Name | Date | Size | ||
---|---|---|---|---|
.. | 20-Apr-2021 | 10 | ||
addr.c | H A D | 26-Oct-2023 | 10.1 KiB | |
addr.h | H A D | 28-Jul-2023 | 2.4 KiB | |
addrmatch.c | H A D | 20-Apr-2021 | 4.5 KiB | |
atomicio.c | H A D | 30-Apr-2019 | 4.7 KiB | |
atomicio.h | H A D | 30-Apr-2019 | 2.2 KiB | |
auth-bsdauth.c | H A D | 30-Apr-2019 | 3.8 KiB | |
auth-krb5.c | H A D | 20-Apr-2021 | 8.2 KiB | |
auth-options.c | H A D | 26-Oct-2023 | 23.6 KiB | |
auth-options.h | H A D | 02-Sep-2021 | 3.2 KiB | |
auth-pam.c | H A D | 26-Oct-2023 | 37.3 KiB | |
auth-pam.h | H A D | 26-Oct-2023 | 2 KiB | |
auth-passwd.c | H A D | 08-Jul-2023 | 6.1 KiB | |
auth-rhosts.c | H A D | 28-Jul-2023 | 9.3 KiB | |
auth-skey.c | H A D | 27-Apr-2017 | 2.9 KiB | |
auth.c | H A D | 28-Jul-2023 | 24.8 KiB | |
auth.h | H A D | 06-Oct-2022 | 8 KiB | |
auth2-chall.c | H A D | 06-Mar-2021 | 10 KiB | |
auth2-gss.c | H A D | 26-Oct-2023 | 9.9 KiB | |
auth2-hostbased.c | H A D | 28-Jul-2023 | 7.9 KiB | |
auth2-kbdint.c | H A D | 24-Feb-2022 | 2.4 KiB | |
auth2-krb5.c | H A D | 24-Feb-2022 | 2.4 KiB | |
auth2-none.c | H A D | 28-Jul-2023 | 2.3 KiB | |
auth2-passwd.c | H A D | 06-Oct-2022 | 2.6 KiB | |
auth2-pubkey.c | H A D | 26-Oct-2023 | 23.9 KiB | |
auth2-pubkeyfile.c | H A D | 28-Jul-2023 | 16.4 KiB | |
auth2.c | H A D | 21-Dec-2023 | 23.5 KiB | |
authfd.c | H A D | 21-Dec-2023 | 19.8 KiB | |
authfd.h | H A D | 21-Dec-2023 | 4.1 KiB | |
authfile.c | H A D | 28-Jul-2023 | 12.5 KiB | |
authfile.h | H A D | 27-Feb-2020 | 2.5 KiB | |
bcrypt_pbkdf.c | H A D | 27-Apr-2017 | 5.3 KiB | |
bitmap.c | H A D | 30-Apr-2019 | 4.6 KiB | |
bitmap.h | H A D | 30-Apr-2019 | 2 KiB | |
blf.h | H A D | 07-Apr-2018 | 3.6 KiB | |
blowfish.c | H A D | 27-Apr-2017 | 23.2 KiB | |
canohost.c | H A D | 26-Oct-2023 | 4 KiB | |
canohost.h | H A D | 27-Apr-2017 | 837 | |
chacha.c | H A D | 26-Oct-2023 | 5.4 KiB | |
chacha.h | H A D | 20-Apr-2021 | 1 KiB | |
channels.c | H A D | 21-Dec-2023 | 144.4 KiB | |
channels.h | H A D | 21-Dec-2023 | 15.2 KiB | |
cipher-aesctr.c | H A D | 07-Apr-2018 | 2.2 KiB | |
cipher-aesctr.h | H A D | 07-Apr-2018 | 1.4 KiB | |
cipher-chachapoly-libcrypto.c | H A D | 26-Oct-2023 | 4.9 KiB | |
cipher-chachapoly.c | H A D | 26-Oct-2023 | 4.1 KiB | |
