View Issue Details

ID: 0005335
Project: CentOS-6
Category: openssh
View Status: public
Last Update: 2013-02-28 20:05
Reporter: gcharot
Priority: normal / Severity: minor / Reproducibility: always
Status: resolved / Resolution: fixed
Platform: i386 / OS: CentOS / OS Version: 6.1
Product Version: 6.1
Target Version: (blank) / Fixed in Version: 6.4
Summary: 0005335: Error/typo in openssh-ldap HOWTO file
Description: I'm currently testing openssh-ldap on CentOS 6.1; the goal is to store users' public keys in an LDAP object attribute.
I have noticed an error/typo in the HOWTO located in:
/usr/share/doc/openssh-ldap-5.3p1/HOWTO.ldap-keys

The HOWTO suggests including the following line in sshd_config:

AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"

The correct line is:

AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper

Without the quotes. When using quotes, sshd skips the ldap-wrapper and directly tries to read the ~/.ssh/authorized_keys file.
Steps To Reproduce: The following packages are installed:
libssh2-1.2.2-7.el6.i686
openssh-server-5.3p1-52.el6_1.2.i686
openssh-clients-5.3p1-52.el6_1.2.i686
openssh-ldap-5.3p1-52.el6_1.2.i686
openssh-5.3p1-52.el6_1.2.i686

Use the configuration line as suggested in /usr/share/doc/openssh-ldap-5.3p1/HOWTO.ldap-keys:
AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"

When using this command line, sshd debug output is:

Dec 21 13:55:51 localhost sshd[3059]: debug1: userauth-request for user plop service ssh-connection method none
Dec 21 13:55:51 localhost sshd[3059]: debug1: attempt 0 failures 0
Dec 21 13:55:51 localhost sshd[3057]: debug1: PAM: initializing for "plop"
Dec 21 13:55:51 localhost sshd[3057]: debug1: PAM: setting PAM_RHOST to "10.0.2.2"
Dec 21 13:55:51 localhost sshd[3057]: debug1: PAM: setting PAM_TTY to "ssh"
Dec 21 13:56:11 localhost sshd[3059]: debug1: userauth-request for user plop service ssh-connection method publickey
Dec 21 13:56:11 localhost sshd[3059]: debug1: attempt 1 failures 0
Dec 21 13:56:11 localhost sshd[3059]: debug1: test whether pkalg/pkblob are acceptable
Dec 21 13:56:11 localhost sshd[3057]: debug1: temporarily_use_uid: 2020/2000 (e=0/0)
Dec 21 13:56:11 localhost sshd[3057]: debug1: trying public key file /home/plop/.ssh/authorized_keys
Dec 21 13:56:11 localhost sshd[3057]: debug1: restore_uid: 0/0
Dec 21 13:56:11 localhost sshd[3057]: debug1: temporarily_use_uid: 2020/2000 (e=0/0)
Dec 21 13:56:11 localhost sshd[3057]: debug1: trying public key file /home/plop/.ssh/authorized_keys2
Dec 21 13:56:11 localhost sshd[3057]: debug1: restore_uid: 0/0
Dec 21 13:56:11 localhost sshd[3057]: Failed publickey for plop from 10.0.2.2 port 60465 ssh2


sshd skips the LDAP wrapper.

When using
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
sshd output is:
Dec 21 13:59:39 localhost sshd[3099]: debug1: userauth-request for user plop service ssh-connection method none
Dec 21 13:59:39 localhost sshd[3099]: debug1: attempt 0 failures 0
Dec 21 13:59:39 localhost sshd[3098]: debug1: PAM: initializing for "plop"
Dec 21 13:59:39 localhost sshd[3098]: debug1: PAM: setting PAM_RHOST to "10.0.2.2"
Dec 21 13:59:39 localhost sshd[3098]: debug1: PAM: setting PAM_TTY to "ssh"
Dec 21 13:59:59 localhost sshd[3099]: debug1: userauth-request for user plop service ssh-connection method publickey
Dec 21 13:59:59 localhost sshd[3099]: debug1: attempt 1 failures 0
Dec 21 13:59:59 localhost sshd[3099]: debug1: test whether pkalg/pkblob are acceptable
Dec 21 13:59:59 localhost sshd[3098]: debug1: temporarily_use_uid: 2020/2000 (e=0/0)
Dec 21 13:59:59 localhost sshd[3100]: debug1: restore_uid: 0/0
Dec 21 13:59:59 localhost sshd[3100]: debug1: permanently_set_uid: 2020/2000
Dec 21 14:00:02 localhost sshd[3098]: debug1: matching key found: file /usr/libexec/openssh/ssh-ldap-wrapper, line 1
Dec 21 14:00:02 localhost sshd[3098]: Found matching RSA key: 4d:16:3b:6f:d6:66:1f:ba:c1:cc:8f:63:d6:3c:77:d2


This is the expected behavior.

Cheers,
Greg
Tags: No tags attached.
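A configuration check for the mistake this report describes, added here as an example (it is not from the report, the HOWTO, or the openssh-ldap package): it reads an sshd_config, takes the first AuthorizedKeysCommand value, and flags a value wrapped in quotes, which the sshd build in this report does not run, falling back to ~/.ssh/authorized_keys instead. The function names, exit codes and the constructed config lines are the example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or the openssh-ldap package.
# Lints an sshd_config for the quoted-AuthorizedKeysCommand mistake from the
# HOWTO: on the OpenSSH 5.3p1 build in this report the quoted value is not a
# usable path, so sshd never runs the wrapper and reads ~/.ssh/authorized_keys.

# Print the value of the first active AuthorizedKeysCommand line in file $1.
# Keyword match is case-insensitive, as sshd treats it; comment lines are skipped.
aks_command_value() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "authorizedkeyscommand" && !found {
            found = 1
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop the keyword
            sub(/[[:space:]]+$/, "")                            # drop trailing blanks
            print
        }' "$1"
}

# Exit status: 0 usable, 1 quoted value (the HOWTO typo), 2 directive absent,
# 3 the program path is not an executable file on this host.
check_aks_command() {
    value=$(aks_command_value "$1")
    if [ -z "$value" ]; then
        echo "$1: no AuthorizedKeysCommand directive"
        return 2
    fi
    case $value in
        '"'*|"'"*)
            echo "$1: quoted value $value (sshd will not run the wrapper)"
            return 1 ;;
    esac
    prog=${value%% *}   # first word is the program; the rest would be arguments
    if [ -x "$prog" ]; then
        echo "$1: ok, $prog is executable"
        return 0
    fi
    echo "$1: warning, $prog is not an executable file here"
    return 3
}

# Demo on constructed configs: the line from the HOWTO and the corrected line.
demo=$(mktemp -d)
printf 'AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"\n' > "$demo/howto"
printf 'AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper\n' > "$demo/fixed"
for f in howto fixed; do
    check_aks_command "$demo/$f" || echo "  exit status $?"
done
rm -rf "$demo"
```

On a host without the wrapper installed the corrected line reports status 3 rather than 0, which is the second thing worth checking before restarting sshd.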

Activities

codertux (reporter)   2012-08-24 10:30   ~0015703

I can confirm this on CentOS 6.3 x86_64. Wasted a lot of time until I found this report.
tigalch (manager)   2012-09-16 20:40   ~0015785

now reported upstream as https://bugzilla.redhat.com/show_bug.cgi?id=857760
tigalch (manager)   2013-02-21 17:46   ~0016516

will be fixed with the release of 6.4
http://rhn.redhat.com/errata/RHSA-2013-0519.html
tigalch (manager)   2013-02-28 20:05   ~0016561

6.3-CR is available

Issue History

Date Modified Username Field Change
2011-12-22 10:46 gcharot New Issue
2012-08-24 10:30 codertux Note Added: 0015703
2012-09-16 20:40 tigalch Note Added: 0015785
2013-02-21 17:46 tigalch Note Added: 0016516
2013-02-22 10:22 tigalch Status new => acknowledged
2013-02-28 20:05 tigalch Note Added: 0016561
2013-02-28 20:05 tigalch Status acknowledged => resolved
2013-02-28 20:05 tigalch Fixed in Version => 6.4
2013-02-28 20:05 tigalch Resolution open => fixed