Post to ML -> User Made Quick Install Doc.
Contribution from John Lane <john@lane.uk.net>

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

OpenSSH LDAP keystore Patch
===========================

NOTE: these notes are a transcript of a specific installation.
      They work for me; your specifics may be different!
      From John Lane, March 17th 2005, john@lane.uk.net

This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
from their LDAP record as an alternative to ~/.ssh/authorized_keys.

(Assuming here that the necessary build material is in $BUILD.)

cd $BUILD/openssh-4.0p1
patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
mkdir -p /var/empty &&
./configure --prefix=/usr --sysconfdir=/etc/ssh \
    --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
    --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"

Now do:
make &&
make install

Add the following config to /etc/ssh/sshd_config:
UseLPK yes
LpkServers ldap://myhost.mydomain.com
LpkUserDN ou=People,dc=mydomain,dc=com

We need to tell sshd about the SSL keys (in /root/.ldaprc) during boot, as
root's environment does not exist at that time. Edit /etc/rc.d/init.d/sshd
and change the startup code from this:
    echo "Starting SSH Server..."
    loadproc /usr/sbin/sshd
    ;;
to this:
    echo "Starting SSH Server..."
    LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
    ;;

Re-start the sshd daemon:
/etc/rc.d/init.d/sshd restart

Install the additional LDAP schema:
cp $BUILD/openssh-lpk-0.2.schema /etc/openldap/schema/openssh.schema

Now add the OpenSSH LDAP schema to /etc/openldap/slapd.conf. Add the
following to the end of the existing block of schema includes:
include /etc/openldap/schema/openssh.schema

Re-start the LDAP server:
/etc/rc.d/init.d/slapd restart

To add one or more public keys to a user, e.g. "testuser", first dump the
user's current entry:
ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" \
    -D "uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser

Append the following to this /tmp/testuser file (the key is one LDIF
attribute value; each wrapped line must begin with a single space):
objectclass: ldapPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
 qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
 7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key

Then do a modify:
ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -Z \
    -f /tmp/testuser
Enter LDAP Password:
modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"

And check the modify is OK:
ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" \
    -D "uid=testuser,ou=People,dc=mydomain,dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# testuser, People, mydomain.com
dn: uid=testuser,ou=People,dc=mydomain,dc=com
uid: testuser
cn: testuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: ldapPublicKey
shadowLastChange: 12757
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 501
homeDirectory: /home/testuser
userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
 8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Now start an ssh session to user "testuser" from the usual ssh client (e.g.
PuTTY). Login should succeed.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
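The hand-edited LDIF in the steps above (dump the entry, append objectclass and sshPublicKey, ldapmodify, re-check with ldapsearch) is easy to get wrong: a key wrapped without the single leading space that marks an LDIF continuation line, or a base64 blob mangled while pasting, is either refused by ldapmodify or stored in a form sshd cannot use for login. The script below is an added example, not part of John Lane's notes or of the openssh-lpk patch. It builds the modify record for a key it has validated first, folds lines per RFC 2849, and parses ldapsearch-style output to re-check every sshPublicKey value already in the directory. The DN, the sample key (a made-up 1024-bit modulus, not a real key pair), the function names and the ldif text are constructed for the example.

```python
# Added example (not part of the original notes): generate the LDIF for the
# ldapmodify step and sanity-check sshPublicKey values, before loading them and
# again in ldapsearch output. The sample DN and key are constructed, not real.
import base64
import struct

LDIF_WIDTH = 76  # RFC 2849: longer lines are folded; continuations start with one space

def fold_ldif_line(line, width=LDIF_WIDTH):
    """Split one logical LDIF line into RFC 2849 physical lines."""
    if len(line) <= width:
        return [line]
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def unfold_ldif(text):
    """Glue continuation lines back together; drop comments and blank lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    return logical

def parse_ldif_entry(text):
    """Return {attr_lowercase: [values]} for LDIF such as ldapsearch output."""
    attrs = {}
    for line in unfold_ldif(text):
        if line == "-":            # change-record separator, carries no data
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):  # "attr:: <base64>" form, e.g. userPassword
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs

_ssh_string = lambda b: struct.pack(">I", len(b)) + b  # SSH wire string

def _ssh_mpint(x):
    # SSH mpint: big-endian two's complement, so a leading 0x00 when the top bit is set
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def make_rsa_pubkey(e, n, comment):
    """Encode (e, n) as an authorized_keys-style ssh-rsa line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def _ssh_fields(blob):
    """Split an SSH wire blob into its length-prefixed strings."""
    fields, off = [], 0
    while off < len(blob):
        n = int.from_bytes(blob[off:off + 4], "big")
        if off + 4 > len(blob) or off + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields

def validate_ssh_pubkey(value):
    """Return (keytype, modulus_bits_or_None, comment) or raise ValueError.

    The blob must be valid base64 made only of SSH wire strings whose first
    string equals the declared type; ssh-rsa must hold exactly e and n.
    """
    parts = value.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    fields = _ssh_fields(base64.b64decode(parts[1], validate=True))
    if not fields or fields[0] != keytype.encode():
        raise ValueError("blob type tag does not match declared %r" % keytype)
    bits = None
    if keytype == "ssh-rsa":
        if len(fields) != 3:
            raise ValueError("ssh-rsa blob must be exactly tag, e, n")
        bits = int.from_bytes(fields[2], "big").bit_length()
    return keytype, bits, comment

def build_modify_ldif(dn, pubkeys, add_objectclass=True):
    """LDIF change record adding ldapPublicKey and the given sshPublicKey values."""
    for key in pubkeys:
        validate_ssh_pubkey(key)   # refuse to emit a record for a broken key
    logical = ["dn: " + dn, "changetype: modify"]
    if add_objectclass:
        logical += ["add: objectClass", "objectClass: ldapPublicKey", "-"]
    logical += ["add: sshPublicKey"] + ["sshPublicKey: " + k for k in pubkeys]
    return "\n".join(p for line in logical for p in fold_ldif_line(line)) + "\n"

def check_entry_keys(ldif_text):
    """For ldapsearch output: each sshPublicKey paired with None or its problem."""
    results = []
    for key in parse_ldif_entry(ldif_text).get("sshpublickey", []):
        try:
            validate_ssh_pubkey(key)
            results.append((key, None))
        except ValueError as exc:
            results.append((key, str(exc)))
    return results

# Constructed sample data: a made-up 1024-bit modulus, not a real key pair.
SAMPLE_DN = "uid=testuser,ou=People,dc=mydomain,dc=com"
SAMPLE_KEY = make_rsa_pubkey(65537, (1 << 1023) | 0x10001, "testuser@example")

if __name__ == "__main__":
    print(build_modify_ldif(SAMPLE_DN, [SAMPLE_KEY]), end="")
```

Feed the printed record to `ldapmodify -f`, and pipe the later `ldapsearch` output into `check_entry_keys` to confirm the stored value still parses as the key you meant to publish. Using an explicit `changetype: modify` with `add:` also avoids relying on ldapmodify's default handling of a record that has no changetype, which the dump-and-append approach above depends on.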