cipher-chachapoly.h | H A D | 29-May-2020 | 1.6 KiB | |
cipher-ctr-mt.c | H A D | 30-Apr-2019 | 11.2 KiB | |
cipher.c | H A D | 21-Dec-2023 | 13.8 KiB | |
cipher.h | H A D | 21-Dec-2023 | 3.2 KiB | |
cleanup.c | H A D | 30-Apr-2019 | 1.1 KiB | |
clientloop.c | H A D | 21-Dec-2023 | 83.5 KiB | |
clientloop.h | H A D | 29-May-2020 | 3.8 KiB | |
compat.c | H A D | 28-Jul-2023 | 5.2 KiB | |
compat.h | H A D | 28-Jul-2023 | 2.6 KiB | |
crypto_api.h | H A D | 28-Jul-2023 | 1.7 KiB | |
dh.c | H A D | 20-Apr-2021 | 15.4 KiB | |
dh.h | H A D | 20-Apr-2021 | 2.7 KiB | |
digest-libc.c | H A D | 29-May-2020 | 5.7 KiB | |
digest-openssl.c | H A D | 06-Mar-2021 | 4.8 KiB | |
digest.h | H A D | 06-Mar-2021 | 2.6 KiB | |
dispatch.c | H A D | 28-Jul-2023 | 3.6 KiB | |
dispatch.h | H A D | 30-Apr-2019 | 2 KiB | |
dns.c | H A D | 28-Jul-2023 | 9 KiB | |
dns.h | H A D | 28-Jul-2023 | 2.1 KiB | |
ed25519.c | H A D | 28-Jul-2023 | 196.9 KiB | |
ed25519.sh | H A D | 26-Jul-2023 | 4.1 KiB | |
fatal.c | H A D | 06-Mar-2021 | 1.9 KiB | |
fmt_scaled.c | H A D | 30-Apr-2019 | 7.4 KiB | |
fmt_scaled.h | H A D | 30-Apr-2019 | 211 | |
freezero.c | H A D | 06-Apr-2018 | 1.1 KiB | |
getpeereid.c | H A D | 27-Apr-2017 | 1.9 KiB | |
getpeereid.h | H A D | 27-Apr-2017 | 304 | |
getrrsetbyname.c | H A D | 13-Nov-2020 | 13.9 KiB | |
getrrsetbyname.h | H A D | 27-Apr-2017 | 3.7 KiB | |
groupaccess.c | H A D | 30-Apr-2019 | 3.3 KiB | |
groupaccess.h | H A D | 27-Apr-2017 | 1.6 KiB | |
gss-genr.c | H A D | 06-Mar-2021 | 7.9 KiB | |
gss-serv-krb5.c | H A D | 30-Apr-2019 | 5.3 KiB | |
gss-serv.c | H A D | 29-May-2020 | 10.5 KiB | |
hash.c | H A D | 27-Feb-2020 | 819 | |
hmac.c | H A D | 29-May-2020 | 5.1 KiB | |
hmac.h | H A D | 07-Apr-2018 | 1.7 KiB | |
hostfile.c | H A D | 28-Jul-2023 | 24.7 KiB | |
hostfile.h | H A D | 06-Mar-2021 | 4.4 KiB | |
includes.h | H A D | 03-Sep-2021 | 407 | |
kex.c | H A D | 21-Dec-2023 | 43.9 KiB | |
kex.h | H A D | 21-Dec-2023 | 8.8 KiB | |
kexc25519.c | H A D | 30-Apr-2019 | 5.8 KiB | |
kexdh.c | H A D | 06-Mar-2021 | 5 KiB | |
kexecdh.c | H A D | 30-Apr-2019 | 5.6 KiB | |
kexgen.c | H A D | 24-Feb-2022 | 10.5 KiB | |
kexgex.c | H A D | 30-Apr-2019 | 3.7 KiB | |
