
Combine SSH Public-Key and LDAP on Ubuntu

The idea is that OpenSSH reads the authorized keys for public-key login not from ~/.ssh/authorized_keys, but directly from an attribute in LDAP.

The first implementation was the LPK patch: http://code.google.com/p/openssh-lpk. Unfortunately, that project is not actively maintained (as of 08/2012) and the OpenSSH maintainers refuse to introduce the patch upstream, even though it is the simplest and most straightforward solution.

The next try was to add a configuration option AuthorizedKeysCommand to sshd_config, which passes not a file but a helper command that returns the authorized keys. There is an OpenSSH ticket for it, but unfortunately here too the e-mail addresses are outdated, the OpenSSH maintainers are sleeping and nothing happens: https://bugzilla.mindrot.org/show_bug.cgi?id=1663. At least Red Hat has integrated the patch into Fedora, but Ubuntu refuses to do so: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/911747.

So I took the two patches, integrated them into the current openssh-server package and offer them for installation through my Ubuntu repository 1).

Install from Ubuntu Repository

Configure apt to use my repository:

wget -O- http://dev.marc.waeckerlin.org/repo/PublicKey | sudo apt-key add -
sudo apt-add-repository http://dev.marc.waeckerlin.org/repo
sudo apt-get update

You can then choose your preferred implementation:

sudo apt-get install openssh-lpk-server

or

sudo apt-get install openssh-akc-server

Configuration

You can manage the users and their keys with the LDAP Account Manager (LAM), which has been extended to support adding SSH keys.

On your LDAP host you must add a schema for the SSH keys.

Create file publickey.ldif:

dn: cn=openssh-lpk_openldap,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk_openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MAY ( sshPublicKey $
 uid ) )

Load the file publickey.ldif into LDAP (if you use the new cn=config configuration):

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f publickey.ldif

Then in LAM server profiles add module ldapPublicKey to user modules.

Check that everything is set up correctly. For this you can use the schema tests in LAM: Tools → Tests → Schema test should show the SSH key extension with no associated problem.

The AuthorizedKeysCommand (AKC) Patch

I downloaded the patch from https://bugzilla.mindrot.org/attachment.cgi?id=2083 and resolved the conflicts with other Ubuntu patches, so here is the patch that can be applied to the Ubuntu sources: openssh-5.9p1.ubuntu.akc.patch

You then need a suitable command to fetch the keys from the LDAP host.

I use the following configuration:

Changes in /etc/ssh/sshd_config

In file /etc/ssh/sshd_config, I change and add the following lines:

PermitRootLogin no
PasswordAuthentication no

AuthorizedKeysCommand /etc/ssh/ldap-keys.sh

The first two lines increase security, the last line enables the new feature.

New LDAP Authorization Script /etc/ssh/ldap-keys.sh

As the command to read the keys from LDAP, I use a new script /etc/ssh/ldap-keys.sh 2), which reads the definitions from /etc/ldap.conf 3) and uses the same settings:

#!/bin/bash
# Called by sshd through AuthorizedKeysCommand with the login name as $1;
# prints all sshPublicKey values of that user, one key per line.

# get configuration from /etc/ldap.conf: read it line by line so that values
# containing spaces (e.g. several URIs) are not split, and only pick up the
# keywords we need instead of eval'ing every line
while read -r key value; do
    case "$key" in
        uri|base|binddn|bindpw|ssl|tls_checkpeer) printf -v "$key" '%s' "$value";;
    esac
done < /etc/ldap.conf

OPTIONS=()
case "$ssl" in
    start_tls)
        case "$tls_checkpeer" in
            no) OPTIONS+=(-Z);;   # try STARTTLS, continue without it on failure
            *)  OPTIONS+=(-ZZ);;  # STARTTLS required
        esac;;
esac

# sshd hands over an existing account name, but escape the LDAP filter
# metacharacters anyway (RFC 4515)
uid=$(printf '%s' "$1" | sed 's/\\/\\5c/g;s/\*/\\2a/g;s/(/\\28/g;s/)/\\29/g')

# -x: simple bind with the configured binddn/bindpw
# the sed unfolds the LDIF continuation lines (exactly one leading space
# each, so only that one space is removed) and strips the attribute name
ldapsearch -x "${OPTIONS[@]}" -H "${uri}" \
    -w "${bindpw}" -D "${binddn}" \
    -b "${base}" \
    "(&(objectClass=posixAccount)(uid=${uid}))" \
    sshPublicKey \
    | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n //g;s/sshPublicKey: //gp'

Test the script from the command line: call it with an LDAP uid (which is also the UNIX login name) as the first command line argument; it should then return all keys of the given user. Example: /etc/ssh/ldap-keys.sh marc looks up the SSH keys of UNIX user marc in LDAP.
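The sed pipeline in the script unfolds LDIF continuation lines, but it silently drops any sshPublicKey that ldapsearch emits base64-encoded (written "sshPublicKey::", which happens as soon as a value contains non-ASCII bytes, e.g. an umlaut in the key comment). The following filter is an added example, not part of the original page or of the script above; it handles both encodings, and the ldapsearch-like output it runs on is constructed (no real key material).

```bash
#!/bin/bash
# Unfold ldapsearch LDIF output on stdin and print every sshPublicKey value,
# one key per line. Plain values ("attr: value") are passed through; base64
# values ("attr:: value"), which ldapsearch emits whenever a value contains
# non-ASCII bytes such as an umlaut in the key comment, are decoded.
extract_ssh_keys() {
    # join continuation lines (a single leading space) onto the previous line,
    # then keep only the sshPublicKey attributes
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' \
    | while IFS= read -r line; do
        case "$line" in
            'sshPublicKey:: '*) printf '%s' "${line#sshPublicKey:: }" | base64 -d; echo;;
            'sshPublicKey: '*)  printf '%s\n' "${line#sshPublicKey: }";;
        esac
    done
}

# Constructed sample resembling ldapsearch output (no real key material):
# one value folded at column 76 and one base64 value with a non-ASCII comment.
KEY1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForThisExample0000000001 marc@laptop'
KEY2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForThisExample0000000002 marc@büro'
sample_ldif() {
    printf '# extended LDIF\n#\n# LDAPv3\n'
    printf 'dn: uid=marc,ou=people,dc=example,dc=org\n'
    # "sshPublicKey: " is 14 characters, so the fold lands after 62 value bytes
    printf 'sshPublicKey: %s\n %s\n' "${KEY1:0:62}" "${KEY1:62}"
    printf 'sshPublicKey:: %s\n' "$(printf '%s' "$KEY2" | base64 | tr -d '\n')"
    printf '\n# search result\nsearch: 2\nresult: 0 Success\n\n# numResponses: 2\n# numEntries: 1\n'
}

# In production the input would be the ldapsearch call from /etc/ssh/ldap-keys.sh
sample_ldif | extract_ssh_keys
```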

The LPK Patch

At least there is a current patch in the bug reports: http://code.google.com/p/openssh-lpk/issues/detail?id=13 (this is a copy of the patch: openssh-lpk-5.9p1.patch)

There is a bug in this patch: Lines 350 and 351 are duplicates, one of them must be removed.

On Ubuntu, there is also an outdated PPA repository that already provides a patched OpenSSH, but not for recent versions:

sudo apt-add-repository ppa:sfire/ssh-lpk
sudo apt-get update

Jenkins Scripts

This is additional detailed information on what exactly I did. You don't need to know it unless you want to rebuild the packages yourself.

The packages are built using the following Jenkins bash scripts.

Sources:

The AKC Patch

#!/bin/bash -ex
 
export EMAIL=marc@waeckerlin.org
export NAME="Marc Wäckerlin"
 
renamepackage() {
  from=$1
  to=$2
  for file in $(find debian -name "*${from}*"); do
    mv ${file} ${file//${from}/${to}}
  done
  for file in $(find debian -exec grep -l ${from} {} ';'); do
    sed -i "s/${from}/${to}/g" ${file}
  done
  sed -i "/Package: *${to} *$/,/^$/s/Conflicts:.*/&, ${from}/" debian/control
  sed -i "/Package: *${to} *$/,/^$/s/Replaces:.*/&, ${from}/" debian/control
  sed -i "/Package: *${to} *$/,/^$/s/Provides:.*/&, ${from}/" debian/control
}
 
# add source-repository and install all necessary packages
schroot -c ${distro}_${arch} -u root -d / -- sed -i '/^deb-src/d;/^deb /{p;s/^deb/deb-src/}' /etc/apt/sources.list
schroot -c ${distro}_${arch} -u root -d / -- apt-get update
schroot -c ${distro}_${arch} -u root -d / -- apt-get -y --force-yes install quilt devscripts
schroot -c ${distro}_${arch} -u root -d / -- apt-get -y --force-yes build-dep openssh-server
 
# download the sources of openssh-server - not with sudo
apt-get source openssh-server
 
# download the akc patch file
wget -O openssh-akc.patch 'http://marc.wäckerlin.ch/_media/computer/blog/openssh-5.9p1.ubuntu.ack.patch'
 
# go to the downloaded and extracted directory
cd openssh-5.9p1
 
# add the new patch to the build using quilt
quilt push -a || true
quilt new openssh-akc.patch
quilt add $(patch --dry-run -p1 < ../openssh-akc.patch  | sed -n 's,patching file ,,p')
patch -p1 < ../openssh-akc.patch
quilt add configure config.h.in
autoconf
autoheader
quilt refresh
quilt pop -a
# append "confflags += --with-authorized-keys-command" to debian/rules, just after "confflags += --with-pam"
sed -i '/confflags *+= *--with-pam/aconfflags += --with-authorized-keys-command' debian/rules
## refresh configure file before calling configure
#sed -i '/^override_dh_auto_configure:/a\\taclocal && autoconf' debian/rules
# There's a bug in consolekit
sed -i '/confflags *+= *--with-consolekit/d' debian/rules
 
# rename package name to contain akc
renamepackage openssh-server openssh-akc-server
# Fix dependency on openssh-client, so building openssh-akc-client is not necessary
sed -i "/Package: *openssh-akc-server *$/,/^$/s/\(Depends:.*\) openssh-client[^,]*,\(.*\)/\1\2/" debian/control
# otherwise we'd need to provide openssh-akc-client:
#   renamepackage openssh-client openssh-akc-client
 
# Fix (build-) dependencies for old distributions: remove minimal versions
sed -i 's/ (>[^)]*),/,/g' debian/control
 
# create a new build version - enter a change text, e.g. "applied akc patch"
debchange -i "apply akc patch"
 
# rebuild debian packages
schroot -p -c ${distro}_${arch} -- debuild -us -uc -i -I

The LPK Patch

#!/bin/bash -ex
 
export EMAIL=marc@waeckerlin.org
export NAME="Marc Wäckerlin"
 
renamepackage() {
  from=$1
  to=$2
  for file in $(find debian -name "*${from}*"); do
    mv ${file} ${file//${from}/${to}}
  done
  for file in $(find debian -exec grep -l ${from} {} ';'); do
    sed -i "s/${from}/${to}/g" ${file}
  done
  sed -i "/Package: *${to} *$/,/^$/s/Conflicts:.*/&, ${from}/" debian/control
  sed -i "/Package: *${to} *$/,/^$/s/Replaces:.*/&, ${from}/" debian/control
  sed -i "/Package: *${to} *$/,/^$/s/Provides:.*/&, ${from}/" debian/control
}
 
# add source-repository and install all necessary packages
schroot -c ${distro}_${arch} -u root -d / -- sed -i '/^deb-src/d;/^deb /{p;s/^deb/deb-src/}' /etc/apt/sources.list
schroot -c ${distro}_${arch} -u root -d / -- apt-get update
schroot -c ${distro}_${arch} -u root -d / -- apt-get -y --force-yes install quilt devscripts libldap2-dev
schroot -c ${distro}_${arch} -u root -d / -- apt-get -y --force-yes build-dep openssh-server
 
# download the sources of openssh-server - not with sudo
apt-get source openssh-server
 
# download the lpk patch file
wget -O openssh-lpk.patch 'http://marc.wäckerlin.ch/_media/computer/blog/openssh-lpk-5.9p1.patch'
# bugfix in patch
sed -i '287s/95/94/;350d' openssh-lpk.patch
 
# go to the downloaded and extracted directory
cd openssh-5.9p1
 
# add the new patch to the build using quilt
quilt push -a || true
quilt new openssh-lpk.patch
quilt add $(patch --dry-run -p0 < ../openssh-lpk.patch  | sed -n 's,patching file ./,,p')
patch -p0 < ../openssh-lpk.patch
quilt refresh
quilt pop -a
# append "confflags += --with-ldap" to debian/rules, just after "confflags += --with-pam"
sed -i '/confflags *+= *--with-pam/aconfflags += --with-ldap' debian/rules
 
# rename package name to contain lpk
renamepackage openssh-server openssh-lpk-server
# Fix dependency on openssh-client, so building openssh-lpk-client is not necessary
sed -i "/Package: *openssh-lpk-server *$/,/^$/s/\(Depends:.*\) openssh-client[^,]*,\(.*\)/\1\2/" debian/control
# otherwise we'd need to provide openssh-lpk-client:
#   renamepackage openssh-client openssh-lpk-client
 
# Fix (build-) dependencies for old distributions: remove minimal versions
sed -i 's/ (>[^)]*),/,/g' debian/control
 
# create a new build version - enter a change text, e.g. "applied lpk patch"
debchange -i "apply ldap lpk patch"
 
# rebuild debian packages
schroot -p -c ${distro}_${arch} -- debuild -us -uc -i -I

1) The repository supports the following Ubuntu versions (valid in August 2012): precise, oneiric, natty, maverick
2) Don't forget to make it executable:
sudo chmod ugo+x /etc/ssh/ldap-keys.sh
3) /etc/ldap.conf is configured when you install the package setup-ldap-client

Discussion

Comment, 2013/12/09, 22:xx:

Hello, with the command "/etc/ssh/ldap-keys.sh stharbich" I get the following error message: Could not parse LDAP URI(s)=-w (3). Can you help me?

Kind regards, Stefan
