lpk-user-example.txt - crypto/external/bsd/openssh/dist/lpk-user-example.txt - Netbsd-lockdoc source code (lockdoc-10.99.5-vfs-0.2)


Post to ML -> User Made Quick Install Doc.
Contribution from John Lane <john@lane.uk.net>

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

OpenSSH LDAP keystore Patch
===========================

NOTE: these notes are a transcript of a specific installation
      they work for me, your specifics may be different!
      from John Lane March 17th 2005         john@lane.uk.net

This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
from their LDAP record as an alternative to ~/.ssh/authorized_keys.

(Assuming here that necessary build stuff is in $BUILD)

cd $BUILD/openssh-4.0p1
patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
mkdir -p /var/empty &&
./configure --prefix=/usr --sysconfdir=/etc/ssh \
    --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
    --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
Now do.
make &&
make install

Add the following config to /etc/ssh/ssh_config
UseLPK yes
LpkServers ldap://myhost.mydomain.com
LpkUserDN  ou=People,dc=mydomain,dc=com

We need to tell sshd about the SSL keys during boot, as root's
environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
Change the startup code from this:
                echo "Starting SSH Server..."
                loadproc /usr/sbin/sshd
                ;;
to this:
                echo "Starting SSH Server..."
                LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
                ;;

Re-start the sshd daemon:
/etc/rc.d/init.d/sshd restart

Install the additional LDAP schema
cp $BUILD/openssh-lpk-0.2.schema  /etc/openldap/schema/openssh.schema

Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
Add the following to the end of the existing block of schema includes
include         /etc/openldap/schema/openssh.schema

Re-start the LDAP server:
/etc/rc.d/init.d/slapd restart

To add one or more public keys to a user, eg "testuser" :
ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser

append the following to this /tmp/testuser file
objectclass: ldapPublicKey
sshPublicKey: ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key

Then do a modify:
ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
/tmp/testuser -Z
Enter LDAP Password:
modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
And check the modify is ok:
ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
"uid=testuser,ou=People,dc=mydomain,dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# testuser, People, mydomain.com
dn: uid=testuser,ou=People,dc=mydomain,dc=com
uid: testuser
cn: testuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: ldapPublicKey
shadowLastChange: 12757
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 501
homeDirectory: /home/testuser
userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
sshPublicKey: ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Now start a ssh session to user "testuser" from usual ssh client (e.g.
puTTY). Login should succeed.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++