kexgexc.c | H A D | 24-Feb-2022 | 7.1 KiB | |
kexgexs.c | H A D | 26-Oct-2023 | 6.4 KiB | |
kexsntrup761x25519.c | H A D | 24-Feb-2022 | 7.1 KiB | |
krl.c | H A D | 26-Oct-2023 | 35.8 KiB | |
krl.h | H A D | 26-Oct-2023 | 2.7 KiB | |
ldapauth.c | H A D | 15-Aug-2021 | 15.9 KiB | |
ldapauth.h | H A D | 15-Aug-2021 | 4.5 KiB | |
LICENCE | H A D | 08-Jul-2023 | 9.1 KiB | |
log.c | H A D | 21-Dec-2023 | 11.3 KiB | |
log.h | H A D | 20-Apr-2021 | 7 KiB | |
lpk-user-example.txt | H A D | 21-Nov-2010 | 3.7 KiB | |
mac.c | H A D | 13-Oct-2019 | 7.3 KiB | |
mac.h | H A D | 27-Apr-2017 | 2 KiB | |
match.c | H A D | 26-Oct-2023 | 9.6 KiB | |
match.h | H A D | 05-Dec-2020 | 1.3 KiB | |
md-sha256.c | H A D | 27-Apr-2017 | 2.1 KiB | |
misc.c | H A D | 21-Dec-2023 | 63 KiB | |
misc.h | H A D | 21-Dec-2023 | 9 KiB | |
moduli | H A D | 26-Oct-2023 | 573.3 KiB | |
moduli-gen/ | H | 21-Dec-2023 | 11 | |
moduli.5 | H A D | 26-Oct-2023 | 4.7 KiB | |
moduli.c | H A D | 28-Jul-2023 | 20.7 KiB | |
monitor.c | H A D | 26-Oct-2023 | 51 KiB | |
monitor.h | H A D | 28-Jul-2023 | 4.5 KiB | |
monitor_fdpass.c | H A D | 06-Mar-2021 | 4.1 KiB | |
monitor_fdpass.h | H A D | 27-Apr-2017 | 1.6 KiB | |
monitor_wrap.c | H A D | 21-Dec-2023 | 27.1 KiB | |
monitor_wrap.h | H A D | 06-Oct-2022 | 4 KiB | |
msg.c | H A D | 06-Mar-2021 | 2.9 KiB | |
msg.h | H A D | 27-Apr-2017 | 1.5 KiB | |
mux.c | H A D | 21-Dec-2023 | 62.7 KiB | |
myproposal.h | H A D | 16-Apr-2022 | 3.9 KiB | |
namespace.h | H A D | 03-Sep-2021 | 3.7 KiB | |
nchan.c | H A D | 24-Feb-2022 | 11.8 KiB | |
nchan.ms | H A D | 27-Dec-2016 | 3.9 KiB | |
nchan2.ms | H A D | 27-Dec-2016 | 3.4 KiB | |
openssh-lpk_openldap.schema | H A D | 21-Nov-2010 | 537 | |
openssh-lpk_sun.schema | H A D | 21-Nov-2010 | 609 | |
OVERVIEW | H A D | 30-Apr-2019 | 6.2 KiB | |
packet.c | H A D | 21-Dec-2023 | 72.4 KiB | |
packet.h | H A D | 21-Dec-2023 | 7.4 KiB | |
pathnames.h | H A D | 27-Feb-2020 | 5.7 KiB | |
pfilter.c | H A D | 15-Jun-2020 | 903 | |
pfilter.h | H A D | 07-Apr-2018 | 118 | |
pkcs11.h | H A D | 27-Apr-2017 | 41.4 KiB | |
poly1305.c | H A D | 26-Oct-2023 | 4.7 KiB | |
poly1305.h | H A D | 07-Apr-2018 | 712 | |
progressmeter.c | H A D | 26-Oct-2023 | 7.9 KiB | |
progressmeter.h | H A D | 30-Apr-2019 | 1.5 KiB | |
