Bug 212

Summary: Add netgroup support to ssh-keyscan
Product: Portable OpenSSH
Reporter: Mike Gerdts <Michael.Gerdts>
Component: Miscellaneous
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED WONTFIX    
Severity: normal    
Priority: P2    
Version: -current   
Hardware: All   
OS: Solaris   
Attachments (description, flags):
Add -n netgroup option to ssh-keyscan and man page - none
netgroups patch against cvs - none

Description Mike Gerdts 2002-04-11 00:30:33 AEST
I would find it very handy to be able to scan for keys based on netgroup.  As
such, this patch implements that feature.
Comment 1 Mike Gerdts 2002-04-11 00:33:07 AEST
This patch also changes the behavior of ssh-keyscan when a hostname does not
resolve.  I have changed the condition from fatal() to error() so that the scan
does not quit when it runs across a bad hostname.

Comment 2 Mike Gerdts 2002-04-11 00:37:40 AEST
Created attachment 69 [details]
Add -n netgroup option to ssh-keyscan and man page
Comment 3 Markus Friedl 2002-04-11 02:21:18 AEST
hm, why can't you use ypcat/etc to produce a list
and feed it to keyscan's stdin?

this would be more unix like.
Comment 4 James A. Morrison 2002-04-11 02:48:29 AEST
Created attachment 70 [details]
netgroups patch against cvs
Comment 5 James A. Morrison 2002-04-11 02:51:31 AEST
Why not add this feature to openssh? There is a system call on at least
Solaris, GNU/Linux, and GNU/Hurd for this purpose.
Comment 6 Mike Gerdts 2002-04-11 03:12:05 AEST
ypcat netgroup does not give the output in a nice format.  For example, suppose
I have netgroups like the following:

servers  servers_here servers_there

servers_here  (fred,,) (dino,,)
servers_there (barney,,) (bambam,,)

If I then do "ypmatch servers netgroup", I get back "servers_here
servers_there".  I then have to "ypmatch servers_here netgroup; ypmatch
servers_there netgroup", then parse the results "(fred,,) (dino,,) (barney,,)
(bambam,,)" to pull out the server names.  Yuck.

Also, netgroups may not actually exist in NIS.  The NIS LDAP schema (RFC 2037)
and name service switch modules in recent versions of Solaris support netgroups
in LDAP.

If there is resistance to this patch, then perhaps a separate (more unixish)
path to take would be a standalone netgroupcat(1).
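The parsing problem described in this comment, as an added example that is not the attached patch and not part of this bug report: a small script that reads netgroup(5)-format data (the same shape `ypcat netgroup` prints), recursively expands a named netgroup through nested group names, pulls the host field out of each (host,user,domain) triple, and writes one host per line so the result can be piped into `ssh-keyscan -f -`. The sample netgroup data is constructed from the groups quoted above, with one extra cyclic group added to show that a self-referencing netgroup does not make the expansion loop forever.

```python
"""Expand a netgroup into a host list suitable for ssh-keyscan's stdin.

Added example for this bug page; it is not the patch attached to the bug.
Input is netgroup(5) format: each line is a netgroup name followed by
members that are either other netgroup names or (host,user,domain) triples.
"""
import re
import sys

# Constructed sample, modelled on the netgroups quoted in comment 6,
# plus a cyclic group ("loopy") that is not in the original comment.
SAMPLE_NETGROUPS = """\
servers  servers_here servers_there
servers_here  (fred,,) (dino,,)
servers_there (barney,,) (bambam,,)
# a group that names itself indirectly, to show cycle handling
loopy  servers loopy
"""

# One (host,user,domain) triple; any field may be empty or '-'.
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroups(text):
    """Return {netgroup_name: [member_token, ...]}.

    '#' comments and blank lines are skipped; backslash-newline
    continuations are joined as netgroup(5) specifies.
    """
    groups = {}
    text = text.replace("\\\n", " ")
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, *members = line.split()
        groups.setdefault(name, []).extend(members)
    return groups


def expand_hosts(groups, name, _seen=None):
    """Recursively expand `name` to the set of hosts in its triples.

    A triple with an empty host field or the host '-' names no host and
    is dropped. Unknown group names and cycles are tolerated rather than
    fatal, so one bad entry does not abort the whole expansion.
    """
    if _seen is None:
        _seen = set()
    if name in _seen:          # already expanded (or a cycle): stop here
        return set()
    _seen.add(name)
    hosts = set()
    for member in groups.get(name, []):
        m = TRIPLE_RE.fullmatch(member)
        if m:
            host = m.group(1).strip()
            if host and host != "-":
                hosts.add(host)
        else:                  # not a triple, so treat it as a nested group
            hosts |= expand_hosts(groups, member, _seen)
    return hosts


def main(argv):
    # Usage: netgroup_hosts.py NETGROUP [FILE]   (FILE defaults to stdin)
    # Typical pipeline:  ypcat netgroup | netgroup_hosts.py servers | ssh-keyscan -f -
    if len(argv) < 2:
        sys.stderr.write("usage: %s NETGROUP [FILE]\n" % argv[0])
        return 2
    if len(argv) > 2:
        with open(argv[2]) as fh:
            text = fh.read()
    else:
        text = sys.stdin.read()
    for host in sorted(expand_hosts(parse_netgroups(text), argv[1])):
        print(host)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the expansion is done outside ssh-keyscan, an unresolvable host name only costs one failed lookup in the scan rather than terminating it, which is the same behaviour change comment 1 asks for, reached without patching ssh-keyscan.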
Comment 7 Damien Miller 2002-04-23 22:54:51 AEST
A standalone netgroupcat would be very useful for other things too - I recommend
that you choose this path.
Comment 8 Damien Miller 2003-01-07 17:55:26 AEDT
Fix would be a standalone program, if anyone could be bothered writing it.
Comment 9 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED