OpenSSH LDAP public key patch allows OpenSSH to fetch authorized
public keys for an account from an LDAP server.

This patch is a very useful and clever way to centralize public
key authentication information into an LDAP server, where password
authentication already is.

Moreover, the patch is now stable and well tested.

More information on OpenSSH LDAP public key patch can be found here:
http://www.opendarwin.org/projects/openssh-lpk/

Regards.

- --
David Ammouial
iD8DBQFC3oEkhBy3348EyI4RAvzrAKCq68uFpwTFDZmk2IpjfJYD5Hc7UACeKyXv
1ATR9nRIdaKSpNS6TjoSwBs=
=tWyZ
-----END PGP SIGNATURE-----

If so, it should be relatively easy for somebody who knows it well to
get it integrated by Portable OpenSSH upstream. This patch adds a lot of
server configuration options, and I do not want to integrate patches
like that in Debian. I've been bitten in the past by doing so and then
having upstream change the names of the configuration options on me,
which means that I'm stuck maintaining compatibility glue forever.

Cheers,

Hi Colin,

I think it would be worth revisiting this; the patchset is now
maintained by InversePath
(http://dev.inversepath.com/trac/openssh-lpk) and applies easily
against all current versions of OpenSSH.

While it is true that many configuration options are added, it's been
my experience that they haven't changed at all over the past
months/years; so you shouldn't end up maintaining (or sniffing!) too
much glue :-)

Best Regards,
Alex

Hi Colin,
Im member of a LUG and now we need these feature.
Perhaps we will can to path openssh, recompile it and package it, but
your advanced skill, deeply knowledge about openssh and it packaging
will do surely a better package with a harder security.
Please, reconsider to include the patch.

Thank you very much.

Hi Colin,

why don't you create a new package named openssh-server-ldap which could
be the openssh-server package whith inversepath openssh-lpk patch ?

Due to the inverspath delay tu make a new lpk patch when a new version
of openssh is released, the openssh-server-ldap relase could be based on
a previous openssh release during some weeks...

Thank you very much

Best regards

Because the potential for combinatorial explosion is obvious and I have
no interest in supporting all the complicated maintainer script
interactions that would result from having to support things like
openssh-server-ldap-hpn-opensc.

Cheers,

Hi,

I've been a great fan of the lpk-patch, too, at least until today:

The LPK-patch seems to be obsolete in the near future because a by far
more flexible, powerfull and even smaller patch has been discussed
upstream and already been published within upstream's bugzilla.

Related upstream discussion can be accessed here:
http://marc.info/?l=openssh-unix-dev&m=127617868901534&w=2

The patch against 5.8p2 is published here:
https://bugzilla.mindrot.org/show_bug.cgi?id=1663

And last but not least:
"This feature is included in last releases of Fedora and RHEL6
products." (stated here:
https://bugzilla.mindrot.org/show_bug.cgi?id=1663#c18)

In my opinion the chances seem to be quite good that this patch (or at
least its principle) will be integrated into upstream's release and
there is no need for lpk in the future any more.

Compared to lpk, the AuthorizedKeysCommand is not just limited to ldap
comunication but can also lookup public keys using sql for example...

As the latest fedora and rhel release do already ship with this small
patch applied, let me please suggest to add this upstream-patch to
openssh-server's "debian/rules/patches" directory, too.

Thank you very much in advance!

Cheers
Dora

This is great news, but I would rather wait for that to actually happen;
at a minimum, for it to be committed to OpenSSH proper.  As I said in
message #10 on this bug, I've had too many bad experiences with
integrating what looked like a perfectly reasonable patch into Debian
only to find that upstream changed its name when they committed it and
then I was stuck carrying a compatibility patch.

Once (or several times) bitten, twice shy.

Cheers,

AuthorizedKeysCommand patch has been accepted by upstream. Is there
any plan to apply to debian?

https://bugzilla.mindrot.org/show_bug.cgi?id=1663#c32

Hello,

just as information:

the alternative to openssh-lpk is the AuthorizedKeysCommand which is in
openssh since 2012.
As far as I can see the missing part is the helper program which is used
to ask OpenLDAP for the ssh keys.
http://blather.michaelwlucas.com/archives/1470 points to the redhat
helper which might help.
With the helper program this bug could IMHO be closed because everything
is there/in Debian to use openldap to store the ssh-keys central.

Regards

	Noel

tags 319244 + patch
thanks

Am Montag, den 25.08.2014, 01:29 +0200 schrieb Noël Köthe:

Which can be found here:

https://git.centos.org/blob/rpms!openssh.git/4eaffbf49ce743e7aa4421e4b3378a990512d0f2/SOURCES!openssh-6.3p1-ldap.patch

I thought this might be a tiny thing, but the current version is a
2672-line patch, which is really a bit much; having the 3000-odd-line
gssapi.patch is bad enough and I don't have the time to take on more
potential maintenance burden like that.  There's no indication of the
upstream inclusion status of this patch, and the spec file comments it
with "unwanted child :(", which is not encouraging!

It does not appear to me that this LDAP helper actually uses very much
of openssh's internal functions; it seems to just use some logging,
string manipulation, and memory management helpers, which would be very
easy to handle elsewhere.

My recommendation would be to package this helper separately, where
somebody who is more familiar with and invested in the LDAP integration
could maintain it directly rather than having to go through me, since
there doesn't seem much actual benefit in patching this into the openssh
packaging to offset the maintenance costs.

Thanks,