PROTOCOL | H A D | 21-Dec-2023 | 27.8 KiB | |
PROTOCOL.agent | H A D | 21-Dec-2023 | 4.3 KiB | |
PROTOCOL.certkeys | H A D | 02-Sep-2021 | 12.9 KiB | |
PROTOCOL.chacha20poly1305 | H A D | 29-May-2020 | 4.5 KiB | |
PROTOCOL.key | H A D | 06-Oct-2022 | 1.6 KiB | |
PROTOCOL.krl | H A D | 26-Oct-2023 | 6.9 KiB | |
PROTOCOL.mux | H A D | 24-Feb-2022 | 8.9 KiB | |
PROTOCOL.sshsig | H A D | 05-Dec-2020 | 3.3 KiB | |
PROTOCOL.u2f | H A D | 05-Dec-2020 | 10.8 KiB | |
random.h | H A D | 27-Apr-2017 | 1.6 KiB | |
readconf.c | H A D | 21-Dec-2023 | 107.3 KiB | |
readconf.h | H A D | 21-Dec-2023 | 9.9 KiB | |
README | H A D | 27-Dec-2016 | 917 | |
README.lpk | H A D | 21-Nov-2010 | 10.6 KiB | |
readpass.c | H A D | 06-Oct-2022 | 8.4 KiB | |
readpassphrase.3 | H A D | 27-Apr-2017 | 3.6 KiB | |
readpassphrase.c | H A D | 30-Apr-2019 | 4.6 KiB | |
readpassphrase.h | H A D | 27-Apr-2017 | 2.2 KiB | |
recallocarray.c | H A D | 09-Mar-2019 | 2.4 KiB | |
rijndael.c | H A D | 30-Apr-2019 | 51.7 KiB | |
rijndael.h | H A D | 24-Feb-2022 | 1.7 KiB | |
sandbox-pledge.c | H A D | 06-Mar-2021 | 1.9 KiB | |
sandbox-rlimit.c | H A D | 06-Mar-2021 | 2.3 KiB | |
scp.1 | H A D | 01-Dec-2023 | 8 KiB | |
scp.c | H A D | 21-Dec-2023 | 52.6 KiB | |
servconf.c | H A D | 21-Dec-2023 | 102.9 KiB | |
servconf.h | H A D | 26-Oct-2023 | 12.4 KiB | |
serverloop.c | H A D | 26-Oct-2023 | 29.5 KiB | |
serverloop.h | H A D | 13-Oct-2017 | 1 KiB | |
session.c | H A D | 26-Oct-2023 | 62.7 KiB | |
session.h | H A D | 28-Jul-2023 | 2.7 KiB | |
sftp-client.c | H A D | 21-Dec-2023 | 78.7 KiB | |
sftp-client.h | H A D | 26-Oct-2023 | 6.5 KiB | |
sftp-common.c | H A D | 26-Oct-2023 | 7.1 KiB | |
sftp-common.h | H A D | 06-Oct-2022 | 2.1 KiB | |
sftp-glob.c | H A D | 26-Oct-2023 | 3.8 KiB | |
sftp-realpath.c | H A D | 28-Sep-2021 | 6 KiB | |
sftp-server-main.c | H A D | 13-Oct-2019 | 1.6 KiB | |
sftp-server.8 | H A D | 02-Sep-2021 | 5 KiB | |
sftp-server.c | H A D | 26-Oct-2023 | 51 KiB | |
sftp-usergroup.c | H A D | 26-Oct-2023 | 5.8 KiB | |
sftp-usergroup.h | H A D | 05-Oct-2022 | 1.1 KiB | |
sftp.1 | H A D | 01-Dec-2023 | 17 KiB | |
sftp.c | H A D | 26-Oct-2023 | 63.7 KiB | |
sftp.h | H A D | 27-Apr-2017 | 3.4 KiB | |
