Child pages
  • OpenSSH with LDAP public keys
Skip to end of metadata
Go to start of metadata

Ubuntu 12.04 ships with OpenSSH-5.9p1.

We would like to have the LDAP Public Keys patch incorporated, as well as the SFTP File Control patch

To do this:

 

  • cd /usr/src
  • apt-get source openssh && cd openssh-5.9p1
  • patch < ~/sftp.patch
  • dpkg-source --commit
  • patch < ~/lpk.patch
  • dpkg-source --commit
  • dpkg-buildpackage
The LPK patch is derived from Gentoo. The SFTP file control patch is the one for 5.4p1.
Both had to be slightly changed so they could be applied (order: sftp,lpk).

 

After successful compilation I have added them to our new Ubuntu repository at http://ubuntu.terena.net (smile)

  • No labels

8 Comments

  1. Anonymous

    Hello, i'm trying to pach openssh5.9p1 on ubuntu 12.04LTS, can you please explain what do i need to change in this patch, to get it to work?

    thank you.

    1. which patch are you trying to apply?

      the two patches can be applied without modification, but to add them both you'll have to edit them

      1. Anonymous

        Thank you for reply. Seems like i've applied the patch, but now i have troubles with package building with "confflags += --with-ldap"
        it's Ubuntu server 12.04LTS
        checking for LDAP support... no
        configure: error: ** Incomplete or missing ldap libraries **
        dh_auto_configure: ../configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openssh --disable-maintainer-mode --disable-dependency-tracking --sysconfdir=/etc/ssh --disable-strip --with-mantype=doc --with-4in6 --with-privsep-path=/var/run/sshd --with-tcp-wrappers --with-pam --with-libedit --with-kerberos5=/usr --with-ssl-engine --with-selinux --with-consolekit --with-xauth=/usr/bin/xauth --with-ldap --with-default-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11 --with-cflags=-D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSH_EXTRAVERSION=\"Debian-5ubuntu1\" --with-ldflags=-Wl,--as-needed -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now returned exit code 1
        make[1]: *** [override_dh_auto_configure] Error 2
        make[1]: Leaving directory `/usr/src/openssh-5.9p1'
        make: *** [build] Error 2
        dpkg-buildpackage: error: debian/rules build gave error exit status 2
        1. Ah, some little details, you have to patch debian/rules as well. see attached patch.

          Once that is done, you also have to install libldap2-dev of course.

          1. Anonymous

            Thank you! You are the savior (smile)

            1. So? it worked then?

  2. Anonymous

    patches applied, but no ldap option in configuration, compilation works just fine, but no support for lpk :/

    1. The configuration option do not magically appear in the configuration file, you have to add them.

      If everthing compiled OK, you should be able to see this reflected in the man page:

       

      UseLPK Specifies whether LDAP public key retrieval must be used or not. It allow
      an easy centralisation of public keys within an LDAP directory. The argu‐
      ment must be “yes” or “no”.

      LpkLdapConf
      Specifies whether LDAP Public keys should parse the specified ldap.conf
      file instead of sshd_config Tokens. The argument must be a valid path to
      an ldap.conf file like /etc/ldap.conf

      LpkServers
      Specifies LDAP one or more [:space:] separated server's url the following
      form may be used:

      LpkServers ldaps://127.0.0.1 ldap://127.0.0.2 ldap://127.0.0.3

      LpkUserDN
      Specifies the LDAP user DN.

      LpkUserDN ou=users,dc=phear,dc=org

      LpkGroupDN
      Specifies the LDAP groups DN.

      LpkGroupDN ou=groups,dc=phear,dc=org

      LpkBindDN
      Specifies the LDAP bind DN to use if necessary.

      LpkBindDN cn=Manager,dc=phear,dc=org

      LpkBindPw
      Specifies the LDAP bind credential.

      LpkBindPw secret

      LpkServerGroup
      Specifies one or more [:space:] separated group the server is part of.

      LpkServerGroup unix mail prod

      LpkFilter
      Specifies an additional LDAP filter to use for finding SSH keys

      LpkFilter (hostAccess=master.phear.org)

      LpkForceTLS
      Specifies if the LDAP server connection must be tried, forced or not
      used. The argument must be “yes” or “no” or “try”.

      LpkSearchTimelimit
      Sepcifies the search time limit before the search is considered over.
      value is in seconds.

      LpkSearchTimelimit 3

      LpkBindTimelimit
      Sepcifies the bind time limit before the connection is considered dead.
      value is in seconds.

      LpkBindTimelimit 3