int found_key = 0;
324
325
	/* Temporarily use the user's uid. */
326
	temporarily_use_uid(pw);
327
328
	debug("trying public key file %s", file);
329
	f = auth_openkeyfile(file, pw, options.strict_modes);
330
331
 	if (f) {
332
 		found_key = user_search_key_in_file (f, file, key, pw);
333
		fclose(f);
334
	}
335
336
	restore_uid();
337
	return found_key;
338
}
339
340
#ifdef WITH_PUBKEY_AGENT
341
342
#define WHITESPACE " \t\r\n"
343
344
/* return 1 if user allows given key */
345
static int
346
user_key_via_agent_allowed2(struct passwd *pw, Key *key)
347
{
348
	FILE *f;
349
	int found_key = 0;
350
	char *pubkey_agent_string = NULL;
351
	char *tmp_pubkey_agent_string = NULL;
352
	char *progname;
353
	char *cp;
354
	struct passwd *runas_pw;
355
	struct stat st;
356
357
	if (options.pubkey_agent == NULL || options.pubkey_agent[0] != '/')
358
		return -1;
359
360
	/* get the run as identity from config */
361
	runas_pw = (options.pubkey_agent_runas == NULL)? pw
362
	    : getpwnam (options.pubkey_agent_runas);
363
	if (!runas_pw) {
364
		error("%s: getpwnam(\"%s\"): %s", __func__,
365
		    options.pubkey_agent_runas, strerror(errno));
366
		return 0;
367
	}
368
369
	/* Temporarily use the specified uid. */
370
	if (runas_pw->pw_uid != 0)
371
		temporarily_use_uid(runas_pw);
372
373
	pubkey_agent_string = percent_expand(options.pubkey_agent,
374
	    "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL);
375
376
	/* Test whether agent can be modified by non root user */
377
	tmp_pubkey_agent_string = xstrdup (pubkey_agent_string);
378
	progname = strtok (tmp_pubkey_agent_string, WHITESPACE);
379
380
	debug3("%s: checking program '%s'", __func__, progname);
381
382
	if (stat (progname, &st) < 0) {
383
		error("%s: stat(\"%s\"): %s", __func__,
384
		    progname, strerror(errno));
385
		goto go_away;
386
	}
387
388
	if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
389
		error("bad ownership or modes for pubkey agent \"%s\"",
390
		    progname);
391
		goto go_away;
392
	}
393
394
	if (!S_ISREG(st.st_mode)) {
395
		error("pubkey agent \"%s\" is not a regular file",
396
		    progname);
397
		goto go_away;
398
	}
399
400
	/*
401
	 * Descend the path, checking that each component is a
402
	 * root-owned directory with strict permissions.
403
	 */
404
	do {
405
		if ((cp = strrchr(progname, '/')) == NULL)
406
			break;
407
		else 
408
			*cp = '\0';
409
	
410
		debug3("%s: checking component '%s'", __func__, progname);
411
412
		if (stat(progname, &st) != 0) {
413
			error("%s: stat(\"%s\"): %s", __func__,
414
			    progname, strerror(errno));
415
			goto go_away;
416
		}
417
		if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
418
			error("bad ownership or modes for pubkey agent path component \"%s\"",
419
			    progname);
420
			goto go_away;
421
		}
422
		if (!S_ISDIR(st.st_mode)) {
423
			error("pubkey agent path component \"%s\" is not a directory",
424
			    progname);
425
			goto go_away;
426
		}
427
	} while (0);
428
429
	/* open the pipe and read the keys */
430
	f = popen (pubkey_agent_string, "r");
431
	if (!f) {
432
		error("%s: popen (\"%s\", \"r\"): %s", __func__,
433
		    pubkey_agent_string, strerror (errno));
434
		goto go_away;
435
	}
436
437
	found_key = user_search_key_in_file (f, options.pubkey_agent, key, pw);
438
	pclose (f);
439
440
go_away:
441
	if (tmp_pubkey_agent_string)
442
		xfree (tmp_pubkey_agent_string);
443
	if (pubkey_agent_string)
444
		xfree (pubkey_agent_string);
445
446
	if (runas_pw->pw_uid != 0)
447
		restore_uid();
448
	return found_key;
449
}
450
#endif
451
452
/* check whether given key is in <pkey_agent or .ssh/authorized_keys* */
333
int
453
int
334
user_key_allowed(struct passwd *pw, Key *key)
454
user_key_allowed(struct passwd *pw, Key *key)
335
{
455
{
336
	int success;
456
	int success;
337
	char *file;
457
	char *file;
338
458
459
#ifdef WITH_PUBKEY_AGENT
460
	success = user_key_via_agent_allowed2(pw, key);
461
	if (success >= 0)
462
		return success;
463
#endif
464
339
	if (auth_key_is_revoked(key))
465
	if (auth_key_is_revoked(key))
340
		return 0;
466
		return 0;
341
	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
467
	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
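Review bot: The revocation checks are bypassed for agent-supplied keys: in user_key_allowed the new `#ifdef WITH_PUBKEY_AGENT` block returns `success` as soon as user_key_via_agent_allowed2 reports 0 or 1, and that happens before the two `auth_key_is_revoked` tests that follow it, so a key listed in RevokedKeys is accepted whenever the agent vouches for it. Move the five-line block below the `if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))` check so that only the not-configured result (-1) falls through, and a revoked key is rejected regardless of which source produced it. A second concern in user_key_via_agent_allowed2 is that the command string built by percent_expand from `%h`/`%u` (pw_dir and pw_name) is handed unquoted to `popen()`, i.e. to `/bin/sh -c`, so the ownership and mode checks on `progname` and its path components say nothing about how the shell interprets the remainder of the string; running the agent via fork/execve with an explicit argv would take the shell out of the path. Note also that when the agent is configured but stat, the mode check or popen fails, the function returns 0 rather than -1, so authorized_keys is never consulted although the header comment reads "pkey_agent or .ssh/authorized_keys*"; if that fallback is intended, the `go_away` paths should return -1. user_key_allowed's body continues outside the hunk.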
(-)openssh-5.5p1/config.h.in.pka (-5 / +89 lines)
Lines 1-5 Link Here
1
/* config.h.in.  Generated from configure.ac by autoheader.  */
1
/* config.h.in.  Generated from configure.ac by autoheader.  */
2
2
3
/* Define if building universal (internal helper macro) */
4
#undef AC_APPLE_UNIVERSAL_BUILD
5
3
/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
6
/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
4
   */
7
   */
5
#undef AIX_GETNAMEINFO_HACK
8
#undef AIX_GETNAMEINFO_HACK
Lines 536-541 Link Here
536
/* Define to 1 if you have the <lastlog.h> header file. */
539
/* Define to 1 if you have the <lastlog.h> header file. */
537
#undef HAVE_LASTLOG_H
540
#undef HAVE_LASTLOG_H
538
541
542
/* Define to 1 if you have the <lber.h> header file. */
543
#undef HAVE_LBER_H
544
545
/* Define to 1 if you have the `ldapssl_init' function. */
546
#undef HAVE_LDAPSSL_INIT
547
548
/* Define to 1 if you have the `ldap_controls_free' function. */
549
#undef HAVE_LDAP_CONTROLS_FREE
550
551
/* Define to 1 if you have the `ldap_get_lderrno' function. */
552
#undef HAVE_LDAP_GET_LDERRNO
553
554
/* Define to 1 if you have the `ldap_get_option' function. */
555
#undef HAVE_LDAP_GET_OPTION
556
557
/* Define to 1 if you have the <ldap.h> header file. */
558
#undef HAVE_LDAP_H
559
560
/* Define to 1 if you have the `ldap_init' function. */
561
#undef HAVE_LDAP_INIT
562
563
/* Define to 1 if you have the `ldap_initialize' function. */
564
#undef HAVE_LDAP_INITIALIZE
565
566
/* Define to 1 if you have the `ldap_memfree' function. */
567
#undef HAVE_LDAP_MEMFREE
568
569
/* Define to 1 if you have the `ldap_parse_result' function. */
570
#undef HAVE_LDAP_PARSE_RESULT
571
572
/* Define to 1 if you have the `ldap_pvt_tls_set_option' function. */
573
#undef HAVE_LDAP_PVT_TLS_SET_OPTION
574
575
/* Define to 1 if you have the `ldap_set_lderrno' function. */
576
#undef HAVE_LDAP_SET_LDERRNO
577
578
/* Define to 1 if you have the `ldap_set_option' function. */
579
#undef HAVE_LDAP_SET_OPTION
580
581
/* Define to 1 if you have the `ldap_set_rebind_proc' function. */
582
#undef HAVE_LDAP_SET_REBIND_PROC
583
584
/* Define to 1 if you have the <ldap_ssl.h> header file. */
585
#undef HAVE_LDAP_SSL_H
586
587
/* Define to 1 if you have the `ldap_start_tls_s' function. */
588
#undef HAVE_LDAP_START_TLS_S
589
590
/* Define to 1 if you have the <libaudit.h> header file. */
591
#undef HAVE_LIBAUDIT_H
592
539
/* Define to 1 if you have the `bsm' library (-lbsm). */
593
/* Define to 1 if you have the `bsm' library (-lbsm). */
540
#undef HAVE_LIBBSM
594
#undef HAVE_LIBBSM
541
595
Lines 575-580 Link Here
575
/* Define to 1 if you have the <limits.h> header file. */
629
/* Define to 1 if you have the <limits.h> header file. */
576
#undef HAVE_LIMITS_H
630
#undef HAVE_LIMITS_H
577
631
632
/* Define if you want Linux audit support. */
633
#undef HAVE_LINUX_AUDIT
634
578
/* Define to 1 if you have the <linux/if_tun.h> header file. */
635
/* Define to 1 if you have the <linux/if_tun.h> header file. */
579
#undef HAVE_LINUX_IF_TUN_H
636
#undef HAVE_LINUX_IF_TUN_H
580
637
Lines 771-776 Link Here
771
/* Define to 1 if you have the `setgroups' function. */
828
/* Define to 1 if you have the `setgroups' function. */
772
#undef HAVE_SETGROUPS
829
#undef HAVE_SETGROUPS
773
830
831
/* Define to 1 if you have the `setkeycreatecon' function. */
832
#undef HAVE_SETKEYCREATECON
833
774
/* Define to 1 if you have the `setlogin' function. */
834
/* Define to 1 if you have the `setlogin' function. */
775
#undef HAVE_SETLOGIN
835
#undef HAVE_SETLOGIN
776
836
Lines 921-933 Link Here
921
/* define if you have struct sockaddr_in6 data type */
981
/* define if you have struct sockaddr_in6 data type */
922
#undef HAVE_STRUCT_SOCKADDR_IN6
982
#undef HAVE_STRUCT_SOCKADDR_IN6
923
983
924
/* Define to 1 if `sin6_scope_id' is member of `struct sockaddr_in6'. */
984
/* Define to 1 if `sin6_scope_id' is a member of `struct sockaddr_in6'. */
925
#undef HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID
985
#undef HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID
926
986
927
/* define if you have struct sockaddr_storage data type */
987
/* define if you have struct sockaddr_storage data type */
928
#undef HAVE_STRUCT_SOCKADDR_STORAGE
988
#undef HAVE_STRUCT_SOCKADDR_STORAGE
929
989
930
/* Define to 1 if `st_blksize' is member of `struct stat'. */
990
/* Define to 1 if `st_blksize' is a member of `struct stat'. */
931
#undef HAVE_STRUCT_STAT_ST_BLKSIZE
991
#undef HAVE_STRUCT_STAT_ST_BLKSIZE
932
992
933
/* Define to 1 if the system has the type `struct timespec'. */
993
/* Define to 1 if the system has the type `struct timespec'. */
Lines 1191-1196 Link Here
1191
/* Define if pututxline updates lastlog too */
1251
/* Define if pututxline updates lastlog too */
1192
#undef LASTLOG_WRITE_PUTUTXLINE
1252
#undef LASTLOG_WRITE_PUTUTXLINE
1193
1253
1254
/* number arguments of ldap_set_rebind_proc */
1255
#undef LDAP_SET_REBIND_PROC_ARGS
1256
1194
/* Define if you want TCP Wrappers support */
1257
/* Define if you want TCP Wrappers support */
1195
#undef LIBWRAP
1258
#undef LIBWRAP
1196
1259
Lines 1274-1279 Link Here
1274
/* Define to the one symbol short name of this package. */
1337
/* Define to the one symbol short name of this package. */
1275
#undef PACKAGE_TARNAME
1338
#undef PACKAGE_TARNAME
1276
1339
1340
/* Define to the home page for this package. */
1341
#undef PACKAGE_URL
1342
1277
/* Define to the version of this package. */
1343
/* Define to the version of this package. */
1278
#undef PACKAGE_VERSION
1344
#undef PACKAGE_VERSION
1279
1345
Lines 1360-1365 Link Here
1360
/* Prepend the address family to IP tunnel traffic */
1426
/* Prepend the address family to IP tunnel traffic */
1361
#undef SSH_TUN_PREPEND_AF
1427
#undef SSH_TUN_PREPEND_AF
1362
1428
1429
/* Define to your vendor patch level, if it has been modified from the
1430
   upstream source release. */
1431
#undef SSH_VENDOR_PATCHLEVEL
1432
1363
/* Define to 1 if you have the ANSI C header files. */
1433
/* Define to 1 if you have the ANSI C header files. */
1364
#undef STDC_HEADERS
1434
#undef STDC_HEADERS
1365
1435
Lines 1418-1429 Link Here
1418
/* Define if you want IRIX project management */
1488
/* Define if you want IRIX project management */
1419
#undef WITH_IRIX_PROJECT
1489
#undef WITH_IRIX_PROJECT
1420
1490
1491
/* Enable LDAP pubkey support */
1492
#undef WITH_LDAP_PUBKEY
1493
1494
/* Enable pubkey agent support */
1495
#undef WITH_PUBKEY_AGENT
1496
1421
/* Define if you want SELinux support. */
1497
/* Define if you want SELinux support. */
1422
#undef WITH_SELINUX
1498
#undef WITH_SELINUX
1423
1499
1424
/* Define to 1 if your processor stores words with the most significant byte
1500
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
1425
   first (like Motorola and SPARC, unlike Intel and VAX). */
1501
   significant byte first (like Motorola and SPARC, unlike Intel). */
1426
#undef WORDS_BIGENDIAN
1502
#if defined AC_APPLE_UNIVERSAL_BUILD
1503
# if defined __BIG_ENDIAN__
1504
#  define WORDS_BIGENDIAN 1
1505
# endif
1506
#else
1507
# ifndef WORDS_BIGENDIAN
1508
#  undef WORDS_BIGENDIAN
1509
# endif
1510
#endif
1427
1511
1428
/* Define if xauth is found in your path */
1512
/* Define if xauth is found in your path */
1429
#undef XAUTH_PATH
1513
#undef XAUTH_PATH
(-)openssh-5.5p1/configure.ac.pka (+114 lines)
Lines 1346-1351 AC_ARG_WITH(audit, Link Here
1346
	esac ]
1346
	esac ]
1347
)
1347
)
1348
1348
1349
# Check whether user wants pubkey agent support
1350
PKA_MSG="no"
1351
AC_ARG_WITH(pka,
1352
	[  --with-pka      Enable pubkey agent support],
1353
	[
1354
		if test "x$withval" != "xno" ; then
1355
			AC_DEFINE([WITH_PUBKEY_AGENT], 1, [Enable pubkey agent support])
1356
			PKA_MSG="yes"
1357
		fi
1358
	]
1359
)
1360
1361
# Check whether user wants LDAP support
1362
LDAP_MSG="no"
1363
INSTALL_SSH_LDAP_HELPER=""
1364
AC_ARG_WITH(ldap,
1365
	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
1366
	[
1367
		if test "x$withval" != "xno" ; then
1368
1369
			INSTALL_SSH_LDAP_HELPER="yes"
1370
			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
1371
1372
			if test "x$withval" != "xyes" ; then
1373
				CPPFLAGS="$CPPFLAGS -I${withval}/include"
1374
				LDFLAGS="$LDFLAGS -L${withval}/lib"
1375
			fi
1376
1377
			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
1378
			LDAP_MSG="yes"
1379
1380
			AC_CHECK_HEADERS(lber.h)
1381
			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
1382
			AC_CHECK_HEADERS(ldap_ssl.h)
1383
1384
			AC_ARG_WITH(ldap-lib,
1385
				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
1386
1387
			if test -z "$with_ldap_lib"; then
1388
				with_ldap_lib=auto
1389
			fi
1390
1391
			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
1392
				AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
1393
				AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
1394
			fi
1395
1396
			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
1397
				AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
1398
			fi
1399
1400
			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
1401
				AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
1402
				if test -z "$found_ldap_lib"; then
1403
					AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
1404
				fi
1405
				if test -z "$found_ldap_lib"; then
1406
					AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
1407
				fi
1408
				if test -z "$found_ldap_lib"; then
1409
					AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
1410
				fi
1411
			fi
1412
1413
			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
1414
				AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
1415
			fi
1416
1417
			if test -z "$found_ldap_lib"; then
1418
				AC_MSG_ERROR(could not locate a valid LDAP library)
1419
			fi
1420
1421
			AC_MSG_CHECKING([for working LDAP support])
1422
			AC_TRY_COMPILE(
1423
				[#include <sys/types.h>
1424
				 #include <ldap.h>],
1425
				[(void)ldap_init(0, 0);],
1426
				[AC_MSG_RESULT(yes)],
1427
				[
1428
				    AC_MSG_RESULT(no) 
1429
					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
1430
				])
1431
			AC_CHECK_FUNCS( \
1432
				ldap_init \
1433
				ldap_get_lderrno \
1434
				ldap_set_lderrno \
1435
				ldap_parse_result \
1436
				ldap_memfree \
1437
				ldap_controls_free \
1438
				ldap_set_option \
1439
				ldap_get_option \
1440
				ldapssl_init \
1441
				ldap_start_tls_s \
1442
				ldap_pvt_tls_set_option \
1443
				ldap_initialize \
1444
			)
1445
			AC_CHECK_FUNCS(ldap_set_rebind_proc,
1446
				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
1447
				AC_TRY_COMPILE(
1448
					[#include <lber.h>
1449
					#include <ldap.h>],
1450
					[ldap_set_rebind_proc(0, 0, 0);],
1451
					[ac_cv_ldap_set_rebind_proc=3],
1452
					[ac_cv_ldap_set_rebind_proc=2])
1453
				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
1454
				AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
1455
			)
1456
		fi
1457
	]
1458
)
1459
AC_SUBST(INSTALL_SSH_LDAP_HELPER)
1460
1349
dnl    Checks for library functions. Please keep in alphabetical order
1461
dnl    Checks for library functions. Please keep in alphabetical order
1350
AC_CHECK_FUNCS( \
1462
AC_CHECK_FUNCS( \
1351
	arc4random \
1463
	arc4random \
Lines 4202-4207 echo " Linux audit support Link Here
4202
echo "                 Smartcard support: $SCARD_MSG"
4314
echo "                 Smartcard support: $SCARD_MSG"
4203
echo "                     S/KEY support: $SKEY_MSG"
4315
echo "                     S/KEY support: $SKEY_MSG"
4204
echo "              TCP Wrappers support: $TCPW_MSG"
4316
echo "              TCP Wrappers support: $TCPW_MSG"
4317
echo "                       PKA support: $PKA_MSG"
4318
echo "                      LDAP support: $LDAP_MSG"
4205
echo "              MD5 password support: $MD5_MSG"
4319
echo "              MD5 password support: $MD5_MSG"
4206
echo "                   libedit support: $LIBEDIT_MSG"
4320
echo "                   libedit support: $LIBEDIT_MSG"
4207
echo "  Solaris process contract support: $SPC_MSG"
4321
echo "  Solaris process contract support: $SPC_MSG"
(-)openssh-5.5p1/ldapbody.c.pka (+494 lines)
Line 0 Link Here
1
/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
2
/*
3
 * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
4
 *
5
 * Redistribution and use in source and binary forms, with or without
6
 * modification, are permitted provided that the following conditions
7
 * are met:
8
 * 1. Redistributions of source code must retain the above copyright
9
 *    notice, this list of conditions and the following disclaimer.
10
 * 2. Redistributions in binary form must reproduce the above copyright
11
 *    notice, this list of conditions and the following disclaimer in the
12
 *    documentation and/or other materials provided with the distribution.
13
 *
14
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24
 */
25
26
#include "ldapincludes.h"
27
#include "log.h"
28
#include "xmalloc.h"
29
#include "ldapconf.h"
30
#include "ldapmisc.h"
31
#include "ldapbody.h"
32
#include <stdio.h>
33
#include <unistd.h>
34
35
#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
36
#define PUBKEYATTR "sshPublicKey"
37
#define LDAP_LOGFILE	"%s/ldap.%d"
38
39
static FILE *logfile = NULL;
40
static LDAP *ld;
41
42
static char *attrs[] = {
43
    PUBKEYATTR,
44
    NULL
45
};
46
47
void
48
ldap_checkconfig (void)
49
{
50
#ifdef HAVE_LDAP_INITIALIZE
51
		if (options.host == NULL && options.uri == NULL)
52
#else
53
		if (options.host == NULL)
54
#endif
55
		    fatal ("missing  \"host\" in config file");
56
}
57
58
#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
59
static int
60
_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
61
{
62
	struct timeval timeout;
63
	int rc;
64
#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
65
	LDAPMessage *result;
66
#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
67
68
	debug2 ("Doing LDAP rebind to %s", options.binddn);
69
	if (options.ssl == SSL_START_TLS) {
70
		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
71
			error ("ldap_starttls_s: %s", ldap_err2string (rc));
72
			return LDAP_OPERATIONS_ERROR;
73
		}
74
	}
75
76
#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
77
	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
78
#else
79
	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
80
	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
81
82
	timeout.tv_sec = options.bind_timelimit;
83
	timeout.tv_usec = 0;
84
	result = NULL;
85
	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
86
		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
87
		ldap_msgfree (result);
88
		return LDAP_OPERATIONS_ERROR;
89
	}
90
	debug3 ("LDAP rebind to %s succesfull", options.binddn);
91
	return rc;
92
#endif
93
}
94
#else
95
96
static int
97
_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
98
{
99
	if (freeit)
100
	    return LDAP_SUCCESS;
101
102
	*whop = strdup (options.binddn);
103
	*credp = strdup (options.bindpw);
104
	*methodp = LDAP_AUTH_SIMPLE;
105
	debug2 ("Doing LDAP rebind for %s", *whop);
106
	return LDAP_SUCCESS;
107
}
108
#endif
109
110
void
111
ldap_do_connect(void)
112
{
113
	int rc, msgid, ld_errno = 0;
114
	struct timeval timeout;
115
#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
116
	int parserc;
117
	LDAPMessage *result;
118
	LDAPControl **controls;
119
	int reconnect = 0;
120
#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
121
122
	debug ("LDAP do connect");
123
124
retry:
125
	if (reconnect) {
126
		debug3 ("Reconnecting with ld_errno %d", ld_errno);
127
		if (options.bind_policy == 0 ||
128
		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
129
			reconnect > 5)
130
			    fatal ("Cannot connect to LDAP server");
131
	
132
		if (reconnect > 1)
133
			sleep (reconnect - 1);
134
135
		if (ld != NULL) {
136
			ldap_unbind (ld);
137
			ld = NULL;
138
		}
139
		logit("reconnecting to LDAP server...");
140
	}
141
142
	if (ld == NULL) {
143
		int rc;
144
		struct timeval tv;
145
146
#ifdef HAVE_LDAP_SET_OPTION
147
		if (options.debug > 0) {
148
#ifdef LBER_OPT_LOG_PRINT_FILE
149
			if (options.logdir) {
150
				char *logfilename;
151
				int logfilenamelen;
152
153
				logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
154
				logfilename = xmalloc (logfilenamelen);
155
				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
156
				logfilename[logfilenamelen - 1] = 0;
157
				if ((logfile = fopen (logfilename, "a")) == NULL)
158
				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
159
				debug3 ("LDAP debug into %s", logfilename);
160
				xfree (logfilename);
161
				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
162
			}
163
#endif
164
			if (options.debug) {
165
#ifdef LBER_OPT_DEBUG_LEVEL
166
				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
167
#endif /* LBER_OPT_DEBUG_LEVEL */
168
#ifdef LDAP_OPT_DEBUG_LEVEL
169
				ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
170
#endif /* LDAP_OPT_DEBUG_LEVEL */
171
				debug3 ("Set LDAP debug to %d", options.debug);
172
			}
173
		}
174
#endif /* HAVE_LDAP_SET_OPTION */
175
176
		ld = NULL;
177
#ifdef HAVE_LDAPSSL_INIT
178
		if (options.host != NULL) {
179
			if (options.ssl_on == SSL_LDAPS) {
180
				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
181
				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
182
				debug3 ("LDAPssl client init");
183
			}
184
185
			if (options.ssl_on != SSL_OFF) {
186
				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
187
				    fatal ("ldapssl_init failed");
188
				debug3 ("LDAPssl init");
189
			}
190
		}
191
#endif /* HAVE_LDAPSSL_INIT */
192
193
		/* continue with opening */
194
		if (ld == NULL) {
195
#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
196
			/* Some global TLS-specific options need to be set before we create our
197
			 * session context, so we set them here. */
198
199
#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
200
			/* rand file */
201
			if (options.tls_randfile != NULL) {
202
				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
203
				    options.tls_randfile)) != LDAP_SUCCESS)
204
					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
205
					    ldap_err2string (rc));
206
				debug3 ("Set TLS random file %s", options.tls_randfile);
207
			}
208
#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
209
210
			/* ca cert file */
211
			if (options.tls_cacertfile != NULL) {
212
				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
213
				    options.tls_cacertfile)) != LDAP_SUCCESS)
214
					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
215
					    ldap_err2string (rc));
216
				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
217
			}
218
219
			/* ca cert directory */
220
			if (options.tls_cacertdir != NULL) {
221
				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
222
				    options.tls_cacertdir)) != LDAP_SUCCESS)
223
					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
224
					    ldap_err2string (rc));
225
				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
226
			}
227
228
			/* require cert? */
229
			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
230
			    &options.tls_checkpeer)) != LDAP_SUCCESS)
231
				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
232
				    ldap_err2string (rc));
233
			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
234
235
			/* set cipher suite, certificate and private key: */
236
			if (options.tls_ciphers != NULL) {
237
				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
238
				    options.tls_ciphers)) != LDAP_SUCCESS)
239
					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
240
					    ldap_err2string (rc));
241
				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
242
			}
243
244
			/* cert file */
245
			if (options.tls_cert != NULL) {
246
				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
247
				    options.tls_cert)) != LDAP_SUCCESS)
248
					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
249
					    ldap_err2string (rc));
250
				debug3 ("Set TLS cert file %s ", options.tls_cert);
251
			}
252
253
			/* key file */
254
			if (options.tls_key != NULL) {
255
				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
256
				    options.tls_key)) != LDAP_SUCCESS)
257
					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
258
					    ldap_err2string (rc));
259
				debug3 ("Set TLS key file %s ", options.tls_key);
260
			}
261
#endif
262
#ifdef HAVE_LDAP_INITIALIZE
263
			if (options.uri != NULL) {
264
				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
265
					fatal ("ldap_initialize %s", ldap_err2string (rc));
266
				debug3 ("LDAP initialize %s", options.uri);
267
			}
268
	}
269
#endif /* HAVE_LDAP_INTITIALIZE */
270
271
		/* continue with opening */
272
		if ((ld == NULL) && (options.host != NULL)) {
273
#ifdef HAVE_LDAP_INIT
274
			if ((ld = ldap_init (options.host, options.port)) == NULL)
275
			    fatal ("ldap_init failed");
276
			debug3 ("LDAP init %s:%d", options.host, options.port);
277
#else
278
			if ((ld = ldap_open (options.host, options.port)) == NULL)
279
			    fatal ("ldap_open failed");
280
			debug3 ("LDAP open %s:%d", options.host, options.port);
281
#endif /* HAVE_LDAP_INIT */
282
		}
283
284
		if (ld == NULL)
285
			fatal ("no way to open ldap");
286
287
#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
288
		if (options.ssl == SSL_LDAPS) {
289
			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
290
				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
291
			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
292
		}
293
#endif /* LDAP_OPT_X_TLS */
294
295
#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
296
		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
297
		    &options.ldap_version);
298
#else
299
		ld->ld_version = options.ldap_version;
300
#endif
301
		debug3 ("LDAP set version to %d", options.ldap_version);
302
303
#if LDAP_SET_REBIND_PROC_ARGS == 3
304
		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
305
#elif LDAP_SET_REBIND_PROC_ARGS == 2
306
		ldap_set_rebind_proc (ld, _rebind_proc);
307
#else
308
#warning unknown LDAP_SET_REBIND_PROC_ARGS
309
#endif
310
		debug3 ("LDAP set rebind proc");
311
312
#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
313
		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
314
#else
315
		ld->ld_deref = options.deref;
316
#endif
317
		debug3 ("LDAP set deref to %d", options.deref);
318
319
#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
320
		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
321
		    &options.timelimit);
322
#else
323
		ld->ld_timelimit = options.timelimit;
324
#endif
325
		debug3 ("LDAP set timelimit to %d", options.timelimit);
326
327
#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
328
		/*
329
		 * This is a new option in the Netscape SDK which sets 
330
		 * the TCP connect timeout. For want of a better value,
331
		 * we use the bind_timelimit to control this.
332
		 */
333
		timeout = options.bind_timelimit * 1000;
334
		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
335
		debug3 ("LDAP set opt connect timeout to %d", timeout);
336
#endif
337
338
#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
339
		tv.tv_sec = options.bind_timelimit;
340
		tv.tv_usec = 0;
341
		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
342
		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
343
#endif
344
345
#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
346
		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
347
		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
348
		debug3 ("LDAP set referrals to %d", options.referrals);
349
#endif
350
351
#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
352
		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
353
		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
354
		debug3 ("LDAP set restart to %d", options.restart);
355
#endif
356
357
#ifdef HAVE_LDAP_START_TLS_S
358
		if (options.ssl == SSL_START_TLS) {
359
			int version;
360
361
			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
362
			    == LDAP_SUCCESS) {
363
				if (version < LDAP_VERSION3) {
364
					version = LDAP_VERSION3;
365
					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
366
					    &version);
367
					debug3 ("LDAP set version to %d", version);
368
				}
369
			}
370
371
			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
372
			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
373
			debug3 ("LDAP start TLS");
374
		}
375
#endif /* HAVE_LDAP_START_TLS_S */
376
	}
377
378
	if ((msgid = ldap_simple_bind (ld, options.binddn,
379
	    options.bindpw)) == -1) {
380
		ld_errno = ldap_get_lderrno (ld, 0, 0);
381
382
		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
383
		reconnect++;
384
		goto retry;
385
	}
386
	debug3 ("LDAP simple bind (%s)", options.binddn);
387
388
	timeout.tv_sec = options.bind_timelimit;
389
	timeout.tv_usec = 0;
390
	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
391
		ld_errno = ldap_get_lderrno (ld, 0, 0);
392
393
		error ("ldap_result %s", ldap_err2string (ld_errno));
394
		reconnect++;
395
		goto retry;
396
	}
397
	debug3 ("LDAP result in time");
398
399
#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
400
	controls = NULL;
401
	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
402
	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
403
	debug3 ("LDAP parse result OK");
404
405
	if (controls != NULL) {
406
		ldap_controls_free (controls);
407
	}
408
#else
409
	rc = ldap_result2error (session->ld, result, TRUE);
410
#endif
411
	if (rc != LDAP_SUCCESS)
412
	    fatal ("error trying to bind as user \"%s\" (%s)",
413
		options.binddn, ldap_err2string (rc));
414
415
	debug2 ("LDAP do connect OK");
416
}
417
418
void
419
process_user (const char *user, FILE *output)
420
{
421
	LDAPMessage *res, *e;
422
	char *buffer;
423
	int bufflen, rc, i;
424
	struct timeval timeout;
425
426
	debug ("LDAP process user");
427
428
	/* quick check for attempts to be evil */
429
	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
430
	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
431
		logit ("illegal user name %s not processed", user);
432
		return;
433
	}
434
435
	/* build  filter for LDAP request */
436
	bufflen = strlen (LDAPSEARCH_FORMAT) + strlen (user);
437
	if (options.ssh_filter != NULL)
438
	    bufflen += strlen (options.ssh_filter);
439
	buffer = xmalloc (bufflen);
440
	snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
441
	buffer[bufflen - 1] = 0;
442
443
	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
444
445
	timeout.tv_sec = options.timelimit;
446
	timeout.tv_usec = 0;
447
	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
448
		error ("ldap_search_st(): %s", ldap_err2string (rc));
449
		xfree (buffer);
450
		return;
451
	}
452
453
	/* free */
454
	xfree (buffer);
455
456
	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
457
		int num;
458
		struct berval **keys;
459
460
		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
461
		num = ldap_count_values_len(keys);
462
		for (i = 0 ; i < num ; i++) {
463
			char *cp; //, *options = NULL;
464
465
			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
466
			if (!*cp || *cp == '\n' || *cp == '#')
467
			    continue;
468
469
			/* We have found the desired key. */
470
			fprintf (output, "%s\n", keys[i]->bv_val);
471
		}
472
473
		ldap_value_free_len(keys);
474
	}
475
476
	ldap_msgfree(res);
477
	debug2 ("LDAP process user finished");
478
}
479
480
void
481
ldap_do_close(void)
482
{
483
	int rc;
484
485
	debug ("LDAP do close");
486
	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
487
	    fatal ("ldap_unbind_ext: %s",
488
                                    ldap_err2string (rc));
489
490
	ld = NULL;
491
	debug2 ("LDAP do close OK");
492
	return;
493
}
494
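--- a/openssh-5.5p1/ldapbody.h
+++ b/openssh-5.5p1/ldapbody.h
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPBODY_H
+#define LDAPBODY_H
+
+#include <stdio.h>
+
+void ldap_checkconfig(void);
+void ldap_do_connect(void);
+void process_user(const char *, FILE *);
+void ldap_do_close(void);
+
+#endif /* LDAPBODY_H */
+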
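--- a/openssh-5.5p1/ldapconf.c
+++ b/openssh-5.5p1/ldapconf.c
@@ -0,0 +1,682 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ldapincludes.h"
+#include "ldap-helper.h"
+#include "log.h"
+#include "misc.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
+#include <unistd.h>
+#include <string.h>
+
+/* Keyword tokens. */
+
+typedef enum {
+	lBadOption,
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
+	lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
+	lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
+	lDeprecated, lUnsupported
+} OpCodes;
+
+/* Textual representations of the tokens. */
+
+static struct {
+	const char *name;
+	OpCodes opcode;
+} keywords[] = {
+	{ "URI", lURI },
+	{ "Base", lBase },
+	{ "BindDN", lBindDN },
+	{ "BindPW", lBindPW },
+	{ "RootBindDN", lRootBindDN },
+	{ "Host", lHost },
+	{ "Port", lPort },
+	{ "Scope", lScope },
+	{ "Deref", lDeref },
+	{ "TimeLimit", lTimeLimit },
+	{ "TimeOut", lTimeLimit },
+	{ "Bind_Timelimit", lBind_TimeLimit },
+	{ "Network_TimeOut", lBind_TimeLimit },
+/*
+ * Todo
+ * SIZELIMIT
+ */
+	{ "Ldap_Version", lLdap_Version },
+	{ "Version", lLdap_Version },
+	{ "Bind_Policy", lBind_Policy },
+	{ "SSLPath", lSSLPath },
+	{ "SSL", lSSL },
+	{ "Referrals", lReferrals },
+	{ "Restart", lRestart },
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
+	{ "TLS_ReqCert", lTLS_CheckPeer },
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
+	{ "TLS_CaCert", lTLS_CaCertFile },
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
+	{ "TLS_Ciphers", lTLS_Ciphers },
+	{ "TLS_Cipher_Suite", lTLS_Ciphers },
+	{ "TLS_Cert", lTLS_Cert },
+	{ "TLS_Certificate", lTLS_Cert },
+	{ "TLS_Key", lTLS_Key },
+	{ "TLS_RandFile", lTLS_RandFile },
+/*
+ * Todo
+ * TLS_CRLCHECK
+ * TLS_CRLFILE
+ */
+	{ "LogDir", lLogDir },
+	{ "Debug", lDebug },
+	{ "SSH_Filter", lSSH_Filter },
+	{ NULL, lBadOption }
+};
+
+/* Configuration ptions. */
+
+Options options;
+
+/*
+ * Returns the number of the token pointed to by cp or oBadOption.
+ */
+
+static OpCodes
+parse_token(const char *cp, const char *filename, int linenum)
+{
+	u_int i;
+
+	for (i = 0; keywords[i].name; i++)
+		if (strcasecmp(cp, keywords[i].name) == 0)
+			return keywords[i].opcode;
+
+	if (config_warning_config_file) 
+	    logit("%s: line %d: Bad configuration option: %s",
+		filename, linenum, cp);
+	return lBadOption;
+}
+
+/*
+ * Processes a single option line as used in the configuration files. This
+ * only sets those values that have not already been set.
+ */
+#define WHITESPACE " \t\r\n"
+
+static int
+process_config_line(char *line, const char *filename, int linenum)
+{
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
+	char *rootbinddn = NULL;
+	int opcode, *intptr, value;
+	size_t len;
+
+	/* Strip trailing whitespace */
+	for (len = strlen(line) - 1; len > 0; len--) {
+		if (strchr(WHITESPACE, line[len]) == NULL)
+			break;
+		line[len] = '\0';
+	}
+
+	s = line;
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
+	if ((keyword = strdelim(&s)) == NULL)
+		return 0;
+	/* Ignore leading whitespace. */
+	if (*keyword == '\0')
+		keyword = strdelim(&s);
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
+		return 0;
+
+	opcode = parse_token(keyword, filename, linenum);
+
+	switch (opcode) {
+	case lBadOption:
+		/* don't panic, but count bad options */
+		return -1;
+		/* NOTREACHED */
+
+	case lHost:
+		xstringptr = &options.host;
+parse_xstring:
+		if (!s || *s == '\0')
+		    fatal("%s line %d: missing dn",filename,linenum);
+		if (*xstringptr == NULL)
+		    *xstringptr = xstrdup(s);
+		return 0;
+
+	case lURI:
+		xstringptr = &options.uri;
+		goto parse_xstring;
+
+	case lBase:
+		xstringptr = &options.base;
+		goto parse_xstring;
+
+	case lBindDN:
+		xstringptr = &options.binddn;
+		goto parse_xstring;
+
+	case lBindPW:
+		charptr = &options.bindpw;
+parse_string:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (*charptr == NULL)
+			*charptr = xstrdup(arg);
+		break;
+
+	case lRootBindDN:
+		xstringptr = &rootbinddn;
+		goto parse_xstring;
+
+	case lScope:
+		intptr = &options.scope;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
+			value = LDAP_SCOPE_SUBTREE;
+		else if (strcasecmp (arg, "one") == 0)
+			value = LDAP_SCOPE_ONELEVEL;
+		else if (strcasecmp (arg, "base") == 0)
+			value = LDAP_SCOPE_BASE;
+		else
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lDeref:
+		intptr = &options.scope;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (!strcasecmp (arg, "never"))
+			value = LDAP_DEREF_NEVER;
+		else if (!strcasecmp (arg, "searching"))
+			value = LDAP_DEREF_SEARCHING;
+		else if (!strcasecmp (arg, "finding"))
+			value = LDAP_DEREF_FINDING;
+		else if (!strcasecmp (arg, "always"))
+			value = LDAP_DEREF_ALWAYS;
+		else
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lPort:
+		intptr = &options.port;
+parse_int:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (arg[0] < '0' || arg[0] > '9')
+			fatal("%.200s line %d: Bad number.", filename, linenum);
+
+		/* Octal, decimal, or hex format? */
+		value = strtol(arg, &endofnumber, 0);
+		if (arg == endofnumber)
+			fatal("%.200s line %d: Bad number.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lTimeLimit:
+		intptr = &options.timelimit;
+parse_time:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: missing time value.",
+			    filename, linenum);
+		if ((value = convtime(arg)) == -1)
+			fatal("%s line %d: invalid time value.",
+			    filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lBind_TimeLimit:
+		intptr = &options.bind_timelimit;
+		goto parse_time;
+
+	case lLdap_Version:
+		intptr = &options.ldap_version;
+		goto parse_int;
+
+	case lBind_Policy:
+		intptr = &options.bind_policy;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
+			value = 1;
+		else if (strcasecmp(arg, "soft") == 0)
+			value = 0;
+		else
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
+		if (*intptr == -1)
+		break;
+
+	case lSSLPath:
+		charptr = &options.sslpath;
+		goto parse_string;
+
+	case lSSL:
+		intptr = &options.ssl;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
+			value = SSL_LDAPS;
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
+			value = SSL_OFF;
+		else if (!strcasecmp (arg, "start_tls"))
+			value = SSL_START_TLS;
+		else
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lReferrals:
+		intptr = &options.referrals;
+parse_flag:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
+			value = 1;
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
+			value = 0;
+		else
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
+	case lRestart:
+		intptr = &options.restart;
+		goto parse_flag;
+
+	case lTLS_CheckPeer:
+		intptr = &options.tls_checkpeer;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
+			value = LDAP_OPT_X_TLS_NEVER;
+		else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
+			value = LDAP_OPT_X_TLS_HARD;
+		else if (strcasecmp(arg, "demand") == 0)
+			value = LDAP_OPT_X_TLS_DEMAND;
+		else if (strcasecmp(arg, "allow") == 0)
+			value = LDAP_OPT_X_TLS_ALLOW;
+		else if (strcasecmp(arg, "try") == 0)
+			value = LDAP_OPT_X_TLS_TRY;
+		else
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
+		if (*intptr == -1)
+		break;
+
+	case lTLS_CaCertFile:
+		charptr = &options.tls_cacertfile;
+		goto parse_string;
+
+	case lTLS_CaCertDir:
+		charptr = &options.tls_cacertdir;
+		goto parse_string;
+
+	case lTLS_Ciphers:
+		xstringptr = &options.tls_ciphers;
+		goto parse_xstring;
+
+	case lTLS_Cert:
+		charptr = &options.tls_cert;
+		goto parse_string;
+
+	case lTLS_Key:
+		charptr = &options.tls_key;
+		goto parse_string;
+
+	case lTLS_RandFile:
+		charptr = &options.tls_randfile;
+		goto parse_string;
+
+	case lLogDir:
+		charptr = &options.logdir;
+		goto parse_string;
+
+	case lDebug:
+		intptr = &options.debug;
+		goto parse_int;
+
+	case lSSH_Filter:
+		xstringptr = &options.ssh_filter;
+		goto parse_xstring;
+
+	case lDeprecated:
+		debug("%s line %d: Deprecated option \"%s\"",
+		    filename, linenum, keyword);
+		return 0;
+
+	case lUnsupported:
+		error("%s line %d: Unsupported option \"%s\"",
+		    filename, linenum, keyword);
+		return 0;
+
+	default:
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
+	}
+
+	/* Check that there is no garbage at end of line. */
+	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
+		    filename, linenum, arg);
+	}
+	return 0;
+}
+
+/*
+ * Reads the config file and modifies the options accordingly.  Options
+ * should already be initialized before this call.  This never returns if
+ * there is an error.  If the file does not exist, this returns 0.
+ */
+
+void
+read_config_file(const char *filename)
+{
+	FILE *f;
+	char line[1024];
+	int active, linenum;
+	int bad_options = 0;
+	struct stat sb;
+
+	if ((f = fopen(filename, "r")) == NULL)
+		fatal("fopen %s: %s", filename, strerror(errno));
+
+	if (fstat(fileno(f), &sb) == -1)
+		fatal("fstat %s: %s", filename, strerror(errno));
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
+	    (sb.st_mode & 022) != 0))
+		fatal("Bad owner or permissions on %s", filename);
+
+	debug("Reading configuration data %.200s", filename);
+
+	/*
+	 * Mark that we are now processing the options.  This flag is turned
+	 * on/off by Host specifications.
+	 */
+	active = 1;
+	linenum = 0;
+	while (fgets(line, sizeof(line), f)) {
+		/* Update line number counter. */
+		linenum++;
+		if (process_config_line(line, filename, linenum) != 0)
+			bad_options++;
+	}
+	fclose(f);
+	if ((bad_options > 0) && config_exclusive_config_file) 
+		fatal("%s: terminating, %d bad configuration options",
+		    filename, bad_options);
+}
+
+/*
+ * Initializes options to special values that indicate that they have not yet
+ * been set.  Read_config_file will only set options with this value. Options
+ * are processed in the following order: command line, user config file,
+ * system config file.  Last, fill_default_options is called.
+ */
+
+void
+initialize_options(void)
+{
+	memset(&options, 'X', sizeof(options));
+	options.host = NULL;
+	options.uri = NULL;
+	options.base = NULL;
+	options.binddn = NULL;
+	options.bindpw = NULL;
+	options.scope = -1;
+	options.deref = -1;
+	options.port = -1;
+	options.timelimit = -1;
+	options.bind_timelimit = -1;
+	options.ldap_version = -1;
+	options.bind_policy = -1;
+	options.sslpath = NULL;
+	options.ssl = -1;
+	options.referrals = -1;
+	options.restart = -1;
+	options.tls_checkpeer = -1;
+	options.tls_cacertfile = NULL;
+	options.tls_cacertdir = NULL;
+	options.tls_ciphers = NULL;
+	options.tls_cert = NULL;
+	options.tls_key = NULL;
+	options.tls_randfile = NULL;
+	options.logdir = NULL;
+	options.debug = -1;
+	options.ssh_filter = NULL;
+}
+
+/*
+ * Called after processing other sources of option data, this fills those
+ * options for which no value has been specified with their default values.
+ */
+
+void
+fill_default_options(void)
+{
+	if (options.uri != NULL) {
+		LDAPURLDesc *ludp;
+
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
+			if (options.ssl == -1) {
+				if (strcmp (ludp->lud_scheme, "ldap") == 0)
+				    options.ssl = 2;
+				if (strcmp (ludp->lud_scheme, "ldapi") == 0)
+				    options.ssl = 0;
+				else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
+				    options.ssl = 1;
+			}
+			if (options.host == NULL)
+			    options.host = xstrdup (ludp->lud_host);
+			if (options.port == -1)
+			    options.port = ludp->lud_port;
+
+			ldap_free_urldesc (ludp);
+		}
+	} 
+	if (options.ssl == -1)
+	    options.ssl = SSL_START_TLS;
+	if (options.port == -1)
+	    options.port = (options.ssl == 0) ? 389 : 636;
+	if (options.uri == NULL) {
+		int len;
+#define MAXURILEN 4096
+
+		options.uri = xmalloc (MAXURILEN);
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
+		options.uri[MAXURILEN - 1] = 0;
+		options.uri = xrealloc (options.uri, len + 1, 1);
+	}
+	if (options.binddn == NULL)
+	    options.binddn = "";
+	if (options.bindpw == NULL)
+	    options.bindpw = "";
+	if (options.scope == -1)
+	    options.scope = LDAP_SCOPE_SUBTREE;
+	if (options.deref == -1)
+	    options.deref = LDAP_DEREF_NEVER;
+	if (options.timelimit == -1)
+	    options.timelimit = 10;
+	if (options.bind_timelimit == -1)
+	    options.bind_timelimit = 10;
+	if (options.ldap_version == -1)
+	    options.ldap_version = 3;
+	if (options.bind_policy == -1)
+	    options.bind_policy = 1;
+	if (options.referrals == -1)
+	    options.referrals = 1;
+	if (options.restart == -1)
+	    options.restart = 1;
+	if (options.tls_checkpeer == -1)
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
+	if (options.debug == -1)
+	    options.debug = 0;
+	if (options.ssh_filter == NULL)
+	    options.ssh_filter = "";
+}
+
+static const char *
+lookup_opcode_name(OpCodes code)
+{
+	u_int i;
+
+	for (i = 0; keywords[i].name != NULL; i++)
+	    if (keywords[i].opcode == code)
+		return(keywords[i].name);
+	return "UNKNOWN";
+}
+
+static void
+dump_cfg_string(OpCodes code, const char *val)
+{
+	if (val == NULL)
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
+	else
+	    debug3("%s %s", lookup_opcode_name(code), val);
+}
+
+static void
+dump_cfg_int(OpCodes code, int val)
+{
+	if (val == -1)
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
+	else
+	    debug3("%s %d", lookup_opcode_name(code), val);
+}
+
+struct names {
+	int value;
+	char *name;
+};
+
+static void
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
+{
+	u_int i;
+
+	if (val == -1)
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
+	else {
+		for (i = 0; names[i].value != -1; i++)
+	 	    if (names[i].value == val) {
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
+			    return;
+		}
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
+	}
+}
+
+static struct names _yesnotls[] = {
+	{ 0, "No" },
+	{ 1, "Yes" },
+	{ 2, "Start_TLS" },
+	{ -1, NULL }};
+
+static struct names _scope[] = {
+	{ LDAP_SCOPE_BASE, "Base" },
+	{ LDAP_SCOPE_ONELEVEL, "One" },
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
+	{ -1, NULL }};
+
+static struct names _deref[] = {
+	{ LDAP_DEREF_NEVER, "Never" },
+	{ LDAP_DEREF_SEARCHING, "Searching" },
+	{ LDAP_DEREF_FINDING, "Finding" },
+	{ LDAP_DEREF_ALWAYS, "Always" },
+	{ -1, NULL }};
+
+static struct names _yesno[] = {
+	{ 0, "No" },
+	{ 1, "Yes" },
+	{ -1, NULL }};
+
+static struct names _bindpolicy[] = {
+	{ 0, "Soft" },
+	{ 1, "Hard" },
+	{ -1, NULL }};
+
+static struct names _checkpeer[] = {
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
+	{ -1, NULL }};
+
+void
+dump_config(void)
+{
+	dump_cfg_string(lURI, options.uri);
+	dump_cfg_string(lHost, options.host);
+	dump_cfg_int(lPort, options.port);
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
+	dump_cfg_int(lLdap_Version, options.ldap_version);
+	dump_cfg_int(lTimeLimit, options.timelimit);
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
+	dump_cfg_string(lBase, options.base);
+	dump_cfg_string(lBindDN, options.binddn);
+	dump_cfg_string(lBindPW, options.bindpw);
+	dump_cfg_namedint(lScope, options.scope, _scope);
+	dump_cfg_namedint(lDeref, options.deref, _deref);
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
+	dump_cfg_string(lSSLPath, options.sslpath);
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
+	dump_cfg_string(lTLS_Key, options.tls_key);
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
+	dump_cfg_string(lLogDir, options.logdir);
+	dump_cfg_int(lDebug, options.debug);
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
+}
+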
682
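--- a/openssh-5.5p1/ldapconf.h
+++ b/openssh-5.5p1/ldapconf.h
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPCONF_H
+#define LDAPCONF_H
+
+#define SSL_OFF          0
+#define SSL_LDAPS        1
+#define SSL_START_TLS    2
+
+/* Data structure for representing option data. */
+
+typedef struct {
+	char *host;
+	char *uri;
+	char *base;
+	char *binddn;
+	char *bindpw;
+	int scope;
+	int deref;
+	int port;
+	int timelimit;
+	int bind_timelimit;
+	int ldap_version;
+	int bind_policy;
+	char *sslpath;
+	int ssl;
+	int referrals;
+	int restart;
+	int tls_checkpeer;
+	char *tls_cacertfile;
+	char *tls_cacertdir;
+	char *tls_ciphers;
+	char *tls_cert;
+	char *tls_key;
+	char *tls_randfile;
+	char *logdir;
+	int debug;
+	char *ssh_filter;
+}       Options;
+
+extern Options options;
+
+void read_config_file(const char *);
+void initialize_options(void);
+void fill_default_options(void);
+void dump_config(void);
+
+#endif /* LDAPCONF_H */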
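Review bot: The `Options` struct carries no documentation, yet its unset-sentinel convention is the contract every user of this header depends on: ldapconf.c's initialize_options sets every `int` to `-1` and every `char *` to `NULL`, and fill_default_options only fills fields still holding those values. A comment above `typedef struct {` along the lines of `/* Unset fields hold -1 (ints) or NULL (strings) until fill_default_options() runs. String fields may point at xstrdup'd memory or at string literals and must not be freed. */` would record that; the literal case is real, since fill_default_options assigns `""` to binddn, bindpw and ssh_filter. The `$OpenBSD:` tag on the first line names `ldapconf.c` rather than this header. `bindpw` sits among non-sensitive fields with nothing marking it as a credential; a one-line comment on that field would help anyone later adding dump or log code.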
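--- a/openssh-5.5p1/ldap.conf
+++ b/openssh-5.5p1/ldap.conf
@@ -0,0 +1,88 @@
+# $Id: ldap.conf,v 1.0 2010/03/13 21:41:34 jfch Exp $
+#
+# This is the example configuration file for the OpenSSH
+# LDAP backend
+# 
+# see ssh-ldap.conf(5)
+#
+
+# URI with your LDAP server name. This allows to use
+# Unix Domain Sockets to connect to a local LDAP Server.
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/   
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# Another way to specify your LDAP server is to provide an
+# host name and the port of our LDAP server. Host name
+# must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a 
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
+#host 127.0.0.1
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=openssh_keys,dc=example,dc=org
+
+# The credentials to bind with. 
+# Optional: default is no credential.
+#bindpw TopSecret
+
+# The distinguished name of the search base.
+#base dc=example,dc=org
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit
+#timelimit 30
+
+# Bind/connect timelimit
+#bind_timelimit 30
+
+# Reconnect policy: hard (default) will retry connecting to
+# the software with exponential backoff, soft will fail
+# immediately.
+#bind_policy hard
+
+# SSL setup, may be implied by URI also.
+#ssl no
+#ssl on
+#ssl start_tls
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer hard
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/pki/tls/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+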
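--- a/openssh-5.5p1/ldap-helper.c
+++ b/openssh-5.5p1/ldap-helper.c
@@ -0,0 +1,154 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ldapincludes.h"
+#include "log.h"
+#include "misc.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
+#include "ldapbody.h"
+#include <string.h>
+#include <unistd.h>
+
+static int config_debug = 0;
+int config_exclusive_config_file = 0;
+static char *config_file_name = "/etc/ssh/ldap.conf";
+static char *config_single_user = NULL;
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
+int config_warning_config_file = 0;
+extern char *__progname;
+
+static void
+usage(void)
+{
+	fprintf(stderr, "usage: %s [options]\n",
+	    __progname);
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ssh/ldap.conf).\n");
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
+	fprintf(stderr, "  -w          Warn on unknown commands int the config file.\n");
+	exit(1);
+}
+
+/*
+ * Main program for the ssh pka ldap agent.
+ */
+
+int
+main(int ac, char **av)
+{
+	int opt;
+	FILE *outfile = NULL;
+
+	__progname = ssh_get_progname(av[0]);
+
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
+
+	/*
+	 * Initialize option structure to indicate that no values have been
+	 * set.
+	 */
+	initialize_options();
+
+	/* Parse command-line arguments. */
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
+		switch (opt) {
+		case 'd':
+			config_debug = 1;
+			break;
+
+		case 'e':
+			config_exclusive_config_file = 1;
+			config_warning_config_file = 1;
+			break;
+
+		case 'f':
+			config_file_name = optarg;
+			break;
+
+		case 's':
+			config_single_user = optarg;
+			outfile = fdopen (dup (fileno (stdout)), "w");
+			break;
+
+		case 'v':
+			config_debug = 1;
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
+			    config_verbose++;
+			break;
+
+		case 'w':
+			config_warning_config_file = 1;
+			break;
+
+		case '?':
+		default:
+			usage();
+			break;
+		}
+	}
+
+	/* Initialize loging */
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
+
+	if (ac != optind)
+	    fatal ("illegal extra parameter %s", av[1]);
+
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
+	if (config_debug == 0)
+	    sanitise_stdfd();
+
+	/* Read config file */
+	read_config_file(config_file_name);
+	fill_default_options();
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
+		debug3 ("=== Configuration ===");
+		dump_config();
+		debug3 ("=== *** ===");
+	}
+
+	ldap_checkconfig();
+	ldap_do_connect();
+
+	if (config_single_user) {
+		process_user (config_single_user, outfile);
+	} else {
+		fatal ("Not yet implemented");
+/* TODO
+ * open unix socket a run the loop on it
+ */
+	}
+
+	ldap_do_close();
+	return 0;
+}
+
+/* Ugly hack */
+void   *buffer_get_string(Buffer *b, u_int *l) {}
+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
+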
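Review bot: The extra-argument diagnostic in main() names the wrong operand: `fatal ("illegal extra parameter %s", av[1]);` prints av[1] although the unconsumed argument sits at av[optind], so an invocation such as `-f file extra` reports `-f`; it should read `fatal("illegal extra parameter %s", av[optind]);`. In the `-s` case the result of `fdopen(dup(fileno(stdout)), "w")` is never checked and a repeated `-s` leaks the earlier stream, so process_user can be handed a NULL outfile. The two "Ugly hack" stubs at the end are undefined behaviour if anything linked from libssh ever calls them (`buffer_get_string` is declared to return `void *` but has no return statement); a body of `fatal("%s: not supported in ssh-ldap-helper", __func__);` would make that path fail loudly instead of silently. usage() also carries two typos in user-visible text (`demonize`, `int the`).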
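--- a/openssh-5.5p1/ldap-helper.h
+++ b/openssh-5.5p1/ldap-helper.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAP_HELPER_H
+#define LDAP_HELPER_H
+
+extern int config_exclusive_config_file;
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */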
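--- a/openssh-5.5p1/ldapincludes.h
+++ b/openssh-5.5p1/ldapincludes.h
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPINCLUDES_H
+#define LDAPINCLUDES_H
+
+#include "includes.h"
+
+#ifdef HAVE_LBER_H
+#include <lber.h>
+#endif
+#ifdef HAVE_LDAP_H
+#include <ldap.h>
+#endif
+#ifdef HAVE_LDAP_SSL_H
+#include <ldap_ssl.h>
+#endif
+
+#endif /* LDAPINCLUDES_H */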
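--- a/openssh-5.5p1/ldapmisc.c
+++ b/openssh-5.5p1/ldapmisc.c
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
+#include "ldapmisc.h"
+
+#ifndef HAVE_LDAP_GET_LDERRNO
+int
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
+{
+#ifdef HAVE_LDAP_GET_OPTION
+	int rc;
+#endif
+	int lderrno;
+
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
+	    return rc;
+#else
+	lderrno = ld->ld_errno;
+#endif
+
+	if (s != NULL) {
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
+		    return rc;
+#else
+		*s = ld->ld_error;
+#endif
+	}
+
+	if (m != NULL) {
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
+		    return rc;
+#else
+		*m = ld->ld_matched;
+#endif
+	}
+
+	return lderrno;
+}
+#endif
+
+#ifndef HAVE_LDAP_SET_LDERRNO
+int
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
+{
+#ifdef HAVE_LDAP_SET_OPTION
+	int rc;
+#endif
+
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
+	    return rc;
+#else
+	ld->ld_errno = lderrno;
+#endif
+
+	if (s != NULL) {
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
+		    return rc;
+#else
+		ld->ld_error = s;
+#endif
+	}
+
+	if (m != NULL) {
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
+		    return rc;
+#else
+		ld->ld_matched = m;
+#endif
+	}
+
+	return LDAP_SUCCESS;
+}
+#endif
+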
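Review bot: In ldap_get_lderrno the early `return rc;` taken when ldap_get_option fails is indistinguishable to the caller from a successful lookup whose stored error number happens to equal rc, since both travel through the same int; either document the overload with a comment such as `/* NB: on ldap_get_option failure the option call's own status is returned in place of the stored lderrno */` or report the failure out of band. The fallback branches of ldap_set_lderrno, `ld->ld_error = s;` and `ld->ld_matched = m;`, store `const char *` parameters into what are presumably non-const members, silently dropping the qualifier and handing the library a buffer it may later modify or free; the same `#else` branches in both functions also rely on `struct ldap` not being opaque, which modern libldap no longer guarantees, so a comment stating the assumption would help the next maintainer. The `int rc;` declarations are guarded by HAVE_LDAP_GET_OPTION / HAVE_LDAP_SET_OPTION alone while every use also requires the matching LDAP_OPT_* macro, which yields an unused-variable warning when only the first is defined.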
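--- a/openssh-5.5p1/ldapmisc.h
+++ b/openssh-5.5p1/ldapmisc.h
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef LDAPMISC_H
+#define LDAPMISC_H
+
+#include "ldapincludes.h"
+
+int ldap_get_lderrno (LDAP *, char **, char **);
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
+
+#endif /* LDAPMISC_H */
+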
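--- a/openssh-5.5p1/lpk-user-example.txt
+++ b/openssh-5.5p1/lpk-user-example.txt
@@ -0,0 +1,117 @@
+
+Post to ML -> User Made Quick Install Doc.
+Contribution from John Lane <john@lane.uk.net>
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+OpenSSH LDAP keystore Patch
+===========================
+
+NOTE: these notes are a transcript of a specific installation
+      they work for me, your specifics may be different!
+      from John Lane March 17th 2005         john@lane.uk.net
+
+This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
+from their LDAP record as an alternative to ~/.ssh/authorized_keys.
+
+(Assuming here that necessary build stuff is in $BUILD)
+
+cd $BUILD/openssh-4.0p1
+patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
+mkdir -p /var/empty &&
+./configure --prefix=/usr --sysconfdir=/etc/ssh \
+    --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
+    --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
+Now do.
+make &&
+make install
+
+Add the following config to /etc/ssh/ssh_config
+UseLPK yes
+LpkServers ldap://myhost.mydomain.com
+LpkUserDN  ou=People,dc=mydomain,dc=com
+
+We need to tell sshd about the SSL keys during boot, as root's
+environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
+Change the startup code from this:
+                echo "Starting SSH Server..."
+                loadproc /usr/sbin/sshd
+                ;;
+to this:
+                echo "Starting SSH Server..."
+                LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
+                ;;
+
+Re-start the sshd daemon:
+/etc/rc.d/init.d/sshd restart
+
+Install the additional LDAP schema
+cp $BUILD/openssh-lpk-0.2.schema  /etc/openldap/schema/openssh.schema
+
+Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
+Add the following to the end of the existing block of schema includes
+include         /etc/openldap/schema/openssh.schema
+
+Re-start the LDAP server:
+/etc/rc.d/init.d/slapd restart
+
+To add one or more public keys to a user, eg "testuser" :
+ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
+"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
+
+append the following to this /tmp/testuser file
+objectclass: ldapPublicKey
+sshPublicKey: ssh-rsa
+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
+qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
+7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
+
+Then do a modify:
+ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
+/tmp/testuser -Z
+Enter LDAP Password:
+modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
+And check the modify is ok:
+ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
+"uid=testuser,ou=People,dc=mydomain,dc=com"
+Enter LDAP Password:
+# extended LDIF
+#
+# LDAPv3
+# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
+# filter: (objectclass=*)
+# requesting: ALL
+#
+
+# testuser, People, mydomain.com
+dn: uid=testuser,ou=People,dc=mydomain,dc=com
+uid: testuser
+cn: testuser
+objectClass: account
+objectClass: posixAccount
+objectClass: top
+objectClass: shadowAccount
+objectClass: ldapPublicKey
+shadowLastChange: 12757
+shadowMax: 99999
+shadowWarning: 7
+loginShell: /bin/bash
+uidNumber: 9999
+gidNumber: 501
+homeDirectory: /home/testuser
+userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
+sshPublicKey: ssh-rsa
+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
+8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
+
+# search result
+search: 3
+result: 0 Success
+
+# numResponses: 2
+# numEntries: 1
+
+Now start a ssh session to user "testuser" from usual ssh client (e.g.
+puTTY). Login should succeed.
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++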
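--- a/openssh-5.5p1/Makefile.in
+++ b/openssh-5.5p1/Makefile.in
@@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
 RAND_HELPER=$(libexecdir)/ssh-rand-helper
 PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -61,8 +62,9 @@ EXEEXT=@EXEEXT@
 
 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
 
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
@@ -93,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
 	audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o
 
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
 MANTYPE		= @MANTYPE@
 
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -162,6 +164,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 
@@ -266,6 +271,9 @@ install-files:
 	fi
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
+	fi
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
@@ -285,6 +293,10 @@ install-files:
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
+		$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
+	fi
 	-rm -f $(DESTDIR)$(bindir)/slogin
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
@@ -321,6 +333,13 @@ install-sysconf:
 	else \
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
 	fi
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+		if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
+			$(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
+		else \
+			echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
+		fi ; \
+	fi
 
 host-key: ssh-keygen$(EXEEXT)
 	@if [ -z "$(DESTDIR)" ] ; then \
@@ -384,6 +403,7 @@ uninstall:
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 
 tests interop-tests:	$(TARGETS)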
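Review bot: The new ssh-ldap-helper link rule differs from its neighbours in two ways that look unintended: it links `-lfipscheck` unconditionally, which breaks the build wherever that library is absent, and it drops the trailing `-lssh` that the ssh-pkcs11-helper and ssh-keyscan rules use to resolve libssh/libopenbsd-compat cross references; `$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)` would match them, with the FIPS library supplied through $(LIBS) by configure where it exists. ssh-ldap-helper$(EXEEXT) is also appended to TARGETS unconditionally, so a plain `make` now needs the LDAP headers and libraries even when INSTALL_SSH_LDAP_HELPER is empty and the helper is never installed; gating the target on that variable the same way the install rules are would keep non-LDAP builds working. The install line `$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER)` omits `$(EXEEXT)` on both operands unlike every surrounding install line, which will fail on platforms where EXEEXT is non-empty. The 0700 mode itself is appropriate for a helper that reads the bind credentials from ldap.conf, but that rationale deserves a one-line comment so it is not "fixed" to 0755 later.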
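--- a/openssh-5.5p1/openssh-lpk-openldap.schema
+++ b/openssh-5.5p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
+#                              useful with PKA-LDAP also
+#
+# Author: Eric AUGE <eau@phear.org>
+# 
+# Based on the proposal of : Mark Ruijter
+#
+
+
+# octetString SYNTAX
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
+	DESC 'MANDATORY: OpenSSH Public key' 
+	EQUALITY octetStringMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+# printableString SYNTAX yes|no
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
+	MUST ( sshPublicKey $ uid ) 
+	)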
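--- a/openssh-5.5p1/openssh-lpk-sun.schema
+++ b/openssh-5.5p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
+#                              useful with PKA-LDAP also
+#
+# Author: Eric AUGE <eau@phear.org>
+# 
+# Schema for Sun Directory Server.
+# Based on the original schema, modified by Stefan Fischer.
+#
+
+dn: cn=schema
+
+# octetString SYNTAX
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
+	DESC 'MANDATORY: OpenSSH Public key' 
+	EQUALITY octetStringMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+# printableString SYNTAX yes|no
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
+	MUST ( sshPublicKey $ uid ) 
+	)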
(-)openssh-5.5p1/README.lpk.pka (+274 lines)
Line 0 Link Here
1
OpenSSH LDAP PUBLIC KEY PATCH 
2
Copyright (c) 2003 Eric AUGE (eau@phear.org)
3
All rights reserved.
4
5
Rewriten by Jan F. Chadima (jchadima@redhat.com)
6
Copyright (c) 2010 Red Hat, Inc.
7
The new PKA-LDAP patch is rewritten from the scratch.
8
LDAP schema and part of the documentation is based on original
9
LPK project (http://code.google.com/p/openssh-lpk),
10
copyright (c) 2003 Eric AUGE
11
The new openssh configuration is different from the original LPK one.
12
13
Redistribution and use in source and binary forms, with or without
14
modification, are permitted provided that the following conditions
15
are met:
16
1. Redistributions of source code must retain the above copyright
17
   notice, this list of conditions and the following disclaimer.
18
2. Redistributions in binary form must reproduce the above copyright
19
   notice, this list of conditions and the following disclaimer in the
20
   documentation and/or other materials provided with the distribution.
21
3. The name of the author may not be used to endorse or promote products
22
   derived from this software without specific prior written permission.
23
24
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
25
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
26
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
27
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
28
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
29
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
30
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
31
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
32
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
33
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34
35
purposes of this patch:
36
37
This patch would help to have authentication centralization policy
38
using ssh public key authentication.
39
This patch could be an alternative to other "secure" authentication system
40
working in a similar way (Kerberos, SecurID, etc...), except the fact 
41
that it's based on OpenSSH and its public key abilities.
42
43
>> FYI: <<
44
'uid': means unix accounts existing on the current server
45
'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf.
46
47
example schema:
48
49
50
                                  server1 (uid: eau,rival,toto) (ServerGroup: unix)
51
                ___________      /
52
               /           \ --- - server3 (uid: eau, titi) (ServerGroup: unix)
53
              | LDAP Server |    \
54
	      | eau  ,rival |     server2 (uid: rival, eau) (ServerGroup: unix)
55
	      | titi ,toto  |
56
	      | userx,....  |         server5 (uid: eau)  (ServerGroup: mail)
57
               \___________/ \       /
58
	                       ----- - server4 (uid: eau, rival)  (no group configured)
59
			             \
60
				        etc...
61
62
- WHAT WE NEED :
63
64
  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
65
  * patched sshd (with this patch ;)
66
  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
67
        User entry:
68
	- attached to the 'ldapPublicKey' objectclass
69
	- attached to the 'posixAccount' objectclass
70
	- with a filled 'sshPublicKey' attribute 
71
	Example:
72
		dn: uid=eau,ou=users,dc=cuckoos,dc=net
73
		objectclass: top
74
		objectclass: person
75
		objectclass: organizationalPerson
76
		objectclass: posixAccount
77
		objectclass: ldapPublicKey
78
		description: Eric AUGE Account
79
		userPassword: blah
80
		cn: Eric AUGE
81
		sn: Eric AUGE
82
		uid: eau
83
		uidNumber: 1034
84
		gidNumber: 1
85
		homeDirectory: /export/home/eau
86
		sshPublicKey: ssh-dss AAAAB3...
87
		sshPublicKey: ssh-dss AAAAM5...
88
89
	Group entry:
90
	- attached to the 'posixGroup' objectclass
91
	- with a 'cn' groupname attribute
92
	- with multiple 'memberUid' attributes filled with usernames allowed in this group
93
	Example:
94
		# few members
95
		dn: cn=unix,ou=groups,dc=cuckoos,dc=net
96
		objectclass: top
97
		objectclass: posixGroup
98
		description: Unix based servers group
99
		cn: unix
100
		gidNumber: 1002
101
		memberUid: eau
102
		memberUid: user1
103
		memberUid: user2
104
105
106
- HOW IT WORKS :
107
108
  * without patch
109
  If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
110
  and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
111
112
  * with the patch
113
  If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
114
  It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
115
  (usually in $HOME/.ssh/authorized_keys)
116
117
  2 tokens are added to sshd_config :
118
  # here is the new patched ldap related tokens
119
  PubkeyAgent /usr/libexec/openssh/ssh-ldap-helper -s %u
120
  PubkeyAgentRunAs nobody
121
122
  The LDAP configuratin is read from common /etc/ldap.conf configuration file.
123
There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched.
124
125
- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
126
127
  * my way (there is plenty :)
128
  - create ldif file (i.e. users.ldif)
129
  - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
130
  - my way in 4 steps :
131
  Example:
132
133
  # you add this to the user entry in the LDIF file :
134
  [...]
135
  objectclass: posixAccount
136
  objectclass: ldapPublicKey
137
  [...]
138
  sshPubliKey: ssh-dss AAAABDh12DDUR2...
139
  [...]
140
141
  # insert your entry and you're done :)
142
  ldapadd -D balblabla -w bleh < file.ldif 
143
  
144
  all standard options can be present in the 'sshPublicKey' attribute.
145
146
- WHY :
147
148
  Simply because, i was looking for a way to centralize all sysadmins authentication, easily,  without completely using LDAP 
149
  as authentication method (like pam_ldap etc..).  
150
  
151
  After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get 
152
  public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
153
  objectclass within LDAP and part of the group the SSH server is in). 
154
155
  Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase 
156
  so each user can change it as much as he wants). 
157
158
  Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
159
160
- RULES :  
161
  Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. 
162
  and the additionnal lpk.schema.
163
164
  This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication 
165
  (pamldap, nss_ldap, etc..).
166
167
  This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
168
  
169
  Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
170
  'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
171
  If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
172
  to log in 'server5' (i hope you got the idea, my english is bad :).
173
174
  Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
175
  server.
176
  When you want to allow a new user to have access to the server parc, you just add him an account on 
177
  your servers, you add his public key into his entry on the LDAP server, it's done. 
178
179
  Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
180
181
  When the user needs to change his passphrase he can do it directly from his workstation by changing 
182
  his own key set lock passphrase, and all servers are automatically aware.
183
 
184
  With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
185
  so he can add/modify/delete himself his public key when needed.
186
187
­ FLAWS :
188
  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
189
  allow write to users dn, somebody could replace someuser's public key by its own and impersonate some 
190
  of your users in all your server farm be VERY CAREFUL.
191
  
192
  MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
193
  as the impersonnated user.
194
195
  If LDAP server is down then, no fallback on passwd auth.
196
  
197
  the ldap code part has not been well audited yet.
198
199
- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
200
    --- CUT HERE ---
201
    dn: uid=jdoe,ou=users,dc=foobar,dc=net
202
    objectclass: top
203
    objectclass: person
204
    objectclass: organizationalPerson
205
    objectclass: posixAccount
206
    objectclass: ldapPublicKey
207
    description: My account
208
    cn: John Doe
209
    sn: John Doe
210
    uid: jdoe
211
    uidNumber: 100
212
    gidNumber: 100
213
    homeDirectory: /home/jdoe
214
    sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
215
    [...]
216
    --- CUT HERE ---
217
218
- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
219
    --- CUT HERE ---
220
    dn: cn=unix,ou=groups,dc=cuckoos,dc=net
221
    objectclass: top
222
    objectclass: posixGroup
223
    description: Unix based servers group
224
    cn: unix
225
    gidNumber: 1002
226
    memberUid: jdoe
227
    memberUid: user1
228
    memberUid: user2
229
    [...]
230
    --- CUT HERE ---
231
232
>> FYI: << 
233
Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
234
235
- COMPILING:
236
  1. Apply the patch
237
  2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
238
  3. make
239
  4. it's done.
240
241
- BLA :
242
  I hope this could help, and i hope to be clear enough,, or give ideas.  questions/comments/improvements are welcome.
243
  
244
- TODO :
245
  Possibility to reuse the ssh-ldap-helper.
246
  Tune the LDAP part to all possible LDAP configurations.
247
248
- DIFFERENCES FROM ORIGINAL lpk
249
  No LDAP code in sshd.
250
  Support for various LDAP platforms and configurations.
251
  LDAP is configured in separate ldap.conf file.
252
253
- DOCS/LINK :
254
  http://pacsec.jp/core05/psj05-barisani-en.pdf
255
  http://fritz.potsdam.edu/projects/openssh-lpk/
256
  http://fritz.potsdam.edu/projects/sshgate/
257
  http://dev.inversepath.com/trac/openssh-lpk
258
  http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
259
260
- CONTRIBUTORS/IDEAS/GREETS :
261
  - Eric AUGE <eau@phear.org>
262
  - Andrea Barisani <andrea@inversepath.com>
263
  - Falk Siemonsmeier.
264
  - Jacob Rief.
265
  - Michael Durchgraf.
266
  - frederic peters.
267
  - Finlay dobbie.
268
  - Stefan Fisher.
269
  - Robin H. Johnson.
270
  - Adrian Bridgett.
271
272
- CONTACT :
273
    Jan F. Chadima <jchadima@redhat.com>
274
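--- a/openssh-5.5p1/servconf.c.pka
+++ b/openssh-5.5p1/servconf.c
@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
+	options->pubkey_agent = NULL;
+	options->pubkey_agent_runas = NULL;
 	options->zero_knowledge_password_authentication = -1;
 	options->revoked_keys_file = NULL;
 	options->trusted_user_ca_keys = NULL;
@@ -315,6 +317,7 @@ typedef enum {
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys,
+	sPubkeyAgent, sPubkeyAgentRunAs,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -437,6 +440,13 @@ static struct {
 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
+#ifdef WITH_PUBKEY_AGENT
+	{ "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
+	{ "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
+#else
+	{ "pubkeyagent", sUnsupported, SSHCFG_ALL },
+	{ "pubkeyagentrunas", sUnsupported, SSHCFG_ALL },
+#endif
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1354,6 +1364,20 @@ process_server_config_line(ServerOptions
 		charptr = &options->revoked_keys_file;
 		goto parse_filename;
 
+	case sPubkeyAgent:
+		len = strspn(cp, WHITESPACE);
+		if (*activep && options->pubkey_agent == NULL)
+			options->pubkey_agent = xstrdup(cp + len);
+		return 0;
+
+	case sPubkeyAgentRunAs:
+		charptr = &options->pubkey_agent_runas;
+
+		arg = strdelim(&cp);
+		if (*activep && *charptr == NULL)
+			*charptr = xstrdup(arg);
+		break;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
@@ -1447,6 +1471,8 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(gss_authentication);
 	M_CP_INTOPT(rsa_authentication);
 	M_CP_INTOPT(pubkey_authentication);
+	M_CP_STROPT(pubkey_agent);
+	M_CP_STROPT(pubkey_agent_runas);
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
 	M_CP_INTOPT(kbd_interactive_authentication);
@@ -1692,6 +1718,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
+	dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
+	dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
 
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));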
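Review bot: The `sPubkeyAgentRunAs` case in process_server_config_line stores `arg` without validating it, so a `PubkeyAgentRunAs` line with no value hands strdelim's NULL (or an empty string) straight to xstrdup, which would presumably fail at config-parse time rather than producing a clear error; the filename options just above it reach `parse_filename`, which outside this hunk rejects a missing argument, so add `if (!arg || *arg == '\0') fatal("%s line %d: missing user name.", filename, linenum);` before the `*charptr == NULL` test. The `sPubkeyAgent` case copies the rest of the line verbatim and recognises no `none` keyword, yet this patch's sample sshd_config shows `#PubkeyAgent none` while the manual page says the empty string selects authorized_keys; unless the consumer in auth2-pubkey.c (not in this section) special-cases it, `none` would be executed as the agent command, so either handle it here (`if (strcasecmp(cp + len, "none") == 0) ...`) or change the sample. Both options are SSHCFG_ALL and therefore settable from Match blocks, and together they name a command sshd executes and the account it runs under, which makes a parse-time sanity check cheap insurance. The switch this hunk sits in starts and ends outside the hunk.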
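--- a/openssh-5.5p1/servconf.h.pka
+++ b/openssh-5.5p1/servconf.h
@@ -157,6 +157,8 @@ typedef struct {
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
+	char   *pubkey_agent;
+	char   *pubkey_agent_runas;
 }       ServerOptions;
 
 void	 initialize_server_options(ServerOptions *);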
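--- a/openssh-5.5p1/sshd_config.0.pka
+++ b/openssh-5.5p1/sshd_config.0
@@ -352,7 +352,8 @@ DESCRIPTION
              KbdInteractiveAuthentication, KerberosAuthentication,
              MaxAuthTries, MaxSessions, PasswordAuthentication,
              PermitEmptyPasswords, PermitOpen, PermitRootLogin,
-             PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
+             PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs,
+             RhostsRSAAuthentication, RSAAuthentication,
              X11DisplayOffset, X11Forwarding and X11UseLocalHost.
 
      MaxAuthTries
@@ -467,6 +468,17 @@ DESCRIPTION
              this file is not readable, then public key authentication will be
              refused for all users.
 
+     PubkeyAgent
+             Specifies which agent is used for lookup of the user's public
+             keys. Empty string means to use the authorized_keys file.  By
+             default there is no PubkeyAgent set.  Note that this option has
+             an effect only with PubkeyAuthentication switched on.
+
+     PubkeyAgentRunAs
+             Specifies the user under whose account the PubkeyAgent is run.
+             Empty string (the default value) means the user being authorized
+             is used.
+
      RhostsRSAAuthentication
              Specifies whether rhosts or /etc/hosts.equiv authentication to-
              gether with successful RSA host authentication is allowed.  The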
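--- a/openssh-5.5p1/sshd_config.5.pka
+++ b/openssh-5.5p1/sshd_config.5
@@ -623,6 +623,8 @@ Available keywords are
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
 .Cm PubkeyAuthentication ,
+.Cm PubkeyAgent ,
+.Cm PubkeyAgentRunAs ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
@@ -819,6 +821,16 @@ Specifies a list of revoked public keys.
 Keys listed in this file will be refused for public key authentication.
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
+.It Cm PubkeyAgent
+Specifies which agent is used for lookup of the user's public
+keys. Empty string means to use the authorized_keys file.
+By default there is no PubkeyAgent set.
+Note that this option has an effect only with PubkeyAuthentication
+switched on.
+.It Cm PubkeyAgentRunAs
+Specifies the user under whose account the PubkeyAgent is run. Empty
+string (the default value) means the user being authorized is used.
+.Dq 
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.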
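--- a/openssh-5.5p1/sshd_config.pka
+++ b/openssh-5.5p1/sshd_config
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
+#PubkeyAgent none
+#PubkeyAgentRunAs nobody
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no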
(-)openssh-5.5p1/ssh-ldap.conf.5.pka (+373 lines)
Line 0 Link Here
1
.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
2
.\"
3
.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
4
.\"
5
.\" Permission to use, copy, modify, and distribute this software for any
6
.\" purpose with or without fee is hereby granted, provided that the above
7
.\" copyright notice and this permission notice appear in all copies.
8
.\"
9
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16
.\"
17
.Dd $Mdocdate: may 12 2010 $
18
.Dt SSH-LDAP.CONF 5
19
.Os
20
.Sh NAME
21
.Nm ssh-ldap.conf
22
.Nd configuration file for ssh-ldap-helper
23
.Sh SYNOPSIS
24
.Nm /etc/ssh/ldap.conf
25
.Sh DESCRIPTION
26
.Xr ssh-ldap-helper 8
27
reads configuration data from
28
.Pa /etc/ssh/ldap.conf
29
(or the file specified with
30
.Fl f
31
on the command line).
32
The file contains keyword-argument pairs, one per line.
33
Lines starting with
34
.Ql #
35
and empty lines are interpreted as comments.
36
.Pp
37
The value starts with the first non-blank character after 
38
the keyword's name, and terminates at the end of the line, 
39
or at the last sequence of blanks before the end of the line.
40
Quoting values that contain blanks 
41
may be incorrect, as the quotes would become part of the value.
42
The possible keywords and their meanings are as follows (note that
43
keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
44
.It Cm URI
45
The argument(s) are in the form
46
.Pa ldap[si]://[name[:port]]
47
and specify the URI(s) of an LDAP server(s) to which the
48
.Xr ssh-ldap-helper 8 
49
should connect. The URI scheme may be any of
50
.Dq ldap ,
51
.Dq ldaps 
52
or
53
.Dq ldapi ,
54
which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
55
over IPC (UNIX domain sockets), respectively.
56
Each server's name can be specified as a
57
domain-style name or an IP address literal.  Optionally, the
58
server's name can followed by a ':' and the port number the LDAP
59
server is listening on.  If no port number is provided, the default
60
port for the scheme is used (389 for ldap://, 636 for ldaps://).
61
For LDAP over IPC, name is the name of the socket, and no port
62
is required, nor allowed; note that directory separators must be 
63
URL-encoded, like any other characters that are special to URLs; 
64
A space separated list of URIs may be provided.
65
There is no default.
66
.It Cm Base
67
Specifies the default base Distinguished Name (DN) to use when performing ldap operations.
68
The base must be specified as a DN in LDAP format.
69
There is no default.
70
.It Cm BindDN
71
Specifies the default BIND DN to use when connecting to the ldap server.
72
The bind DN must be specified as a Distinguished Name in LDAP format.
73
There is no default.
74
.It Cm BindPW
75
Specifies the default password to use when connecting to the ldap server via
76
.Cm BindDN .
77
There is no default.
78
.It Cm RootBindDN
79
Intentionaly does nothing. Recognized for compatibility reasons.
80
.It Cm Host
81
The argument(s) specifies the name(s) of an LDAP server(s) to which the
82
.Xr ssh-ldap-helper 8
83
should connect.  Each server's name can be specified as a
84
domain-style name or an IP address and optionally followed by a ':' and
85
the port number the ldap server is listening on.  A space-separated
86
list of hosts may be provided.
87
There is no default.
88
.Cm Host
89
is deprecated in favor of
90
.Cm URI .
91
.It Cm Port
92
Specifies the default port used when connecting to LDAP servers(s).
93
The port may be specified as a number.
94
The default port is 389 for ldap:// or 636 for ldaps:// respectively.
95
.Cm Port
96
is deprecated in favor of
97
.Cm URI .
98
.It Cm Scope
99
Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend.
100
There are three options (values) that can be assigned to the
101
.Cm Scope parameter:
102
.Dq base ,
103
.Dq one
104
and
105
.Dq subtree .
106
Alias for the subtree is
107
.Dq sub .
108
The value
109
.Dq base
110
is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
111
The value
112
.Dq one
113
is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN.
114
The value
115
.Dq subtree
116
is used to indicate searching of all entries at all levels under and including the specified base DN.
117
The default is
118
.Dq subtree .
119
.It Cm Deref
120
Specifies how alias dereferencing is done when performing a search. There are four
121
possible values that can be assigned to the
122
.Cm Deref
123
parameter:
124
.Dq never ,
125
.Dq searching ,
126
.Dq finding ,
127
and
128
.Dq always .
129
The value
130
.Dq never
131
means that the aliases are never dereferenced.
132
The value
133
.Dq searching
134
means that the aliases are dereferenced in subordinates of the base object, but
135
not in locating the base object of the search.
136
The value
137
.Dq finding
138
means that the aliases are only dereferenced when locating the base object of the search.
139
The value
140
.Dq always
141
means that the aliases are dereferenced both in searching and in locating the base object
142
of the search.
143
The default is
144
.Dq never .
145
.It Cm TimeLimit
146
Specifies a time limit (in seconds) to use when performing searches.
147
The number should be a non-negative integer. A
148
.Cm TimeLimit
149
of zero (0) specifies that the search time is unlimited. Please note that the server
150
may still apply any server-side limit on the duration of a search operation.
151
The default value is 10.
152
.It Cm TimeOut
153
Is an aliast to
154
.Cm TimeLimit .
155
.It Cm Bind_TimeLimit
156
Specifies the timeout (in seconds) after which the poll(2)/select(2)
157
following a connect(2) returns in case of no activity.
158
The default value is 10.
159
.It Cm Network_TimeOut
160
Is an alias to
161
.Cm Bind_TimeLimit .
162
.It Cm Ldap_Version
163
Specifies what version of the LDAP protocol should be used.
164
The allowed values are 2 or 3. The default is 3.
165
.It Cm Version
166
Is an alias to
167
.Cm Ldap_Version .
168
.It Cm Bind_Policy
169
Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values:
170
.Dq hard
171
and
172
.Dq soft.
173
.Dq hard has 2 aliases
174
.Dq hard_open
175
and
176
.Dq hard_init .
177
The value
178
.Dq hard
179
means that reconects that the
180
.Xr ssh-ldap-helper 8
181
tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying.
182
The value
183
.Dq soft
184
means that
185
.Xr ssh-ldap-helper 8
186
fails immediately when it cannot connect to the LDAP seerver.
187
The deault is
188
.Dq hard .
189
.It Cm SSLPath
190
Specifies the path to the X.509 certificate database.
191
There is no default.
192
.It Cm SSL
193
Specifies whether to use SSL/TLS or not.
194
There are three allowed values:
195
.Dq yes ,
196
.Dq no
197
and
198
.Dq start_tls
199
Both
200
.Dq true
201
and
202
.Dq on
203
are the aliases for
204
.Dq yes .
205
.Dq false
206
and
207
.Dq off
208
are the aliases for
209
.Dq no .
210
If
211
.Dqstart_tls
212
is specified then StartTLS is used rather than raw LDAP over SSL.
213
The default for ldap:// is
214
.Dq start_tls ,
215
for ldaps://
216
.Dq yes
217
and
218
.Dq no
219
for the ldapi:// .
220
In case of host based configuration the default is
221
.Dq start_tls .
222
.It Cm Referrals
223
Specifies if the client should automatically follow referrals returned
224
by LDAP servers.
225
The value can be or
226
.Dq yes
227
or
228
.Dq no .
229
.Dq true
230
and
231
.Dq on
232
are the aliases for
233
.Dq yes .
234
.Dq false
235
and
236
.Dq off
237
are the aliases for
238
.Dq no .
239
The default is yes.
240
.It Cm Restart
241
Specifies whether the LDAP client library should restart the select(2) system call when interrupted.
242
The value can be or
243
.Dq yes
244
or
245
.Dq no .
246
.Dq true
247
and
248
.Dq on
249
are the aliases for
250
.Dq yes .
251
.Dq false
252
and
253
.Dq off
254
are the aliases for
255
.Dq no .
256
The default is yes.
257
.It Cm TLS_CheckPeer
258
Specifies what checks to perform on server certificates in a TLS session,
259
if any. The value
260
can be specified as one of the following keywords:
261
.Dq never ,
262
.Dq hard ,
263
.Dq demand ,
264
.Dq allow
265
and
266
.Dq try .
267
.Dq true ,
268
.Dq on
269
and
270
.Dq yes
271
are aliases for
272
.Dq hard .
273
.Dq false ,
274
.Dq off
275
and
276
.Dq no
277
are the aliases for
278
.Dq never .
279
The value
280
.Dq never
281
means that the client will not request or check any server certificate.
282
The value
283
.Dq allow
284
means that the server certificate is requested. If no certificate is provided,
285
the session proceeds normally. If a bad certificate is provided, it will
286
be ignored and the session proceeds normally.
287
The value
288
.Dq try
289
means that the server certificate is requested. If no certificate is provided,
290
the session proceeds normally. If a bad certificate is provided,
291
the session is immediately terminated.
292
The value
293
.Dq demand
294
means that the server certificate is requested. If no
295
certificate is provided, or a bad certificate is provided, the session
296
is immediately terminated.
297
The value
298
.Dq hard
299
is the same as
300
.Dq demand .
301
It requires an SSL connection. In the case of the plain conection the
302
session is immediately terminated.
303
The default is
304
.Dq hard .
305
.It Cm TLS_ReqCert
306
Is an alias for 
307
.Cm TLS_CheckPeer .
308
.It Cm TLS_CACertFile
309
Specifies the file that contains certificates for all of the Certificate
310
Authorities the client will recognize.
311
There is no default.
312
.It Cm TLS_CACert
313
Is an alias for
314
.Cm TLS_CACertFile .
315
.It Cm TLS_CACertDIR
316
Specifies the path of a directory that contains Certificate Authority
317
certificates in separate individual files. The
318
.Cm TLS_CACert
319
is always used before
320
.Cm TLS_CACertDir .
321
The specified directory must be managed with the OpenSSL c_rehash utility.
322
There is no default.
323
.It Cm TLS_Ciphers
324
Specifies acceptable cipher suite and preference order.
325
The value should be a cipher specification for OpenSSL,
326
e.g.,
327
.Dq HIGH:MEDIUM:+SSLv2 .
328
The default is
329
.Dq ALL .
330
.It Cm TLS_Cipher_Suite
331
Is an alias for
332
.Cm TLS_Ciphers .
333
.It Cm TLS_Cert
334
Specifies the file that contains the client certificate.
335
There is no default.
336
.It Cm TLS_Certificate
337
Is an alias for
338
.Cm TLS_Cert .
339
.It Cm TLS_Key
340
Specifies the file that contains the private key that matches the certificate
341
stored in the
342
.Cm TLS_Cert
343
file. Currently, the private key must not be protected with a password, so
344
it is of critical importance that the key file is protected carefully.
345
There is no default.
346
.It Cm TLS_RandFile
347
Specifies the file to obtain random bits from when /dev/[u]random is
348
not available. Generally set to the name of the EGD/PRNGD socket.
349
The environment variable RANDFILE can also be used to specify the filename.
350
There is no default.
351
.It Cm LogDir
352
Specifies the directory used for logging by the LDAP client library.
353
There is no default.
354
.It Cm Debug
355
Specifies the debug level used for logging by the LDAP client library.
356
There is no default.
357
.It Cm SSH_Filter
358
Specifies the user filter applied on the LDAP serch.
359
The default is no filter.
360
.Sh FILES
361
.Bl -tag -width Ds
362
.It Pa  /etc/ssh/ldap.conf
363
Ldap configuration file for
364
.Xr ssh-ldap-helper 8 .
365
.Sh "SEE ALSO"
366
.Xr ldap.conf 5 ,
367
.Xr ssh-ldap-helper 8
368
.Sh HISTORY
369
.Nm
370
first appeared in
371
OpenSSH 5.5 + PKA-LDAP .
372
.Sh AUTHORS
373
.An Jan F. Chadima Aq jchadima@redhat.com
(-)openssh-5.5p1/ssh-ldap-helper.8.pka (+78 lines)
Line 0 Link Here
1
.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
2
.\"
3
.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
4
.\"
5
.\" Permission to use, copy, modify, and distribute this software for any
6
.\" purpose with or without fee is hereby granted, provided that the above
7
.\" copyright notice and this permission notice appear in all copies.
8
.\"
9
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16
.\"
17
.Dd $Mdocdate: April 29 2010 $
18
.Dt SSH-LDAP-HELPER 8
19
.Os
20
.Sh NAME
21
.Nm ssh-ldap-helper
22
.Nd sshd helper program for ldap support
23
.Sh SYNOPSIS
24
.Nm ssh-ldap-helper
25
.Op Fl devw
26
.Op Fl f Ar file
27
.Op Fl s Ar user
28
.Sh DESCRIPTION
29
.Nm
30
is used by
31
.Xr sshd 1
32
to access keys provided by an LDAP.
33
.Nm
34
is disabled by default and can only be enabled in the
35
sshd configuration file
36
.Pa /etc/ssh/sshd_config
37
by setting
38
.Cm PubkeyAgent
39
to
40
.Dq /usr/libexec/ssh-ldap-helper -s %u .
41
.Pp
42
.Nm
43
is not intended to be invoked by the user, but from
44
.Xr sshd 8 .
45
.Pp
46
The options are as follows:
47
.Bl -tag -width Ds
48
.It Fl d
49
Set the debug mode; 
50
.Nm
51
prints all logs to stderr instead of syslog.
52
.It Fl e
53
Implies \-w;
54
.Nm
55
halts if it encounters an unknown item in the ldap.conf file.
56
.It Fl f
57
.Nm
58
uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
59
.It Fl s
60
.Nm
61
prints out the user's keys to stdout and exits.
62
.It Fl v
63
Implies \-d;
64
increases verbosity.
65
.It Fl w
66
.Nm
67
writes warnings about unknown items in the ldap.conf configuration file.
68
69
.Sh SEE ALSO
70
.Xr sshd 8 ,
71
.Xr sshd_config 5 ,
72
.Xr ssh-ldap.conf 5 ,
73
.Sh HISTORY
74
.Nm
75
first appeared in
76
OpenSSH 5.5 + PKA-LDAP .
77
.Sh AUTHORS
78
.An Jan F. Chadima Aq jchadima@redhat.com