sk-api.h | H A D | 06-Oct-2022 | 2.8 KiB | |
sk-usbhid.c | H A D | 26-Oct-2023 | 34.7 KiB | |
smult_curve25519_ref.c | H A D | 27-Apr-2017 | 6.8 KiB | |
sntrup761.c | H A D | 28-Jul-2023 | 25.4 KiB | |
sntrup761.sh | H A D | 28-Jul-2023 | 2.8 KiB | |
srclimit.c | H A D | 20-Apr-2021 | 3.9 KiB | |
srclimit.h | H A D | 05-Mar-2021 | 895 | |
ssh-add.1 | H A D | 21-Dec-2023 | 10.6 KiB | |
ssh-add.c | H A D | 21-Dec-2023 | 26.9 KiB | |
ssh-agent.1 | H A D | 26-Oct-2023 | 8.1 KiB | |
ssh-agent.c | H A D | 21-Dec-2023 | 64.9 KiB | |
ssh-dss.c | H A D | 28-Jul-2023 | 11.7 KiB | |
ssh-ecdsa-sk.c | H A D | 28-Jul-2023 | 13.3 KiB | |
ssh-ecdsa.c | H A D | 28-Jul-2023 | 12 KiB | |
ssh-ed25519-sk.c | H A D | 28-Jul-2023 | 7.7 KiB | |
ssh-ed25519.c | H A D | 28-Jul-2023 | 7.9 KiB | |
ssh-gss.h | H A D | 06-Mar-2021 | 4.3 KiB | |
ssh-keygen.1 | H A D | 26-Oct-2023 | 41.1 KiB | |
ssh-keygen.c | H A D | 26-Oct-2023 | 106.4 KiB | |
ssh-keyscan.1 | H A D | 28-Jul-2023 | 4.8 KiB | |
ssh-keyscan.c | H A D | 26-Oct-2023 | 19.9 KiB | |
ssh-keysign.8 | H A D | 16-Apr-2022 | 3 KiB | |
ssh-keysign.c | H A D | 06-Oct-2022 | 8.2 KiB | |
ssh-pkcs11-client.c | H A D | 21-Dec-2023 | 16.5 KiB | |
ssh-pkcs11-helper.8 | H A D | 28-Jul-2023 | 1.8 KiB | |
ssh-pkcs11-helper.c | H A D | 24-Feb-2022 | 10.2 KiB | |
ssh-pkcs11.c | H A D | 26-Oct-2023 | 46.3 KiB | |
ssh-pkcs11.h | H A D | 21-Dec-2023 | 1.8 KiB | |
ssh-rsa.c | H A D | 28-Jul-2023 | 19.6 KiB | |
ssh-sandbox.h | H A D | 07-Apr-2018 | 1.1 KiB | |
ssh-sk-client.c | H A D | 24-Feb-2022 | 11.3 KiB | |
ssh-sk-helper.8 | H A D | 06-Oct-2022 | 1.7 KiB | |
ssh-sk-helper.c | H A D | 28-Jul-2023 | 10 KiB | |
ssh-sk.c | H A D | 26-Oct-2023 | 22.2 KiB | |
ssh-sk.h | H A D | 24-Feb-2022 | 2.7 KiB | |
ssh-xmss.c | H A D | 28-Jul-2023 | 10.2 KiB | |
ssh.1 | H A D | 21-Dec-2023 | 46.4 KiB | |
ssh.c | H A D | 21-Dec-2023 | 75.1 KiB | |
ssh.h | H A D | 05-Dec-2020 | 2.9 KiB | |
ssh2.h | H A D | 21-Dec-2023 | 5.9 KiB | |
ssh_api.c | H A D | 28-Jul-2023 | 14.6 KiB | |
ssh_api.h | H A D | 30-Apr-2019 | 4.4 KiB | |
ssh_config | H A D | 26-Oct-2023 | 1.8 KiB | |
ssh_config.5 | H A D | 21-Dec-2023 | 66.7 KiB | |
sshbuf-getput-basic.c | H A D | 06-Oct-2022 | 12.3 KiB | |
sshbuf-getput-crypto.c | H A D | 06-Oct-2022 | 4.3 KiB | |
sshbuf-io.c | H A D | 26-Feb-2020 | 2.9 KiB | |
sshbuf-misc.c | H A D | 24-Feb-2022 | 7.1 KiB | |
sshbuf.c | H A D | 28-Jul-2023 | 9.9 KiB | |
sshbuf.h | H A D | 28-Jul-2023 | 13.6 KiB | |
sshconnect.c | H A D | 21-Dec-2023 | 50.4 KiB | |
sshconnect.h | H A D | 21-Dec-2023 | 3.2 KiB | |
sshconnect2.c | H A D | 21-Dec-2023 | 68.8 KiB | |
sshd.8 | H A D | 26-Oct-2023 | 31.2 KiB | |
sshd.c | H A D | 21-Dec-2023 | 64.6 KiB | |
sshd_config | H A D | 10-May-2022 | 4 KiB | |
sshd_config.5 | H A D | 26-Oct-2023 | 59.6 KiB | |
ssherr.c | H A D | 21-Oct-2022 | 5.4 KiB | |
ssherr.h | H A D | 27-Feb-2020 | 3.4 KiB | |
sshkey-xmss.c | H A D | 03-Aug-2023 | 29.8 KiB | |
sshkey-xmss.h | H A D | 28-Jul-2023 | 2.9 KiB | |
sshkey.c | H A D | 21-Dec-2023 | 90.1 KiB | |
sshkey.h | H A D | 26-Oct-2023 | 12.1 KiB | |
sshlogin.c | H A D | 06-Mar-2021 | 8.5 KiB | |
sshlogin.h | H A D | 27-Apr-2017 | 851 | |
sshpty.c | H A D | 13-Oct-2019 | 5 KiB | |
sshpty.h | H A D | 27-Apr-2017 | 1.1 KiB | |
sshsig.c | H A D | 21-Dec-2023 | 29.5 KiB | |
sshsig.h | H A D | 24-Feb-2022 | 4 KiB | |
sshtty.c | H A D | 27-Apr-2017 | 3.1 KiB | |
ttymodes.c | H A D | 06-Mar-2021 | 9.4 KiB | |
ttymodes.h | H A D | 13-Oct-2017 | 4.9 KiB | |
uidswap.c | H A D | 13-Oct-2019 | 4.9 KiB | |
uidswap.h | H A D | 30-Apr-2019 | 746 | |
umac.c | H A D | 28-Jul-2023 | 45.5 KiB | |
umac.h | H A D | 24-Feb-2022 | 4.6 KiB | |
umac128.c | H A D | 30-Aug-2018 | 340 | |
utf8.c | H A D | 29-May-2020 | 7.1 KiB | |
utf8.h | H A D | 20-Apr-2021 | 1.4 KiB | |
version.h | H A D | 21-Dec-2023 | 528 | |
xmalloc.c | H A D | 16-Apr-2022 | 2.6 KiB | |
xmalloc.h | H A D | 21-Dec-2023 | 1.2 KiB | |
xmss_commons.c | H A D | 06-Apr-2018 | 696 | |
xmss_commons.h | H A D | 06-Apr-2018 | 441 | |
xmss_fast.c | H A D | 06-Apr-2018 | 32.2 KiB | |
xmss_fast.h | H A D | 06-Apr-2018 | 3.7 KiB | |
xmss_hash.c | H A D | 06-Oct-2022 | 3.4 KiB | |
xmss_hash.h | H A D | 06-Apr-2018 | 869 | |
xmss_hash_address.c | H A D | 06-Apr-2018 | 1.3 KiB | |
xmss_hash_address.h | H A D | 06-Apr-2018 | 846 | |
xmss_wots.c | H A D | 30-Apr-2019 | 4.8 KiB | |
xmss_wots.h | H A D | 06-Apr-2018 | 1.8 KiB |
README
This release of OpenSSH is for OpenBSD systems only.

Please read
        http://www.openssh.com/portable.html
if you want to install OpenSSH on other operating systems.

To extract and install this release on your OpenBSD system use:

      # cd /usr/src/usr.bin
      # tar xvfz .../openssh-x.y.tgz
      # cd ssh
      # make obj
      # make cleandir
      # make depend
      # make
      # make install
      # cp ssh_config sshd_config /etc/ssh

OpenSSH is a derivative of the original and free ssh 1.2.12 release
by Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels
Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer
features and created OpenSSH.  Markus Friedl contributed the support
for SSH protocol versions 1.5 and 2.0.

See http://www.openssh.com/ for more information.

$OpenBSD: README,v 1.7 2006/04/01 05:37:46 djm Exp $
$NetBSD: README,v 1.5 2016/12/25 00:07:46 christos Exp $
README.lpk
OpenSSH LDAP PUBLIC KEY PATCH
Copyright (c) 2003 Eric AUGE (eau@phear.org)
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products
   derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

purposes of this patch:

This patch would help to have authentication centralization policy
using ssh public key authentication.
This patch could be an alternative to other "secure" authentication systems
working in a similar way (Kerberos, SecurID, etc...), except the fact
that it's based on OpenSSH and its public key abilities.

>> FYI: <<
'uid': means unix accounts existing on the current server
'lpkServerGroup:' means server group configured on the current server ('lpkServerGroup' in sshd_config)

example schema:


                  server1 (uid: eau,rival,toto) (lpkServerGroup: unix)
    ___________      /
   /           \ --- - server3 (uid: eau, titi) (lpkServerGroup: unix)
  | LDAP Server |    \
  | eau  ,rival |      server2 (uid: rival, eau) (lpkServerGroup: unix)
  | titi ,toto  |
  | userx,....  |         server5 (uid: eau) (lpkServerGroup: mail)
   \___________/ \       /
                   ----- - server4 (uid: eau, rival) (no group configured)
                         \
                            etc...

- WHAT WE NEED :

  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
  * patched sshd (with this patch ;)
  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
        User entry:
        - attached to the 'ldapPublicKey' objectclass
        - attached to the 'posixAccount' objectclass
        - with a filled 'sshPublicKey' attribute
        Example:
                dn: uid=eau,ou=users,dc=cuckoos,dc=net
                objectclass: top
                objectclass: person
                objectclass: organizationalPerson
                objectclass: posixAccount
                objectclass: ldapPublicKey
                description: Eric AUGE Account
                userPassword: blah
                cn: Eric AUGE
                sn: Eric AUGE
                uid: eau
                uidNumber: 1034
                gidNumber: 1
                homeDirectory: /export/home/eau
                sshPublicKey: ssh-dss AAAAB3...
                sshPublicKey: ssh-dss AAAAM5...

        Group entry:
        - attached to the 'posixGroup' objectclass
        - with a 'cn' groupname attribute
        - with multiple 'memberUid' attributes filled with usernames allowed in this group
        Example:
                # few members
                dn: cn=unix,ou=groups,dc=cuckoos,dc=net
                objectclass: top
                objectclass: posixGroup
                description: Unix based servers group
                cn: unix
                gidNumber: 1002
                memberUid: eau
                memberUid: user1
                memberUid: user2


- HOW IT WORKS :

  * without patch
  If a user wants to authenticate to log in to a server, the sshd will first look for authentication methods allowed (RSAauth,kerberos,etc..)
  and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).

  * with the patch
  If a user wants to authenticate to log in to a server, the sshd will first look for auth methods including LDAP pubkey, if the ldappubkey option is enabled.
  It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem.
  (usually in $HOME/.ssh/authorized_keys)

  If groups are enabled, it will also check if the user that wants to login is in the group of the server he is trying to log into.
  If it fails, it falls back on RSA auth files ($HOME/.ssh/authorized_keys), etc.. and finally to standard password authentication (if enabled).

  7 tokens are added to sshd_config :
  # here is the new patched ldap related tokens
  # entries in your LDAP must be posixAccount & strongAuthenticationUser & posixGroup
  UseLPK yes                                                            # look the pub key into LDAP
  LpkServers ldap://10.31.32.5/ ldap://10.31.32.4 ldap://10.31.32.3     # which LDAP server for users ? (URL format)
  LpkUserDN ou=users,dc=foobar,dc=net                                   # which base DN for users ?
  LpkGroupDN ou=groups,dc=foobar,dc=net                                 # which base DN for groups ?
  LpkBindDN cn=manager,dc=foobar,dc=net                                 # which bind DN ?
  LpkBindPw asecret                                                     # bind DN credentials
  LpkServerGroup agroupname                                             # the group the server is part of

  Right now i'm using anonymous binding to get public keys, because getting public keys of someone doesn't impersonate him¹ but there is some
  flaws you have to take care of.
  If you do set LpkBindDN/LpkBindPw instead, the bind password is stored in clear text in sshd_config, so make sure that file is
  not readable by ordinary users.

- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY

  * my way (there is plenty :)
  - create ldif file (i.e. users.ldif)
  - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
  - my way in 4 steps :
  Example:

  # you add this to the user entry in the LDIF file :
  [...]
  objectclass: posixAccount
  objectclass: ldapPublicKey
  [...]
  sshPublicKey: ssh-dss AAAABDh12DDUR2...
  [...]

  # insert your entry and you're done :)
  ldapadd -D balblabla -w bleh < file.ldif

  all standard options can be present in the 'sshPublicKey' attribute.

- WHY :

  Simply because, i was looking for a way to centralize all sysadmins authentication, easily, without completely using LDAP
  as authentication method (like pam_ldap etc..).

  After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get
  public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
  objectclass within LDAP and part of the group the SSH server is in).

  Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase
  so each user can change it as much as he wants).

  Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).

- RULES :
  Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema
  and the additional lpk.schema.

  This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication
  (pamldap, nss_ldap, etc..).

  This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).

  Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
  'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
  If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
  to log in 'server5' (i hope you got the idea, my english is bad :).

  Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
  server.
  When you want to allow a new user to have access to the server parc, you just add him an account on
  your servers, you add his public key into his entry on the LDAP server, it's done.

  Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).

  When the user needs to change his passphrase he can do it directly from his workstation by changing
  his own key set lock passphrase, and all servers are automatically aware.

  With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
  so he can add/modify/delete himself his public key when needed.

¹ FLAWS :
  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
  allows write to users dn, somebody could replace some user's public key by his own and impersonate some
  of your users in all your server farm: be VERY CAREFUL.

  MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
  as the impersonated user.
  The LpkServers examples in this file use plain ldap:// URLs, so unless the connection to the directory is protected
  by other means (TLS, or a network segment you trust), sshd cannot tell a forged answer from a genuine one.

  If LDAP server is down then, fallback on passwd auth.
  This means an LDAP outage, accidental or forced, moves logins back onto the local authorized_keys files and password
  authentication (if enabled); disable those fallbacks in sshd_config if LDAP is meant to be the only source of keys.

  the ldap code part has not been well audited yet.

- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
    --- CUT HERE ---
    dn: uid=jdoe,ou=users,dc=foobar,dc=net
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: posixAccount
    objectclass: ldapPublicKey
    description: My account
    cn: John Doe
    sn: John Doe
    uid: jdoe
    uidNumber: 100
    gidNumber: 100
    homeDirectory: /home/jdoe
    sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
    [...]
    --- CUT HERE ---

- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
    --- CUT HERE ---
    dn: cn=unix,ou=groups,dc=cuckoos,dc=net
    objectclass: top
    objectclass: posixGroup
    description: Unix based servers group
    cn: unix
    gidNumber: 1002
    memberUid: jdoe
    memberUid: user1
    memberUid: user2
    [...]
    --- CUT HERE ---

>> FYI: <<
Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry

- COMPILING:
  1. Apply the patch
  2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
  3. make
  4. it's done.

- BLA :
  I hope this could help, and i hope to be clear enough, or give ideas. questions/comments/improvements are welcome.

- TODO :
  Redesign differently.

- DOCS/LINK :
  http://pacsec.jp/core05/psj05-barisani-en.pdf
  http://fritz.potsdam.edu/projects/openssh-lpk/
  http://fritz.potsdam.edu/projects/sshgate/
  http://dev.inversepath.com/trac/openssh-lpk
  http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )

- CONTRIBUTORS/IDEAS/GREETS :
  - Falk Siemonsmeier.
  - Jacob Rief.
  - Michael Durchgraf.
  - frederic peters.
  - Finlay dobbie.
  - Stefan Fisher.
  - Robin H. Johnson.
  - Adrian Bridgett.

- CONTACT :
  - Eric AUGE <eau@phear.org>
  - Andrea Barisani <andrea@inversepath.com>