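diff -up openssh-5.5p1/auth2-pubkey.c.pka openssh-5.5p1/auth2-pubkey.c
--- openssh-5.5p1/auth2-pubkey.c.pka	2010-05-06 10:50:47.000000000 +0200
+++ openssh-5.5p1/auth2-pubkey.c	2010-05-06 10:50:49.000000000 +0200
@@ -186,27 +186,15 @@ done:
 
 /* return 1 if user allows given key */
 static int
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
 {
 	char line[SSH_MAX_PUBKEY_BYTES];
 	const char *reason;
 	int found_key = 0;
-	FILE *f;
 	u_long linenum = 0;
 	Key *found;
 	char *fp;
 
-	/* Temporarily use the user's uid. */
-	temporarily_use_uid(pw);
-
-	debug("trying public key file %s", file);
-	f = auth_openkeyfile(file, pw, options.strict_modes);
-
-	if (!f) {
-		restore_uid();
-		return 0;
-	}
-
 	found_key = 0;
 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
 
@@ -281,8 +269,6 @@ user_key_allowed2(struct passwd *pw, Key
 			break;
 		}
 	}
-	restore_uid();
-	fclose(f);
 	key_free(found);
 	if (!found_key)
 		debug2("key not found");
@@ -329,13 +315,153 @@ user_cert_trusted_ca(struct passwd *pw, 
 	return ret;
 }
 
-/* check whether given key is in .ssh/authorized_keys* */
+/* return 1 if user allows given key */
+static int
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
+{
+	FILE *f;
+	int found_key = 0;
+
+	/* Temporarily use the user's uid. */
+	temporarily_use_uid(pw);
+
+	debug("trying public key file %s", file);
+	f = auth_openkeyfile(file, pw, options.strict_modes);
+
+ 	if (f) {
+ 		found_key = user_search_key_in_file (f, file, key, pw);
+		fclose(f);
+	}
+
+	restore_uid();
+	return found_key;
+}
+
+#ifdef WITH_PUBKEY_AGENT
+
+#define WHITESPACE " \t\r\n"
+
+/* return 1 if user allows given key */
+static int
+user_key_via_agent_allowed2(struct passwd *pw, Key *key)
+{
+	FILE *f;
+	int found_key = 0;
+	char *pubkey_agent_string = NULL;
+	char *tmp_pubkey_agent_string = NULL;
+	char *progname;
+	char *cp;
+	struct passwd *runas_pw;
+	struct stat st;
+
+	if (options.pubkey_agent == NULL || options.pubkey_agent[0] != '/')
+		return -1;
+
+	/* get the run as identity from config */
+	runas_pw = (options.pubkey_agent_runas == NULL)? pw
+	    : getpwnam (options.pubkey_agent_runas);
+	if (!runas_pw) {
+		error("%s: getpwnam(\"%s\"): %s", __func__,
+		    options.pubkey_agent_runas, strerror(errno));
+		return 0;
+	}
+
+	/* Temporarily use the specified uid. */
+	if (runas_pw->pw_uid != 0)
+		temporarily_use_uid(runas_pw);
+
+	pubkey_agent_string = percent_expand(options.pubkey_agent,
+	    "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL);
+
+	/* Test whether agent can be modified by non root user */
+	tmp_pubkey_agent_string = xstrdup (pubkey_agent_string);
+	progname = strtok (tmp_pubkey_agent_string, WHITESPACE);
+
+	debug3("%s: checking program '%s'", __func__, progname);
+
+	if (stat (progname, &st) < 0) {
+		error("%s: stat(\"%s\"): %s", __func__,
+		    progname, strerror(errno));
+		goto go_away;
+	}
+
+	if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+		error("bad ownership or modes for pubkey agent \"%s\"",
+		    progname);
+		goto go_away;
+	}
+
+	if (!S_ISREG(st.st_mode)) {
+		error("pubkey agent \"%s\" is not a regular file",
+		    progname);
+		goto go_away;
+	}
+
+	/*
+	 * Descend the path, checking that each component is a
+	 * root-owned directory with strict permissions.
+	 */
+	do {
+		if ((cp = strrchr(progname, '/')) == NULL)
+			break;
+		else 
+			*cp = '\0';
+	
+		debug3("%s: checking component '%s'", __func__, progname);
+
+		if (stat(progname, &st) != 0) {
+			error("%s: stat(\"%s\"): %s", __func__,
+			    progname, strerror(errno));
+			goto go_away;
+		}
+		if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+			error("bad ownership or modes for pubkey agent path component \"%s\"",
+			    progname);
+			goto go_away;
+		}
+		if (!S_ISDIR(st.st_mode)) {
+			error("pubkey agent path component \"%s\" is not a directory",
+			    progname);
+			goto go_away;
+		}
+	} while (0);
+
+	/* open the pipe and read the keys */
+	f = popen (pubkey_agent_string, "r");
+	if (!f) {
+		error("%s: popen (\"%s\", \"r\"): %s", __func__,
+		    pubkey_agent_string, strerror (errno));
+		goto go_away;
+	}
+
+	found_key = user_search_key_in_file (f, options.pubkey_agent, key, pw);
+	pclose (f);
+
+go_away:
+	if (tmp_pubkey_agent_string)
+		xfree (tmp_pubkey_agent_string);
+	if (pubkey_agent_string)
+		xfree (pubkey_agent_string);
+
+	if (runas_pw->pw_uid != 0)
+		restore_uid();
+	return found_key;
+}
+#endif
+
+/* check whether given key is in 
 int
 user_key_allowed(struct passwd *pw, Key *key)
 {
 	int success;
 	char *file;
 
+#ifdef WITH_PUBKEY_AGENT
+	success = user_key_via_agent_allowed2(pw, key);
+	if (success >= 0)
+		return success;
+#endif
+
 	if (auth_key_is_revoked(key))
 		return 0;
 	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))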
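Review bot: The `#ifdef WITH_PUBKEY_AGENT` block inserted at the top of user_key_allowed returns as soon as user_key_via_agent_allowed2() yields a non-negative value, which is before the two `auth_key_is_revoked()` checks that follow it in the same hunk, so with a pubkey agent configured a key (or a certificate's signing key) listed in RevokedKeys is still accepted whenever the agent returns it. Moving the five agent lines below the `if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))` test (whose body continues outside the hunk) keeps the agent path subject to the same revocation policy as the authorized_keys path. In user_key_via_agent_allowed2 the comment promises to check "each component" of the path, but the `do { ... } while (0)` body runs exactly once, so only the directory that directly contains the program is verified and its ancestors are never stat'ed; a loop that continues while `cp != progname` and a '/' remains would match the comment. The ownership/mode checks are applied only to the first whitespace-separated token of the expanded command, while `popen()` passes the whole string, including the `%h`/`%u` expansions of pw_dir and pw_name, to /bin/sh, so running the program directly with an explicit argv via fork/execve would make the checks cover what actually executes and keep any shell metacharacters in passwd fields inert. The comment added just above `int user_key_allowed(...)` reads `/* check whether given key is in ` with no closing `*/` as shown here; if that is not a rendering artifact it comments out the declaration and should be restored to `/* check whether given key is in .ssh/authorized_keys* */`.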
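diff -up openssh-5.5p1/config.h.in.pka openssh-5.5p1/config.h.in
--- openssh-5.5p1/config.h.in.pka	2010-04-16 02:17:09.000000000 +0200
+++ openssh-5.5p1/config.h.in	2010-05-06 10:51:21.000000000 +0200
@@ -1,5 +1,8 @@
 /* config.h.in.  Generated from configure.ac by autoheader.  */
 
+/* Define if building universal (internal helper macro) */
+#undef AC_APPLE_UNIVERSAL_BUILD
+
 /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
    */
 #undef AIX_GETNAMEINFO_HACK
@@ -536,6 +539,57 @@
 /* Define to 1 if you have the <lastlog.h> header file. */
 #undef HAVE_LASTLOG_H
 
+/* Define to 1 if you have the <lber.h> header file. */
+#undef HAVE_LBER_H
+
+/* Define to 1 if you have the `ldapssl_init' function. */
+#undef HAVE_LDAPSSL_INIT
+
+/* Define to 1 if you have the `ldap_controls_free' function. */
+#undef HAVE_LDAP_CONTROLS_FREE
+
+/* Define to 1 if you have the `ldap_get_lderrno' function. */
+#undef HAVE_LDAP_GET_LDERRNO
+
+/* Define to 1 if you have the `ldap_get_option' function. */
+#undef HAVE_LDAP_GET_OPTION
+
+/* Define to 1 if you have the <ldap.h> header file. */
+#undef HAVE_LDAP_H
+
+/* Define to 1 if you have the `ldap_init' function. */
+#undef HAVE_LDAP_INIT
+
+/* Define to 1 if you have the `ldap_initialize' function. */
+#undef HAVE_LDAP_INITIALIZE
+
+/* Define to 1 if you have the `ldap_memfree' function. */
+#undef HAVE_LDAP_MEMFREE
+
+/* Define to 1 if you have the `ldap_parse_result' function. */
+#undef HAVE_LDAP_PARSE_RESULT
+
+/* Define to 1 if you have the `ldap_pvt_tls_set_option' function. */
+#undef HAVE_LDAP_PVT_TLS_SET_OPTION
+
+/* Define to 1 if you have the `ldap_set_lderrno' function. */
+#undef HAVE_LDAP_SET_LDERRNO
+
+/* Define to 1 if you have the `ldap_set_option' function. */
+#undef HAVE_LDAP_SET_OPTION
+
+/* Define to 1 if you have the `ldap_set_rebind_proc' function. */
+#undef HAVE_LDAP_SET_REBIND_PROC
+
+/* Define to 1 if you have the <ldap_ssl.h> header file. */
+#undef HAVE_LDAP_SSL_H
+
+/* Define to 1 if you have the `ldap_start_tls_s' function. */
+#undef HAVE_LDAP_START_TLS_S
+
+/* Define to 1 if you have the <libaudit.h> header file. */
+#undef HAVE_LIBAUDIT_H
+
 /* Define to 1 if you have the `bsm' library (-lbsm). */
 #undef HAVE_LIBBSM
 
@@ -575,6 +629,9 @@
 /* Define to 1 if you have the <limits.h> header file. */
 #undef HAVE_LIMITS_H
 
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
 /* Define to 1 if you have the <linux/if_tun.h> header file. */
 #undef HAVE_LINUX_IF_TUN_H
 
@@ -771,6 +828,9 @@
 /* Define to 1 if you have the `setgroups' function. */
 #undef HAVE_SETGROUPS
 
+/* Define to 1 if you have the `setkeycreatecon' function. */
+#undef HAVE_SETKEYCREATECON
+
 /* Define to 1 if you have the `setlogin' function. */
 #undef HAVE_SETLOGIN
 
@@ -921,13 +981,13 @@
 /* define if you have struct sockaddr_in6 data type */
 #undef HAVE_STRUCT_SOCKADDR_IN6
 
-/* Define to 1 if `sin6_scope_id' is member of `struct sockaddr_in6'. */
+/* Define to 1 if `sin6_scope_id' is a member of `struct sockaddr_in6'. */
 #undef HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID
 
 /* define if you have struct sockaddr_storage data type */
 #undef HAVE_STRUCT_SOCKADDR_STORAGE
 
-/* Define to 1 if `st_blksize' is member of `struct stat'. */
+/* Define to 1 if `st_blksize' is a member of `struct stat'. */
 #undef HAVE_STRUCT_STAT_ST_BLKSIZE
 
 /* Define to 1 if the system has the type `struct timespec'. */
@@ -1191,6 +1251,9 @@
 /* Define if pututxline updates lastlog too */
 #undef LASTLOG_WRITE_PUTUTXLINE
 
+/* number arguments of ldap_set_rebind_proc */
+#undef LDAP_SET_REBIND_PROC_ARGS
+
 /* Define if you want TCP Wrappers support */
 #undef LIBWRAP
 
@@ -1274,6 +1337,9 @@
 /* Define to the one symbol short name of this package. */
 #undef PACKAGE_TARNAME
 
+/* Define to the home page for this package. */
+#undef PACKAGE_URL
+
 /* Define to the version of this package. */
 #undef PACKAGE_VERSION
 
@@ -1360,6 +1426,10 @@
 /* Prepend the address family to IP tunnel traffic */
 #undef SSH_TUN_PREPEND_AF
 
+/* Define to your vendor patch level, if it has been modified from the
+   upstream source release. */
+#undef SSH_VENDOR_PATCHLEVEL
+
 /* Define to 1 if you have the ANSI C header files. */
 #undef STDC_HEADERS
 
@@ -1418,12 +1488,26 @@
 /* Define if you want IRIX project management */
 #undef WITH_IRIX_PROJECT
 
+/* Enable LDAP pubkey support */
+#undef WITH_LDAP_PUBKEY
+
+/* Enable pubkey agent support */
+#undef WITH_PUBKEY_AGENT
+
 /* Define if you want SELinux support. */
 #undef WITH_SELINUX
 
-/* Define to 1 if your processor stores words with the most significant byte
-   first (like Motorola and SPARC, unlike Intel and VAX). */
-#undef WORDS_BIGENDIAN
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+   significant byte first (like Motorola and SPARC, unlike Intel). */
+#if defined AC_APPLE_UNIVERSAL_BUILD
+# if defined __BIG_ENDIAN__
+#  define WORDS_BIGENDIAN 1
+# endif
+#else
+# ifndef WORDS_BIGENDIAN
+#  undef WORDS_BIGENDIAN
+# endif
+#endif
 
 /* Define if xauth is found in your path */
 #undef XAUTH_PATH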
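diff -up openssh-5.5p1/configure.ac.pka openssh-5.5p1/configure.ac
--- openssh-5.5p1/configure.ac.pka	2010-05-06 10:50:49.000000000 +0200
+++ openssh-5.5p1/configure.ac	2010-05-06 10:50:49.000000000 +0200
@@ -1346,6 +1346,118 @@ AC_ARG_WITH(audit,
 	esac ]
 )
 
+# Check whether user wants pubkey agent support
+PKA_MSG="no"
+AC_ARG_WITH(pka,
+	[  --with-pka      Enable pubkey agent support],
+	[
+		if test "x$withval" != "xno" ; then
+			AC_DEFINE([WITH_PUBKEY_AGENT], 1, [Enable pubkey agent support])
+			PKA_MSG="yes"
+		fi
+	]
+)
+
+# Check whether user wants LDAP support
+LDAP_MSG="no"
+INSTALL_SSH_LDAP_HELPER=""
+AC_ARG_WITH(ldap,
+	[  --with-ldap[[=PATH]]      Enable LDAP pubkey support (optionally in PATH)],
+	[
+		if test "x$withval" != "xno" ; then
+
+			INSTALL_SSH_LDAP_HELPER="yes"
+			CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
+
+			if test "x$withval" != "xyes" ; then
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
+			fi
+
+			AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
+			LDAP_MSG="yes"
+
+			AC_CHECK_HEADERS(lber.h)
+			AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
+			AC_CHECK_HEADERS(ldap_ssl.h)
+
+			AC_ARG_WITH(ldap-lib,
+				[  --with-ldap-lib=type    select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
+
+			if test -z "$with_ldap_lib"; then
+				with_ldap_lib=auto
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
+				AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
+				AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
+				AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
+				AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
+				fi
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
+				fi
+				if test -z "$found_ldap_lib"; then
+					AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
+				fi
+			fi
+
+			if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
+				AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
+			fi
+
+			if test -z "$found_ldap_lib"; then
+				AC_MSG_ERROR(could not locate a valid LDAP library)
+			fi
+
+			AC_MSG_CHECKING([for working LDAP support])
+			AC_TRY_COMPILE(
+				[#include <sys/types.h>
+				 #include <ldap.h>],
+				[(void)ldap_init(0, 0);],
+				[AC_MSG_RESULT(yes)],
+				[
+				    AC_MSG_RESULT(no) 
+					AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
+				])
+			AC_CHECK_FUNCS( \
+				ldap_init \
+				ldap_get_lderrno \
+				ldap_set_lderrno \
+				ldap_parse_result \
+				ldap_memfree \
+				ldap_controls_free \
+				ldap_set_option \
+				ldap_get_option \
+				ldapssl_init \
+				ldap_start_tls_s \
+				ldap_pvt_tls_set_option \
+				ldap_initialize \
+			)
+			AC_CHECK_FUNCS(ldap_set_rebind_proc,
+				AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
+				AC_TRY_COMPILE(
+					[#include <lber.h>
+					#include <ldap.h>],
+					[ldap_set_rebind_proc(0, 0, 0);],
+					[ac_cv_ldap_set_rebind_proc=3],
+					[ac_cv_ldap_set_rebind_proc=2])
+				AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
+				AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
+			)
+		fi
+	]
+)
+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
+
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
@@ -4202,6 +4314,8 @@ echo "               Linux audit support
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
+echo "                       PKA support: $PKA_MSG"
+echo "                      LDAP support: $LDAP_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"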
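Review bot: The "for working LDAP support" probe in the --with-ldap block uses `AC_TRY_COMPILE`, so it only confirms that `<ldap.h>` declares ldap_init and never links against the library chosen by the preceding AC_CHECK_LIB calls; switching that probe to `AC_TRY_LINK` with the same program would make a mismatched or unusable `-lldap` variant fail at configure time rather than at the final link. Those AC_CHECK_LIB calls also test for `main`, which proves only that the library can be linked, not that it provides LDAP symbols, so checking an actual entry point (`ldap_init` for ldap, `ber_free` for lber) would give the "could not locate a valid LDAP library" error real meaning. The nested `AC_ARG_WITH(ldap-lib, ...)` inside the --with-ldap action means the option is only parsed when --with-ldap is given, which is easy to miss; hoisting it to top level next to the other AC_ARG_WITH calls, and writing both help strings with `AS_HELP_STRING`, would keep --help output aligned with the rest of the script.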
diff -up openssh-5.5p1/ldapbody.c.pka openssh-5.5p1/ldapbody.c
--- openssh-5.5p1/ldapbody.c.pka	2010-05-06 10:50:49.000000000 +0200
+++ openssh-5.5p1/ldapbody.c	2010-05-06 10:50:49.000000000 +0200
@@ -0,0 +1,494 @@
Jan F. Chadima 7e7fb4
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+ * are met:
Jan F. Chadima 7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#include "ldapincludes.h"
Jan F. Chadima 7e7fb4
+#include "log.h"
Jan F. Chadima 7e7fb4
+#include "xmalloc.h"
Jan F. Chadima 7e7fb4
+#include "ldapconf.h"
Jan F. Chadima 7e7fb4
+#include "ldapmisc.h"
Jan F. Chadima 7e7fb4
+#include "ldapbody.h"
Jan F. Chadima 7e7fb4
+#include <stdio.h>
Jan F. Chadima 7e7fb4
+#include <unistd.h>
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
Jan F. Chadima 7e7fb4
+#define PUBKEYATTR "sshPublicKey"
Jan F. Chadima 7e7fb4
+#define LDAP_LOGFILE	"%s/ldap.%d"
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static FILE *logfile = NULL;
Jan F. Chadima 7e7fb4
+static LDAP *ld;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static char *attrs[] = {
Jan F. Chadima 7e7fb4
+    PUBKEYATTR,
Jan F. Chadima 7e7fb4
+    NULL
Jan F. Chadima 7e7fb4
+};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+ldap_checkconfig (void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_INITIALIZE
Jan F. Chadima 7e7fb4
+		if (options.host == NULL && options.uri == NULL)
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		if (options.host == NULL)
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+		    fatal ("missing  \"host\" in config file");
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
Jan F. Chadima 7e7fb4
+static int
Jan F. Chadima 7e7fb4
+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	struct timeval timeout;
Jan F. Chadima 7e7fb4
+	int rc;
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Jan F. Chadima 7e7fb4
+	LDAPMessage *result;
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug2 ("Doing LDAP rebind to %s", options.binddn);
Jan F. Chadima 7e7fb4
+	if (options.ssl == SSL_START_TLS) {
Jan F. Chadima 7e7fb4
+		if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
Jan F. Chadima 7e7fb4
+			error ("ldap_starttls_s: %s", ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+			return LDAP_OPERATIONS_ERROR;
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
Jan F. Chadima 7e7fb4
+	return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+	if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
Jan F. Chadima 7e7fb4
+	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	timeout.tv_sec = options.bind_timelimit;
Jan F. Chadima 7e7fb4
+	timeout.tv_usec = 0;
Jan F. Chadima 7e7fb4
+	result = NULL;
Jan F. Chadima 7e7fb4
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
Jan F. Chadima 7e7fb4
+		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
Jan F. Chadima 7e7fb4
+		ldap_msgfree (result);
Jan F. Chadima 7e7fb4
+		return LDAP_OPERATIONS_ERROR;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	debug3 ("LDAP rebind to %s succesfull", options.binddn);
Jan F. Chadima 7e7fb4
+	return rc;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static int
Jan F. Chadima 7e7fb4
+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	if (freeit)
Jan F. Chadima 7e7fb4
+	    return LDAP_SUCCESS;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	*whop = strdup (options.binddn);
Jan F. Chadima 7e7fb4
+	*credp = strdup (options.bindpw);
Jan F. Chadima 7e7fb4
+	*methodp = LDAP_AUTH_SIMPLE;
Jan F. Chadima 7e7fb4
+	debug2 ("Doing LDAP rebind for %s", *whop);
Jan F. Chadima 7e7fb4
+	return LDAP_SUCCESS;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+ldap_do_connect(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	int rc, msgid, ld_errno = 0;
Jan F. Chadima 7e7fb4
+	struct timeval timeout;
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Jan F. Chadima 7e7fb4
+	int parserc;
Jan F. Chadima 7e7fb4
+	LDAPMessage *result;
Jan F. Chadima 7e7fb4
+	LDAPControl **controls;
Jan F. Chadima 7e7fb4
+	int reconnect = 0;
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug ("LDAP do connect");
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+retry:
Jan F. Chadima 7e7fb4
+	if (reconnect) {
Jan F. Chadima 7e7fb4
+		debug3 ("Reconnecting with ld_errno %d", ld_errno);
Jan F. Chadima 7e7fb4
+		if (options.bind_policy == 0 ||
Jan F. Chadima 7e7fb4
+		    (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
Jan F. Chadima 7e7fb4
+			reconnect > 5)
Jan F. Chadima 7e7fb4
+			    fatal ("Cannot connect to LDAP server");
Jan F. Chadima 7e7fb4
+	
Jan F. Chadima 7e7fb4
+		if (reconnect > 1)
Jan F. Chadima 7e7fb4
+			sleep (reconnect - 1);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		if (ld != NULL) {
Jan F. Chadima 7e7fb4
+			ldap_unbind (ld);
Jan F. Chadima 7e7fb4
+			ld = NULL;
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+		logit("reconnecting to LDAP server...");
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (ld == NULL) {
Jan F. Chadima 7e7fb4
+		int rc;
Jan F. Chadima 7e7fb4
+		struct timeval tv;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_SET_OPTION
Jan F. Chadima 7e7fb4
+		if (options.debug > 0) {
Jan F. Chadima 7e7fb4
+#ifdef LBER_OPT_LOG_PRINT_FILE
Jan F. Chadima 7e7fb4
+			if (options.logdir) {
Jan F. Chadima 7e7fb4
+				char *logfilename;
Jan F. Chadima 7e7fb4
+				int logfilenamelen;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+				logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
Jan F. Chadima 7e7fb4
+				logfilename = xmalloc (logfilenamelen);
Jan F. Chadima 7e7fb4
+				snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
Jan F. Chadima 7e7fb4
+				logfilename[logfilenamelen - 1] = 0;
Jan F. Chadima 7e7fb4
+				if ((logfile = fopen (logfilename, "a")) == NULL)
Jan F. Chadima 7e7fb4
+				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
Jan F. Chadima 7e7fb4
+				debug3 ("LDAP debug into %s", logfilename);
Jan F. Chadima 7e7fb4
+				xfree (logfilename);
Jan F. Chadima 7e7fb4
+				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+			if (options.debug) {
Jan F. Chadima 7e7fb4
+#ifdef LBER_OPT_DEBUG_LEVEL
Jan F. Chadima 7e7fb4
+				ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
Jan F. Chadima 7e7fb4
+#endif /* LBER_OPT_DEBUG_LEVEL */
Jan F. Chadima 7e7fb4
+#ifdef LDAP_OPT_DEBUG_LEVEL
Jan F. Chadima 7e7fb4
+				ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
Jan F. Chadima 7e7fb4
+#endif /* LDAP_OPT_DEBUG_LEVEL */
Jan F. Chadima 7e7fb4
+				debug3 ("Set LDAP debug to %d", options.debug);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAP_SET_OPTION */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		ld = NULL;
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAPSSL_INIT
Jan F. Chadima 7e7fb4
+		if (options.host != NULL) {
Jan F. Chadima 7e7fb4
+			if (options.ssl_on == SSL_LDAPS) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+				    fatal ("ldapssl_client_init %s", ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("LDAPssl client init");
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			if (options.ssl_on != SSL_OFF) {
Jan F. Chadima 7e7fb4
+				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
Jan F. Chadima 7e7fb4
+				    fatal ("ldapssl_init failed");
Jan F. Chadima 7e7fb4
+				debug3 ("LDAPssl init");
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAPSSL_INIT */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		/* continue with opening */
Jan F. Chadima 7e7fb4
+		if (ld == NULL) {
Jan F. Chadima 7e7fb4
+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
Jan F. Chadima 7e7fb4
+			/* Some global TLS-specific options need to be set before we create our
Jan F. Chadima 7e7fb4
+			 * session context, so we set them here. */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
Jan F. Chadima 7e7fb4
+			/* rand file */
Jan F. Chadima 7e7fb4
+			if (options.tls_randfile != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
Jan F. Chadima 7e7fb4
+				    options.tls_randfile)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
Jan F. Chadima 7e7fb4
+					    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("Set TLS random file %s", options.tls_randfile);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* ca cert file */
Jan F. Chadima 7e7fb4
+			if (options.tls_cacertfile != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
Jan F. Chadima 7e7fb4
+				    options.tls_cacertfile)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
Jan F. Chadima 7e7fb4
+					    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* ca cert directory */
Jan F. Chadima 7e7fb4
+			if (options.tls_cacertdir != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
Jan F. Chadima 7e7fb4
+				    options.tls_cacertdir)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
Jan F. Chadima 7e7fb4
+					    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* require cert? */
Jan F. Chadima 7e7fb4
+			if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
Jan F. Chadima 7e7fb4
+			    &options.tls_checkpeer)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
Jan F. Chadima 7e7fb4
+				    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+			debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* set cipher suite, certificate and private key: */
Jan F. Chadima 7e7fb4
+			if (options.tls_ciphers != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
Jan F. Chadima 7e7fb4
+				    options.tls_ciphers)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
Jan F. Chadima 7e7fb4
+					    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* cert file */
Jan F. Chadima 7e7fb4
+			if (options.tls_cert != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
Jan F. Chadima 7e7fb4
+				    options.tls_cert)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
Jan F. Chadima 7e7fb4
+					    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("Set TLS cert file %s ", options.tls_cert);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* key file */
Jan F. Chadima 7e7fb4
+			if (options.tls_key != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
Jan F. Chadima 7e7fb4
+				    options.tls_key)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
Jan F. Chadima 7e7fb4
+					    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("Set TLS key file %s ", options.tls_key);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_INITIALIZE
Jan F. Chadima 7e7fb4
+			if (options.uri != NULL) {
Jan F. Chadima 7e7fb4
+				if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+					fatal ("ldap_initialize %s", ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+				debug3 ("LDAP initialize %s", options.uri);
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAP_INTITIALIZE */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		/* continue with opening */
Jan F. Chadima 7e7fb4
+		if ((ld == NULL) && (options.host != NULL)) {
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_INIT
Jan F. Chadima 7e7fb4
+			if ((ld = ldap_init (options.host, options.port)) == NULL)
Jan F. Chadima 7e7fb4
+			    fatal ("ldap_init failed");
Jan F. Chadima 7e7fb4
+			debug3 ("LDAP init %s:%d", options.host, options.port);
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+			if ((ld = ldap_open (options.host, options.port)) == NULL)
Jan F. Chadima 7e7fb4
+			    fatal ("ldap_open failed");
Jan F. Chadima 7e7fb4
+			debug3 ("LDAP open %s:%d", options.host, options.port);
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAP_INIT */
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		if (ld == NULL)
Jan F. Chadima 7e7fb4
+			fatal ("no way to open ldap");
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
Jan F. Chadima 7e7fb4
+		if (options.ssl == SSL_LDAPS) {
Jan F. Chadima 7e7fb4
+			if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+				fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+			debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+#endif /* LDAP_OPT_X_TLS */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
Jan F. Chadima 7e7fb4
+		    &options.ldap_version);
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		ld->ld_version = options.ldap_version;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set version to %d", options.ldap_version);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if LDAP_SET_REBIND_PROC_ARGS == 3
Jan F. Chadima 7e7fb4
+		ldap_set_rebind_proc (ld, _rebind_proc, NULL);
Jan F. Chadima 7e7fb4
+#elif LDAP_SET_REBIND_PROC_ARGS == 2
Jan F. Chadima 7e7fb4
+		ldap_set_rebind_proc (ld, _rebind_proc);
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+#warning unknown LDAP_SET_REBIND_PROC_ARGS
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set rebind proc");
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		ld->ld_deref = options.deref;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set deref to %d", options.deref);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
Jan F. Chadima 7e7fb4
+		    &options.timelimit);
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		ld->ld_timelimit = options.timelimit;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set timelimit to %d", options.timelimit);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
Jan F. Chadima 7e7fb4
+		/*
Jan F. Chadima 7e7fb4
+		 * This is a new option in the Netscape SDK which sets 
Jan F. Chadima 7e7fb4
+		 * the TCP connect timeout. For want of a better value,
Jan F. Chadima 7e7fb4
+		 * we use the bind_timelimit to control this.
Jan F. Chadima 7e7fb4
+		 */
Jan F. Chadima 7e7fb4
+		timeout = options.bind_timelimit * 1000;
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set opt connect timeout to %d", timeout);
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
Jan F. Chadima 7e7fb4
+		tv.tv_sec = options.bind_timelimit;
Jan F. Chadima 7e7fb4
+		tv.tv_usec = 0;
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
Jan F. Chadima 7e7fb4
+		    options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set referrals to %d", options.referrals);
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
Jan F. Chadima 7e7fb4
+		(void) ldap_set_option (ld, LDAP_OPT_RESTART,
Jan F. Chadima 7e7fb4
+		    options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
Jan F. Chadima 7e7fb4
+		debug3 ("LDAP set restart to %d", options.restart);
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_START_TLS_S
Jan F. Chadima 7e7fb4
+		if (options.ssl == SSL_START_TLS) {
Jan F. Chadima 7e7fb4
+			int version;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
Jan F. Chadima 7e7fb4
+			    == LDAP_SUCCESS) {
Jan F. Chadima 7e7fb4
+				if (version < LDAP_VERSION3) {
Jan F. Chadima 7e7fb4
+					version = LDAP_VERSION3;
Jan F. Chadima 7e7fb4
+					(void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
Jan F. Chadima 7e7fb4
+					    &version);
Jan F. Chadima 7e7fb4
+					debug3 ("LDAP set version to %d", version);
Jan F. Chadima 7e7fb4
+				}
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+			    fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+			debug3 ("LDAP start TLS");
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+#endif /* HAVE_LDAP_START_TLS_S */
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if ((msgid = ldap_simple_bind (ld, options.binddn,
Jan F. Chadima 7e7fb4
+	    options.bindpw)) == -1) {
Jan F. Chadima 7e7fb4
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
Jan F. Chadima 7e7fb4
+		reconnect++;
Jan F. Chadima 7e7fb4
+		goto retry;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	debug3 ("LDAP simple bind (%s)", options.binddn);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	timeout.tv_sec = options.bind_timelimit;
Jan F. Chadima 7e7fb4
+	timeout.tv_usec = 0;
Jan F. Chadima 7e7fb4
+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
Jan F. Chadima 7e7fb4
+		ld_errno = ldap_get_lderrno (ld, 0, 0);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		error ("ldap_result %s", ldap_err2string (ld_errno));
Jan F. Chadima 7e7fb4
+		reconnect++;
Jan F. Chadima 7e7fb4
+		goto retry;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	debug3 ("LDAP result in time");
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
Jan F. Chadima 7e7fb4
+	controls = NULL;
Jan F. Chadima 7e7fb4
+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
Jan F. Chadima 7e7fb4
+	debug3 ("LDAP parse result OK");
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (controls != NULL) {
Jan F. Chadima 7e7fb4
+		ldap_controls_free (controls);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+	rc = ldap_result2error (session->ld, result, TRUE);
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+	if (rc != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+	    fatal ("error trying to bind as user \"%s\" (%s)",
Jan F. Chadima 7e7fb4
+		options.binddn, ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug2 ("LDAP do connect OK");
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+process_user (const char *user, FILE *output)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	LDAPMessage *res, *e;
Jan F. Chadima 7e7fb4
+	char *buffer;
Jan F. Chadima 7e7fb4
+	int bufflen, rc, i;
Jan F. Chadima 7e7fb4
+	struct timeval timeout;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug ("LDAP process user");
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* quick check for attempts to be evil */
Jan F. Chadima 7e7fb4
+	if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
Jan F. Chadima 7e7fb4
+	    (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
Jan F. Chadima 7e7fb4
+		logit ("illegal user name %s not processed", user);
Jan F. Chadima 7e7fb4
+		return;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* build  filter for LDAP request */
Jan F. Chadima 7e7fb4
+	bufflen = strlen (LDAPSEARCH_FORMAT) + strlen (user);
Jan F. Chadima 7e7fb4
+	if (options.ssh_filter != NULL)
Jan F. Chadima 7e7fb4
+	    bufflen += strlen (options.ssh_filter);
Jan F. Chadima 7e7fb4
+	buffer = xmalloc (bufflen);
Jan F. Chadima 7e7fb4
+	snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
Jan F. Chadima 7e7fb4
+	buffer[bufflen - 1] = 0;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	timeout.tv_sec = options.timelimit;
Jan F. Chadima 7e7fb4
+	timeout.tv_usec = 0;
Jan F. Chadima 7e7fb4
+	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
Jan F. Chadima 7e7fb4
+		error ("ldap_search_st(): %s", ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+		xfree (buffer);
Jan F. Chadima 7e7fb4
+		return;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* free */
Jan F. Chadima 7e7fb4
+	xfree (buffer);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
Jan F. Chadima 7e7fb4
+		int num;
Jan F. Chadima 7e7fb4
+		struct berval **keys;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		keys = ldap_get_values_len(ld, e, PUBKEYATTR);
Jan F. Chadima 7e7fb4
+		num = ldap_count_values_len(keys);
Jan F. Chadima 7e7fb4
+		for (i = 0 ; i < num ; i++) {
Jan F. Chadima 7e7fb4
+			char *cp; //, *options = NULL;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
Jan F. Chadima 7e7fb4
+			if (!*cp || *cp == '\n' || *cp == '#')
Jan F. Chadima 7e7fb4
+			    continue;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			/* We have found the desired key. */
Jan F. Chadima 7e7fb4
+			fprintf (output, "%s\n", keys[i]->bv_val);
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		ldap_value_free_len(keys);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	ldap_msgfree(res);
Jan F. Chadima 7e7fb4
+	debug2 ("LDAP process user finished");
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+ldap_do_close(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	int rc;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug ("LDAP do close");
Jan F. Chadima 7e7fb4
+	if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+	    fatal ("ldap_unbind_ext: %s",
Jan F. Chadima 7e7fb4
+                                    ldap_err2string (rc));
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	ld = NULL;
Jan F. Chadima 7e7fb4
+	debug2 ("LDAP do close OK");
Jan F. Chadima 7e7fb4
+	return;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
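Review bot: In the OpenLDAP-API `_rebind_proc` (the `#else` arm of the HAVE_LDAP_PARSE_RESULT block), the message id returned by `ldap_simple_bind (ld, options.binddn, options.bindpw)` is discarded and `ldap_result` is then waited on with the callback's `msgid` parameter — the id of the operation that triggered the referral, not the new bind — and the function returns `rc`, which is the message type from `ldap_result`, not an LDAP result code, so libldap cannot tell whether the rebind actually succeeded. Collect the bind's own msgid, parse its result into an LDAP error code with `ldap_parse_result` (available in this arm), and return that code, as sketched below. Because this callback re-sends `options.bindpw` to whatever server a referral names, it is only safe when `options.referrals` is off or the referred-to servers are trusted and `tls_checkpeer` is enforced; I cannot see the defaults from this hunk, so a comment at `ldap_set_rebind_proc` stating that assumption would help. Separately, `(void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv;;` as printed does not parse and presumably should read `&tv);`, and `ldap_result2error (session->ld, ...)` in the non-OpenLDAP arm of `ldap_do_connect` references an undeclared `session`.
```c
	int bind_msgid, bind_rc;
	/* … unchanged: StartTLS handling … */
	if ((bind_msgid = ldap_simple_bind (ld, options.binddn, options.bindpw)) < 0)
	    fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));

	timeout.tv_sec = options.bind_timelimit;
	timeout.tv_usec = 0;
	result = NULL;
	/* wait for the bind we just issued, not for the referred operation */
	if ((rc = ldap_result (ld, bind_msgid, FALSE, &timeout, &result)) < 1) {
		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
		ldap_msgfree (result);
		return LDAP_OPERATIONS_ERROR;
	}
	/* ldap_result() yields a message type; extract the bind's result code */
	if ((rc = ldap_parse_result (ld, result, &bind_rc, NULL, NULL, NULL, NULL, TRUE)) != LDAP_SUCCESS) {
		error ("ldap_parse_result %s", ldap_err2string (rc));
		return LDAP_OPERATIONS_ERROR;
	}
	debug3 ("LDAP rebind to %s: %s", options.binddn, ldap_err2string (bind_rc));
	return bind_rc;
```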
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/ldapbody.h.pka openssh-5.5p1/ldapbody.h
Jan F. Chadima b6bdf1
--- openssh-5.5p1/ldapbody.h.pka	2010-05-06 10:50:49.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/ldapbody.h	2010-05-06 10:50:49.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,37 @@
Jan F. Chadima 7e7fb4
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+ * are met:
Jan F. Chadima 7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifndef LDAPBODY_H
Jan F. Chadima 7e7fb4
+#define LDAPBODY_H
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#include <stdio.h>
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void ldap_checkconfig(void);
Jan F. Chadima 7e7fb4
+void ldap_do_connect(void);
Jan F. Chadima 7e7fb4
+void process_user(const char *, FILE *);
Jan F. Chadima 7e7fb4
+void ldap_do_close(void);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#endif /* LDAPBODY_H */
Jan F. Chadima 7e7fb4
+
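Review bot: The four prototypes in ldapbody.h carry no documentation, yet they share hidden state and an ordering contract that callers must respect: `process_user` searches through the file-scope `ld` handle that only `ldap_do_connect` establishes, and `ldap_do_close` resets it to NULL. A short comment per declaration would make that explicit, e.g. `/* Connect and bind to the configured LDAP server; fatal() on failure. Must precede process_user(). */` above `ldap_do_connect`, and `/* Write every sshPublicKey value for the given uid to output, one per line; user names containing ( ) * or \ are logged and silently skipped. */` above `process_user`. That silent-skip behaviour is visible in the ldapbody.c hunk and is worth stating at the interface, since the caller sees no error for a rejected name.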
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/ldapconf.c.pka openssh-5.5p1/ldapconf.c
Jan F. Chadima b6bdf1
--- openssh-5.5p1/ldapconf.c.pka	2010-05-06 10:50:49.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/ldapconf.c	2010-05-06 10:48:32.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,665 @@
Jan F. Chadima 7e7fb4
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+ * are met:
Jan F. Chadima 7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#include "ldapincludes.h"
Jan F. Chadima 7e7fb4
+#include "ldap-helper.h"
Jan F. Chadima 7e7fb4
+#include "log.h"
Jan F. Chadima 7e7fb4
+#include "misc.h"
Jan F. Chadima 7e7fb4
+#include "xmalloc.h"
Jan F. Chadima 7e7fb4
+#include "ldapconf.h"
Jan F. Chadima 7e7fb4
+#include <unistd.h>
Jan F. Chadima 7e7fb4
+#include <string.h>
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/* Keyword tokens. */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+typedef enum {
Jan F. Chadima 7e7fb4
+	lBadOption,
Jan F. Chadima 7e7fb4
+	lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
Jan F. Chadima 7e7fb4
+	lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
Jan F. Chadima 7e7fb4
+	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
Jan F. Chadima 7e7fb4
+	lRestart, lTLS_CheckPeer, lTLS_Certificate, lTLS_CaCertFile,
Jan F. Chadima 7e7fb4
+	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
Jan F. Chadima 7e7fb4
+	lTLS_RandFile, lLogdir, lDebug, lSSH_Filter,
Jan F. Chadima 7e7fb4
+	lDeprecated, lUnsupported
Jan F. Chadima 7e7fb4
+} OpCodes;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/* Textual representations of the tokens. */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct {
Jan F. Chadima 7e7fb4
+	const char *name;
Jan F. Chadima 7e7fb4
+	OpCodes opcode;
Jan F. Chadima 7e7fb4
+} keywords[] = {
Jan F. Chadima 7e7fb4
+	{ "Host", lHost },
Jan F. Chadima 7e7fb4
+	{ "URI", lURI },
Jan F. Chadima 7e7fb4
+	{ "Base", lBase },
Jan F. Chadima 7e7fb4
+	{ "BindDN", lBindDN },
Jan F. Chadima 7e7fb4
+	{ "BindPW", lBindPW },
Jan F. Chadima 7e7fb4
+	{ "RootBindDN", lRootBindDN },
Jan F. Chadima 7e7fb4
+	{ "Scope", lScope },
Jan F. Chadima 7e7fb4
+	{ "Deref", lDeref },
Jan F. Chadima 7e7fb4
+	{ "Port", lPort },
Jan F. Chadima 7e7fb4
+	{ "Timelimit", lTimeLimit },
Jan F. Chadima 7e7fb4
+	{ "Bind_Timelimit", lBind_TimeLimit },
Jan F. Chadima 7e7fb4
+	{ "Ldap_Version", lLdap_Version },
Jan F. Chadima 7e7fb4
+	{ "Bind_Policy", lBind_Policy },
Jan F. Chadima 7e7fb4
+	{ "SSLPath", lSSLPath },
Jan F. Chadima 7e7fb4
+	{ "SSL", lSSL },
Jan F. Chadima 7e7fb4
+	{ "Referrals", lReferrals },
Jan F. Chadima 7e7fb4
+	{ "Restart", lRestart },
Jan F. Chadima 7e7fb4
+	{ "TLS_CheckPeer", lTLS_CheckPeer },
Jan F. Chadima 7e7fb4
+	{ "TLS_Certificate", lTLS_Certificate },
Jan F. Chadima 7e7fb4
+	{ "TLS_CaCertFile", lTLS_CaCertFile },
Jan F. Chadima 7e7fb4
+	{ "TLS_CaCertDir", lTLS_CaCertDir },
Jan F. Chadima 7e7fb4
+	{ "TLS_Ciphers", lTLS_Ciphers },
Jan F. Chadima 7e7fb4
+	{ "TLS_Cert", lTLS_Cert },
Jan F. Chadima 7e7fb4
+	{ "TLS_Key", lTLS_Key },
Jan F. Chadima 7e7fb4
+	{ "TLS_RandFile", lTLS_RandFile },
Jan F. Chadima 7e7fb4
+	{ "Logdir", lLogdir },
Jan F. Chadima 7e7fb4
+	{ "Debug", lDebug },
Jan F. Chadima 7e7fb4
+	{ "SSH_Filter", lSSH_Filter },
Jan F. Chadima 7e7fb4
+	{ NULL, lBadOption }
Jan F. Chadima 7e7fb4
+};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/* Configuration ptions. */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Options options;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Returns the number of the token pointed to by cp or oBadOption.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static OpCodes
Jan F. Chadima 7e7fb4
+parse_token(const char *cp, const char *filename, int linenum)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	u_int i;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	for (i = 0; keywords[i].name; i++)
Jan F. Chadima 7e7fb4
+		if (strcasecmp(cp, keywords[i].name) == 0)
Jan F. Chadima 7e7fb4
+			return keywords[i].opcode;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (config_warning_config_file) 
Jan F. Chadima 7e7fb4
+	    logit("%s: line %d: Bad configuration option: %s",
Jan F. Chadima 7e7fb4
+		filename, linenum, cp);
Jan F. Chadima 7e7fb4
+	return lBadOption;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Processes a single option line as used in the configuration files. This
Jan F. Chadima 7e7fb4
+ * only sets those values that have not already been set.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+#define WHITESPACE " \t\r\n"
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static int
Jan F. Chadima 7e7fb4
+process_config_line(char *line, const char *filename, int linenum)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
Jan F. Chadima 7e7fb4
+	char *rootbinddn = NULL;
Jan F. Chadima 7e7fb4
+	int opcode, *intptr, value;
Jan F. Chadima 7e7fb4
+	size_t len;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* Strip trailing whitespace */
Jan F. Chadima 7e7fb4
+	for (len = strlen(line) - 1; len > 0; len--) {
Jan F. Chadima 7e7fb4
+		if (strchr(WHITESPACE, line[len]) == NULL)
Jan F. Chadima 7e7fb4
+			break;
Jan F. Chadima 7e7fb4
+		line[len] = '\0';
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	s = line;
Jan F. Chadima 7e7fb4
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
Jan F. Chadima 7e7fb4
+	if ((keyword = strdelim(&s)) == NULL)
Jan F. Chadima 7e7fb4
+		return 0;
Jan F. Chadima 7e7fb4
+	/* Ignore leading whitespace. */
Jan F. Chadima 7e7fb4
+	if (*keyword == '\0')
Jan F. Chadima 7e7fb4
+		keyword = strdelim(&s);
Jan F. Chadima 7e7fb4
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
Jan F. Chadima 7e7fb4
+		return 0;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	opcode = parse_token(keyword, filename, linenum);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	switch (opcode) {
Jan F. Chadima 7e7fb4
+	case lBadOption:
Jan F. Chadima 7e7fb4
+		/* don't panic, but count bad options */
Jan F. Chadima 7e7fb4
+		return -1;
Jan F. Chadima 7e7fb4
+		/* NOTREACHED */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lHost:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.host;
Jan F. Chadima 7e7fb4
+parse_xstring:
Jan F. Chadima 7e7fb4
+		if (!s || *s == '\0')
Jan F. Chadima 7e7fb4
+		    fatal("%s line %d: missing dn",filename,linenum);
Jan F. Chadima 7e7fb4
+		if (*xstringptr == NULL)
Jan F. Chadima 7e7fb4
+		    *xstringptr = xstrdup(s);
Jan F. Chadima 7e7fb4
+		return 0;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lURI:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.uri;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lBase:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.base;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lBindDN:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.binddn;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lBindPW:
Jan F. Chadima 7e7fb4
+		charptr = &options.bindpw;
Jan F. Chadima 7e7fb4
+parse_string:
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*charptr == NULL)
Jan F. Chadima 7e7fb4
+			*charptr = xstrdup(arg);
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lRootBindDN:
Jan F. Chadima 7e7fb4
+		xstringptr = &rootbinddn;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lScope:
Jan F. Chadima 7e7fb4
+		intptr = &options.scope;
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 7e7fb4
+		if (!strcasecmp (arg, "sub"))
Jan F. Chadima 7e7fb4
+			value = LDAP_SCOPE_SUBTREE;
Jan F. Chadima 7e7fb4
+		else if (!strcasecmp (arg, "one"))
Jan F. Chadima 7e7fb4
+			value = LDAP_SCOPE_ONELEVEL;
Jan F. Chadima 7e7fb4
+		else if (!strcasecmp (arg, "base"))
Jan F. Chadima 7e7fb4
+			value = LDAP_SCOPE_BASE;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+			*intptr = value;
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lDeref:
Jan F. Chadima 7e7fb4
+		intptr = &options.scope;
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 7e7fb4
+		if (!strcasecmp (arg, "never"))
Jan F. Chadima 7e7fb4
+			value = LDAP_DEREF_NEVER;
Jan F. Chadima 7e7fb4
+		else if (!strcasecmp (arg, "searching"))
Jan F. Chadima 7e7fb4
+			value = LDAP_DEREF_SEARCHING;
Jan F. Chadima 7e7fb4
+		else if (!strcasecmp (arg, "finding"))
Jan F. Chadima 7e7fb4
+			value = LDAP_DEREF_FINDING;
Jan F. Chadima 7e7fb4
+		else if (!strcasecmp (arg, "always"))
Jan F. Chadima 7e7fb4
+			value = LDAP_DEREF_ALWAYS;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+			*intptr = value;
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lPort:
Jan F. Chadima 7e7fb4
+		intptr = &options.port;
Jan F. Chadima 7e7fb4
+parse_int:
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (arg[0] < '0' || arg[0] > '9')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad number.", filename, linenum);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		/* Octal, decimal, or hex format? */
Jan F. Chadima 7e7fb4
+		value = strtol(arg, &endofnumber, 0);
Jan F. Chadima 7e7fb4
+		if (arg == endofnumber)
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad number.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+			*intptr = value;
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTimeLimit:
Jan F. Chadima 7e7fb4
+		intptr = &options.timelimit;
Jan F. Chadima 7e7fb4
+parse_time:
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%s line %d: missing time value.",
Jan F. Chadima 7e7fb4
+			    filename, linenum);
Jan F. Chadima 7e7fb4
+		if ((value = convtime(arg)) == -1)
Jan F. Chadima 7e7fb4
+			fatal("%s line %d: invalid time value.",
Jan F. Chadima 7e7fb4
+			    filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+			*intptr = value;
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lBind_TimeLimit:
Jan F. Chadima 7e7fb4
+		intptr = &options.bind_timelimit;
Jan F. Chadima 7e7fb4
+		goto parse_time;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lLdap_Version:
Jan F. Chadima 7e7fb4
+		intptr = &options.ldap_version;
Jan F. Chadima 7e7fb4
+		goto parse_int;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lBind_Policy:
Jan F. Chadima 7e7fb4
+		intptr = &options.bind_policy;
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 7e7fb4
+		if (strcasecmp(arg, "hard") == 0)
Jan F. Chadima 7e7fb4
+			value = 1;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "soft") == 0)
Jan F. Chadima 7e7fb4
+			value = 0;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lSSLPath:
Jan F. Chadima 7e7fb4
+		charptr = &options.sslpath;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lSSL:
Jan F. Chadima 7e7fb4
+		intptr = &options.ssl;
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 7e7fb4
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Jan F. Chadima 7e7fb4
+			value = SSL_LDAPS;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Jan F. Chadima 7e7fb4
+			value = SSL_OFF;
Jan F. Chadima 7e7fb4
+		else if (!strcasecmp (arg, "start_tls"))
Jan F. Chadima 7e7fb4
+			value = SSL_START_TLS;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+			*intptr = value;
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lReferrals:
Jan F. Chadima 7e7fb4
+		intptr = &options.referrals;
Jan F. Chadima 7e7fb4
+parse_flag:
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima 7e7fb4
+		if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Jan F. Chadima 7e7fb4
+			value = 1;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Jan F. Chadima 7e7fb4
+			value = 0;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+			*intptr = value;
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lRestart:
Jan F. Chadima 7e7fb4
+		intptr = &options.restart;
Jan F. Chadima 7e7fb4
+		goto parse_flag;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_CheckPeer:
Jan F. Chadima 7e7fb4
+		intptr = &options.tls_checkpeer;
Jan F. Chadima 7e7fb4
+		arg = strdelim(&s);
Jan F. Chadima 7e7fb4
+		if (!arg || *arg == '\0')
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		value = 0;	/* To avoid compiler warning... */
Jan F. Chadima b6bdf1
+		if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_OPT_X_TLS_NEVER;
Jan F. Chadima b6bdf1
+		else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_OPT_X_TLS_HARD;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "demand") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_OPT_X_TLS_DEMAND;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "allow") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_OPT_X_TLS_ALLOW;
Jan F. Chadima 7e7fb4
+		else if (strcasecmp(arg, "try") == 0)
Jan F. Chadima 7e7fb4
+			value = LDAP_OPT_X_TLS_TRY;
Jan F. Chadima 7e7fb4
+		else
Jan F. Chadima 7e7fb4
+			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
Jan F. Chadima 7e7fb4
+		if (*intptr == -1)
Jan F. Chadima 7e7fb4
+		break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_CaCertFile:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_cacertfile;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_CaCertDir:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_cacertdir;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_Ciphers:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.tls_ciphers;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_Cert:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_cert;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_Key:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_key;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lTLS_RandFile:
Jan F. Chadima 7e7fb4
+		charptr = &options.tls_randfile;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lLogdir:
Jan F. Chadima 7e7fb4
+		charptr = &options.logdir;
Jan F. Chadima 7e7fb4
+		goto parse_string;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lDebug:
Jan F. Chadima 7e7fb4
+		intptr = &options.debug;
Jan F. Chadima 7e7fb4
+		goto parse_int;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lSSH_Filter:
Jan F. Chadima 7e7fb4
+		xstringptr = &options.ssh_filter;
Jan F. Chadima 7e7fb4
+		goto parse_xstring;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lDeprecated:
Jan F. Chadima 7e7fb4
+		debug("%s line %d: Deprecated option \"%s\"",
Jan F. Chadima 7e7fb4
+		    filename, linenum, keyword);
Jan F. Chadima 7e7fb4
+		return 0;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	case lUnsupported:
Jan F. Chadima 7e7fb4
+		error("%s line %d: Unsupported option \"%s\"",
Jan F. Chadima 7e7fb4
+		    filename, linenum, keyword);
Jan F. Chadima 7e7fb4
+		return 0;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	default:
Jan F. Chadima 7e7fb4
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* Check that there is no garbage at end of line. */
Jan F. Chadima 7e7fb4
+	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
Jan F. Chadima 7e7fb4
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
Jan F. Chadima 7e7fb4
+		    filename, linenum, arg);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	return 0;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Reads the config file and modifies the options accordingly.  Options
Jan F. Chadima 7e7fb4
+ * should already be initialized before this call.  This never returns if
Jan F. Chadima 7e7fb4
+ * there is an error.  If the file does not exist, this returns 0.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+read_config_file(const char *filename)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	FILE *f;
Jan F. Chadima 7e7fb4
+	char line[1024];
Jan F. Chadima 7e7fb4
+	int active, linenum;
Jan F. Chadima 7e7fb4
+	int bad_options = 0;
Jan F. Chadima 7e7fb4
+	struct stat sb;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if ((f = fopen(filename, "r")) == NULL)
Jan F. Chadima 7e7fb4
+		fatal("fopen %s: %s", filename, strerror(errno));
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (fstat(fileno(f), &sb) == -1)
Jan F. Chadima 7e7fb4
+		fatal("fstat %s: %s", filename, strerror(errno));
Jan F. Chadima 7e7fb4
+	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
Jan F. Chadima 7e7fb4
+	    (sb.st_mode & 022) != 0))
Jan F. Chadima 7e7fb4
+		fatal("Bad owner or permissions on %s", filename);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	debug("Reading configuration data %.200s", filename);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/*
Jan F. Chadima 7e7fb4
+	 * Mark that we are now processing the options.  This flag is turned
Jan F. Chadima 7e7fb4
+	 * on/off by Host specifications.
Jan F. Chadima 7e7fb4
+	 */
Jan F. Chadima 7e7fb4
+	active = 1;
Jan F. Chadima 7e7fb4
+	linenum = 0;
Jan F. Chadima 7e7fb4
+	while (fgets(line, sizeof(line), f)) {
Jan F. Chadima 7e7fb4
+		/* Update line number counter. */
Jan F. Chadima 7e7fb4
+		linenum++;
Jan F. Chadima 7e7fb4
+		if (process_config_line(line, filename, linenum) != 0)
Jan F. Chadima 7e7fb4
+			bad_options++;
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	fclose(f);
Jan F. Chadima 7e7fb4
+	if ((bad_options > 0) && config_exclusive_config_file) 
Jan F. Chadima 7e7fb4
+		fatal("%s: terminating, %d bad configuration options",
Jan F. Chadima 7e7fb4
+		    filename, bad_options);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Initializes options to special values that indicate that they have not yet
Jan F. Chadima 7e7fb4
+ * been set.  Read_config_file will only set options with this value. Options
Jan F. Chadima 7e7fb4
+ * are processed in the following order: command line, user config file,
Jan F. Chadima 7e7fb4
+ * system config file.  Last, fill_default_options is called.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+initialize_options(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	memset(&options, 'X', sizeof(options));
Jan F. Chadima 7e7fb4
+	options.host = NULL;
Jan F. Chadima 7e7fb4
+	options.uri = NULL;
Jan F. Chadima 7e7fb4
+	options.base = NULL;
Jan F. Chadima 7e7fb4
+	options.binddn = NULL;
Jan F. Chadima 7e7fb4
+	options.bindpw = NULL;
Jan F. Chadima 7e7fb4
+	options.scope = -1;
Jan F. Chadima 7e7fb4
+	options.deref = -1;
Jan F. Chadima 7e7fb4
+	options.port = -1;
Jan F. Chadima 7e7fb4
+	options.timelimit = -1;
Jan F. Chadima 7e7fb4
+	options.bind_timelimit = -1;
Jan F. Chadima 7e7fb4
+	options.ldap_version = -1;
Jan F. Chadima 7e7fb4
+	options.bind_policy = -1;
Jan F. Chadima 7e7fb4
+	options.sslpath = NULL;
Jan F. Chadima 7e7fb4
+	options.ssl = -1;
Jan F. Chadima 7e7fb4
+	options.referrals = -1;
Jan F. Chadima 7e7fb4
+	options.restart = -1;
Jan F. Chadima 7e7fb4
+	options.tls_checkpeer = -1;
Jan F. Chadima 7e7fb4
+	options.tls_cacertfile = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_cacertdir = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_ciphers = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_cert = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_key = NULL;
Jan F. Chadima 7e7fb4
+	options.tls_randfile = NULL;
Jan F. Chadima 7e7fb4
+	options.logdir = NULL;
Jan F. Chadima 7e7fb4
+	options.debug = -1;
Jan F. Chadima 7e7fb4
+	options.ssh_filter = NULL;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Called after processing other sources of option data, this fills those
Jan F. Chadima 7e7fb4
+ * options for which no value has been specified with their default values.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+fill_default_options(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	if (options.uri != NULL) {
Jan F. Chadima 7e7fb4
+		LDAPURLDesc *ludp;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
Jan F. Chadima 7e7fb4
+			if (options.ssl == -1) {
Jan F. Chadima 7e7fb4
+				if (strcmp (ludp->lud_scheme, "ldap") || strcmp (ludp->lud_scheme, "ldapi"))
Jan F. Chadima 7e7fb4
+				    options.ssl = 0;
Jan F. Chadima 7e7fb4
+				else if (strcmp (ludp->lud_scheme, "ldaps"))
Jan F. Chadima 7e7fb4
+				    options.ssl = 2;
Jan F. Chadima 7e7fb4
+			}
Jan F. Chadima 7e7fb4
+			if (options.host == NULL)
Jan F. Chadima 7e7fb4
+			    options.host = xstrdup (ludp->lud_host);
Jan F. Chadima 7e7fb4
+			if (options.port == -1)
Jan F. Chadima 7e7fb4
+			    options.port = ludp->lud_port;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+			ldap_free_urldesc (ludp);
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+	} 
Jan F. Chadima 7e7fb4
+	if (options.ssl == -1)
Jan F. Chadima 7e7fb4
+	    options.ssl = SSL_START_TLS;
Jan F. Chadima 7e7fb4
+	if (options.port == -1)
Jan F. Chadima 7e7fb4
+	    options.port = (options.ssl == 0) ? 389 : 636;
Jan F. Chadima 7e7fb4
+	if (options.uri == NULL) {
Jan F. Chadima 7e7fb4
+		int len;
Jan F. Chadima 7e7fb4
+#define MAXURILEN 4096
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		options.uri = xmalloc (MAXURILEN);
Jan F. Chadima 7e7fb4
+		len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
Jan F. Chadima 7e7fb4
+		    (options.ssl == 0) ? "" : "s", options.host, options.port);
Jan F. Chadima 7e7fb4
+		options.uri[MAXURILEN - 1] = 0;
Jan F. Chadima 7e7fb4
+		options.uri = xrealloc (options.uri, len + 1, 1);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+	if (options.binddn == NULL)
Jan F. Chadima 7e7fb4
+	    options.binddn = "";
Jan F. Chadima 7e7fb4
+	if (options.bindpw == NULL)
Jan F. Chadima 7e7fb4
+	    options.bindpw = "";
Jan F. Chadima 7e7fb4
+	if (options.scope == -1)
Jan F. Chadima 7e7fb4
+	    options.scope = LDAP_SCOPE_SUBTREE;
Jan F. Chadima 7e7fb4
+	if (options.deref == -1)
Jan F. Chadima 7e7fb4
+	    options.deref = LDAP_DEREF_NEVER;
Jan F. Chadima 7e7fb4
+	if (options.timelimit == -1)
Jan F. Chadima 7e7fb4
+	    options.timelimit = 10;
Jan F. Chadima 7e7fb4
+	if (options.bind_timelimit == -1)
Jan F. Chadima 7e7fb4
+	    options.bind_timelimit = 10;
Jan F. Chadima 7e7fb4
+	if (options.ldap_version == -1)
Jan F. Chadima 7e7fb4
+	    options.ldap_version = 3;
Jan F. Chadima 7e7fb4
+	if (options.bind_policy == -1)
Jan F. Chadima 7e7fb4
+	    options.bind_policy = 1;
Jan F. Chadima 7e7fb4
+	if (options.referrals == -1)
Jan F. Chadima 7e7fb4
+	    options.referrals = 1;
Jan F. Chadima 7e7fb4
+	if (options.restart == -1)
Jan F. Chadima 7e7fb4
+	    options.restart = 1;
Jan F. Chadima 7e7fb4
+	if (options.tls_checkpeer == -1)
Jan F. Chadima 7e7fb4
+	    options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
Jan F. Chadima 7e7fb4
+	if (options.debug == -1)
Jan F. Chadima 7e7fb4
+	    options.debug = 0;
Jan F. Chadima 7e7fb4
+	if (options.ssh_filter == NULL)
Jan F. Chadima 7e7fb4
+	    options.ssh_filter = "";
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static const char *
Jan F. Chadima 7e7fb4
+lookup_opcode_name(OpCodes code)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	u_int i;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	for (i = 0; keywords[i].name != NULL; i++)
Jan F. Chadima 7e7fb4
+	    if (keywords[i].opcode == code)
Jan F. Chadima 7e7fb4
+		return(keywords[i].name);
Jan F. Chadima 7e7fb4
+	return "UNKNOWN";
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static void
Jan F. Chadima 7e7fb4
+dump_cfg_string(OpCodes code, const char *val)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	if (val == NULL)
Jan F. Chadima 7e7fb4
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Jan F. Chadima 7e7fb4
+	else
Jan F. Chadima 7e7fb4
+	    debug3("%s %s", lookup_opcode_name(code), val);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static void
Jan F. Chadima 7e7fb4
+dump_cfg_int(OpCodes code, int val)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	if (val == -1)
Jan F. Chadima 7e7fb4
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Jan F. Chadima 7e7fb4
+	else
Jan F. Chadima 7e7fb4
+	    debug3("%s %d", lookup_opcode_name(code), val);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+struct names {
Jan F. Chadima 7e7fb4
+	int value;
Jan F. Chadima 7e7fb4
+	char *name;
Jan F. Chadima 7e7fb4
+};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static void
Jan F. Chadima 7e7fb4
+dump_cfg_namedint(OpCodes code, int val, struct names *names)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	u_int i;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (val == -1)
Jan F. Chadima 7e7fb4
+	    debug3("%s <UNDEFINED>", lookup_opcode_name(code));
Jan F. Chadima 7e7fb4
+	else {
Jan F. Chadima 7e7fb4
+		for (i = 0; names[i].value != -1; i++)
Jan F. Chadima 7e7fb4
+	 	    if (names[i].value == val) {
Jan F. Chadima 7e7fb4
+	    		debug3("%s %s", lookup_opcode_name(code), names[i].name);
Jan F. Chadima 7e7fb4
+			    return;
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+		debug3("%s unknown: %d", lookup_opcode_name(code), val);
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _yesnotls[] = {
Jan F. Chadima 7e7fb4
+	{ 0, "No" },
Jan F. Chadima 7e7fb4
+	{ 1, "Yes" },
Jan F. Chadima 7e7fb4
+	{ 2, "Start_TLS" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _scope[] = {
Jan F. Chadima 7e7fb4
+	{ LDAP_SCOPE_BASE, "Base" },
Jan F. Chadima 7e7fb4
+	{ LDAP_SCOPE_ONELEVEL, "One" },
Jan F. Chadima 7e7fb4
+	{ LDAP_SCOPE_SUBTREE, "Sub"},
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _deref[] = {
Jan F. Chadima 7e7fb4
+	{ LDAP_DEREF_NEVER, "Never" },
Jan F. Chadima 7e7fb4
+	{ LDAP_DEREF_SEARCHING, "Searching" },
Jan F. Chadima 7e7fb4
+	{ LDAP_DEREF_FINDING, "Finding" },
Jan F. Chadima 7e7fb4
+	{ LDAP_DEREF_ALWAYS, "Always" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _yesno[] = {
Jan F. Chadima 7e7fb4
+	{ 0, "No" },
Jan F. Chadima 7e7fb4
+	{ 1, "Yes" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _bindpolicy[] = {
Jan F. Chadima 7e7fb4
+	{ 0, "Soft" },
Jan F. Chadima 7e7fb4
+	{ 1, "Hard" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static struct names _checkpeer[] = {
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_NEVER, "Never" },
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_HARD, "Hard" },
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_DEMAND, "Demand" },
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_ALLOW, "Allow" },
Jan F. Chadima 7e7fb4
+	{ LDAP_OPT_X_TLS_TRY, "TRY" },
Jan F. Chadima 7e7fb4
+	{ -1, NULL }};
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void
Jan F. Chadima 7e7fb4
+dump_config(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lURI, options.uri);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lHost, options.host);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lPort, options.port);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lLdap_Version, options.ldap_version);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lTimeLimit, options.timelimit);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lBase, options.base);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lBindDN, options.binddn);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lBindPW, options.bindpw);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lScope, options.scope, _scope);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lDeref, options.deref, _deref);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lReferrals, options.referrals, _yesno);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lRestart, options.restart, _yesno);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lSSLPath, options.sslpath);
Jan F. Chadima 7e7fb4
+	dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_Cert, options.tls_cert);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_Key, options.tls_key);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lTLS_RandFile, options.tls_randfile);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lLogdir, options.logdir);
Jan F. Chadima 7e7fb4
+	dump_cfg_int(lDebug, options.debug);
Jan F. Chadima 7e7fb4
+	dump_cfg_string(lSSH_Filter, options.ssh_filter);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
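Review bot: In fill_default_options the scheme test `if (strcmp (ludp->lud_scheme, "ldap") || strcmp (ludp->lud_scheme, "ldapi"))` is inverted — strcmp returns 0 on a match, so the condition is true for every scheme (no string equals both), `options.ssl` is forced to 0 even for an ldaps:// URI and the `else if` ldaps branch is unreachable; what ldap_do_connect later does with `options.ssl` is outside this hunk, but the derived TLS mode is wrong, and the literal 2 in that branch is the value `_yesnotls` labels Start_TLS, so SSL_LDAPS looks like the intended constant. I would write it as `if (strcmp(ludp->lud_scheme, "ldaps") == 0) options.ssl = SSL_LDAPS; else if (strcmp(ludp->lud_scheme, "ldap") == 0 || strcmp(ludp->lud_scheme, "ldapi") == 0) options.ssl = SSL_OFF;`. The same hunk has three more option-parsing slips in process_config_line: the `lDeref` case sets `intptr = &options.scope;` where `&options.deref` is meant, so a Deref line overwrites the unset Scope and options.deref is never read from the file; and in the `lBind_Policy` and `lTLS_CheckPeer` cases `if (*intptr == -1)` is followed directly by `break;`, so the parsed value is never stored — the line `*intptr = value;` is missing — and, should the field already be set, control would fall into the next case label. Because fill_default_options then substitutes LDAP_OPT_X_TLS_HARD for the still-unset tls_checkpeer, a configured TLS_CheckPeer value is silently replaced rather than honoured.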
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/ldapconf.h.pka openssh-5.5p1/ldapconf.h
Jan F. Chadima b6bdf1
--- openssh-5.5p1/ldapconf.h.pka	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/ldapconf.h	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,71 @@
Jan F. Chadima 7e7fb4
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+ * are met:
Jan F. Chadima 7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifndef LDAPCONF_H
Jan F. Chadima 7e7fb4
+#define LDAPCONF_H
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#define SSL_OFF          0
Jan F. Chadima 7e7fb4
+#define SSL_LDAPS        1
Jan F. Chadima 7e7fb4
+#define SSL_START_TLS    2
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/* Data structure for representing option data. */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+typedef struct {
Jan F. Chadima 7e7fb4
+	char *host;
Jan F. Chadima 7e7fb4
+	char *uri;
Jan F. Chadima 7e7fb4
+	char *base;
Jan F. Chadima 7e7fb4
+	char *binddn;
Jan F. Chadima 7e7fb4
+	char *bindpw;
Jan F. Chadima 7e7fb4
+	int scope;
Jan F. Chadima 7e7fb4
+	int deref;
Jan F. Chadima 7e7fb4
+	int port;
Jan F. Chadima 7e7fb4
+	int timelimit;
Jan F. Chadima 7e7fb4
+	int bind_timelimit;
Jan F. Chadima 7e7fb4
+	int ldap_version;
Jan F. Chadima 7e7fb4
+	int bind_policy;
Jan F. Chadima 7e7fb4
+	char *sslpath;
Jan F. Chadima 7e7fb4
+	int ssl;
Jan F. Chadima 7e7fb4
+	int referrals;
Jan F. Chadima 7e7fb4
+	int restart;
Jan F. Chadima 7e7fb4
+	int tls_checkpeer;
Jan F. Chadima 7e7fb4
+	char *tls_cacertfile;
Jan F. Chadima 7e7fb4
+	char *tls_cacertdir;
Jan F. Chadima 7e7fb4
+	char *tls_ciphers;
Jan F. Chadima 7e7fb4
+	char *tls_cert;
Jan F. Chadima 7e7fb4
+	char *tls_key;
Jan F. Chadima 7e7fb4
+	char *tls_randfile;
Jan F. Chadima 7e7fb4
+	char *logdir;
Jan F. Chadima 7e7fb4
+	int debug;
Jan F. Chadima 7e7fb4
+	char *ssh_filter;
Jan F. Chadima 7e7fb4
+}       Options;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+extern Options options;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+void read_config_file(const char *);
Jan F. Chadima 7e7fb4
+void initialize_options(void);
Jan F. Chadima 7e7fb4
+void fill_default_options(void);
Jan F. Chadima 7e7fb4
+void dump_config(void);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#endif /* LDAPCONF_H */
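Review bot: `typedef struct { ... } Options;` gives this new header a very generic typedef name that readconf.h in the same tree already uses for the client's option block (not part of this patch), so any translation unit that ever includes both will fail to compile, and the name says nothing about LDAP; `LdapOptions` with `extern LdapOptions options;` would avoid the clash. The struct also carries `bindpw`, a cleartext directory credential, with no field comment marking it as sensitive, even though `dump_config()` above prints it with `dump_cfg_string(lBindPW, options.bindpw)`; a comment such as `char *bindpw;	/* cleartext bind credential read from the config file; must not be logged */` would help the next maintainer. Minor: the `$OpenBSD:` tag at the top names ldapconf.c rather than this header.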
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/ldap-helper.c.pka openssh-5.5p1/ldap-helper.c
Jan F. Chadima b6bdf1
--- openssh-5.5p1/ldap-helper.c.pka	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/ldap-helper.c	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,154 @@
Jan F. Chadima 7e7fb4
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+ * are met:
Jan F. Chadima 7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#include "ldapincludes.h"
Jan F. Chadima 7e7fb4
+#include "log.h"
Jan F. Chadima 7e7fb4
+#include "misc.h"
Jan F. Chadima 7e7fb4
+#include "xmalloc.h"
Jan F. Chadima 7e7fb4
+#include "ldapconf.h"
Jan F. Chadima 7e7fb4
+#include "ldapbody.h"
Jan F. Chadima 7e7fb4
+#include <string.h>
Jan F. Chadima 7e7fb4
+#include <unistd.h>
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static int config_debug = 0;
Jan F. Chadima 7e7fb4
+int config_exclusive_config_file = 0;
Jan F. Chadima 7e7fb4
+static char *config_file_name = "/etc/ldap.conf";
Jan F. Chadima 7e7fb4
+static char *config_single_user = NULL;
Jan F. Chadima 7e7fb4
+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
Jan F. Chadima 7e7fb4
+int config_warning_config_file = 0;
Jan F. Chadima 7e7fb4
+extern char *__progname;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+static void
Jan F. Chadima 7e7fb4
+usage(void)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	fprintf(stderr, "usage: %s [options]\n",
Jan F. Chadima 7e7fb4
+	    __progname);
Jan F. Chadima 7e7fb4
+	fprintf(stderr, "Options:\n");
Jan F. Chadima 7e7fb4
+	fprintf(stderr, "  -d          Output the log messages to stderr.\n");
Jan F. Chadima 7e7fb4
+	fprintf(stderr, "  -e          Check the config file for unknown commands.\n");
Jan F. Chadima 7e7fb4
+	fprintf(stderr, "  -f file     Use alternate config file (default is /etc/ldap.conf).\n");
Jan F. Chadima 7e7fb4
+	fprintf(stderr, "  -s user     Do not demonize, send the user's key to stdout.\n");
Jan F. Chadima 7e7fb4
+	fprintf(stderr, "  -v          Increase verbosity of the debug output (implies -d).\n");
Jan F. Chadima 7e7fb4
+	fprintf(stderr, "  -w          Warn on unknown commands int the config file.\n");
Jan F. Chadima 7e7fb4
+	exit(1);
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Main program for the ssh pka ldap agent.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+int
Jan F. Chadima 7e7fb4
+main(int ac, char **av)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+	int opt;
Jan F. Chadima 7e7fb4
+	FILE *outfile = NULL;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	__progname = ssh_get_progname(av[0]);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/*
Jan F. Chadima 7e7fb4
+	 * Initialize option structure to indicate that no values have been
Jan F. Chadima 7e7fb4
+	 * set.
Jan F. Chadima 7e7fb4
+	 */
Jan F. Chadima 7e7fb4
+	initialize_options();
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* Parse command-line arguments. */
Jan F. Chadima 7e7fb4
+	while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
Jan F. Chadima 7e7fb4
+		switch (opt) {
Jan F. Chadima 7e7fb4
+		case 'd':
Jan F. Chadima 7e7fb4
+			config_debug = 1;
Jan F. Chadima 7e7fb4
+			break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		case 'e':
Jan F. Chadima 7e7fb4
+			config_exclusive_config_file = 1;
Jan F. Chadima 7e7fb4
+			config_warning_config_file = 1;
Jan F. Chadima 7e7fb4
+			break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		case 'f':
Jan F. Chadima 7e7fb4
+			config_file_name = optarg;
Jan F. Chadima 7e7fb4
+			break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		case 's':
Jan F. Chadima 7e7fb4
+			config_single_user = optarg;
Jan F. Chadima 7e7fb4
+			outfile = fdopen (dup (fileno (stdout)), "w");
Jan F. Chadima 7e7fb4
+			break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		case 'v':
Jan F. Chadima 7e7fb4
+			config_debug = 1;
Jan F. Chadima 7e7fb4
+			if (config_verbose < SYSLOG_LEVEL_DEBUG3)
Jan F. Chadima 7e7fb4
+			    config_verbose++;
Jan F. Chadima 7e7fb4
+			break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		case 'w':
Jan F. Chadima 7e7fb4
+			config_warning_config_file = 1;
Jan F. Chadima 7e7fb4
+			break;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+		case '?':
Jan F. Chadima 7e7fb4
+		default:
Jan F. Chadima 7e7fb4
+			usage();
Jan F. Chadima 7e7fb4
+			break;
Jan F. Chadima 7e7fb4
+		}
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* Initialize loging */
Jan F. Chadima 7e7fb4
+	log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (ac != optind)
Jan F. Chadima 7e7fb4
+	    fatal ("illegal extra parameter %s", av[1]);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* Ensure that fds 0 and 2 are open or directed to /dev/null */
Jan F. Chadima 7e7fb4
+	if (config_debug == 0)
Jan F. Chadima 7e7fb4
+	    sanitise_stdfd();
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	/* Read config file */
Jan F. Chadima 7e7fb4
+	read_config_file(config_file_name);
Jan F. Chadima 7e7fb4
+	fill_default_options();
Jan F. Chadima 7e7fb4
+	if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
Jan F. Chadima 7e7fb4
+		debug3 ("=== Configuration ===");
Jan F. Chadima 7e7fb4
+		dump_config();
Jan F. Chadima 7e7fb4
+		debug3 ("=== *** ===");
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	ldap_checkconfig();
Jan F. Chadima 7e7fb4
+	ldap_do_connect();
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (config_single_user) {
Jan F. Chadima 7e7fb4
+		process_user (config_single_user, outfile);
Jan F. Chadima 7e7fb4
+	} else {
Jan F. Chadima 7e7fb4
+		fatal ("Not yet implemented");
Jan F. Chadima 7e7fb4
+/* TODO
Jan F. Chadima 7e7fb4
+ * open unix socket a run the loop on it
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	ldap_do_close();
Jan F. Chadima 7e7fb4
+	return 0;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+/* Ugly hack */
Jan F. Chadima 7e7fb4
+void   *buffer_get_string(Buffer *b, u_int *l) {}
Jan F. Chadima 7e7fb4
+void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
Jan F. Chadima 7e7fb4
+
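Review bot: With `-v -v -v` the `config_verbose == SYSLOG_LEVEL_DEBUG3` block calls `dump_config()`, which (see the `dump_cfg_string(lBindPW, options.bindpw)` line in the earlier hunk) writes the LDAP bind password to the AUTH syslog facility or, with `-d`, to stderr, so the directory credential ends up in logs; dump_config() should print a fixed placeholder for BindPW when it is set rather than the value. Separately, the extra-argument check reports the wrong token: `fatal ("illegal extra parameter %s", av[optind]);` names the argument getopt stopped on, whereas `av[1]` may be a valid option. The `-s` branch also leaves `outfile` NULL when `dup()` or `fdopen()` fails and later passes that NULL to `process_user`; `if (outfile == NULL) fatal("cannot duplicate stdout");` right after the fdopen would make the failure explicit. Finally, the two "Ugly hack" stubs are non-void functions with empty bodies (undefined behaviour if ever reached); giving them a body of `fatal("%s: not available in ssh-ldap-helper", __func__);` keeps the linker happy without silently returning garbage.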
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/ldap-helper.h.pka openssh-5.5p1/ldap-helper.h
Jan F. Chadima b6bdf1
--- openssh-5.5p1/ldap-helper.h.pka	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/ldap-helper.h	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,32 @@
Jan F. Chadima 7e7fb4
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+ * are met:
Jan F. Chadima 7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifndef LDAP_HELPER_H
Jan F. Chadima 7e7fb4
+#define LDAP_HELPER_H
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+extern int config_exclusive_config_file;
Jan F. Chadima 7e7fb4
+extern int config_warning_config_file;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#endif /* LDAP_HELPER_H */
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/ldapincludes.h.pka openssh-5.5p1/ldapincludes.h
Jan F. Chadima b6bdf1
--- openssh-5.5p1/ldapincludes.h.pka	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/ldapincludes.h	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,41 @@
Jan F. Chadima 7e7fb4
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+ * are met:
Jan F. Chadima 7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifndef LDAPINCLUDES_H
Jan F. Chadima 7e7fb4
+#define LDAPINCLUDES_H
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#include "includes.h"
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LBER_H
Jan F. Chadima 7e7fb4
+#include <lber.h>
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_H
Jan F. Chadima 7e7fb4
+#include <ldap.h>
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_SSL_H
Jan F. Chadima 7e7fb4
+#include <ldap_ssl.h>
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#endif /* LDAPINCLUDES_H */
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/ldapmisc.c.pka openssh-5.5p1/ldapmisc.c
Jan F. Chadima b6bdf1
--- openssh-5.5p1/ldapmisc.c.pka	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/ldapmisc.c	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,79 @@
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#include "ldapincludes.h"
Jan F. Chadima 7e7fb4
+#include "ldapmisc.h"
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifndef HAVE_LDAP_GET_LDERRNO
Jan F. Chadima 7e7fb4
+int
Jan F. Chadima 7e7fb4
+ldap_get_lderrno (LDAP * ld, char **m, char **s)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_GET_OPTION
Jan F. Chadima 7e7fb4
+	int rc;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+	int lderrno;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
Jan F. Chadima 7e7fb4
+	if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+	    return rc;
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+	lderrno = ld->ld_errno;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (s != NULL) {
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
Jan F. Chadima 7e7fb4
+		if ((rc = ldap_get_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+		    return rc;
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		*s = ld->ld_error;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (m != NULL) {
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
Jan F. Chadima 7e7fb4
+		if ((rc = ldap_get_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+		    return rc;
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		*m = ld->ld_matched;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	return lderrno;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifndef HAVE_LDAP_SET_LDERRNO
Jan F. Chadima 7e7fb4
+int
Jan F. Chadima 7e7fb4
+ldap_set_lderrno (LDAP * ld, int lderrno, const char *m, const char *s)
Jan F. Chadima 7e7fb4
+{
Jan F. Chadima 7e7fb4
+#ifdef HAVE_LDAP_SET_OPTION
Jan F. Chadima 7e7fb4
+	int rc;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
Jan F. Chadima 7e7fb4
+	if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_NUMBER, &lderrno)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+	    return rc;
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+	ld->ld_errno = lderrno;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (s != NULL) {
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_ERROR_STRING)
Jan F. Chadima 7e7fb4
+		if ((rc = ldap_set_option (ld, LDAP_OPT_ERROR_STRING, s)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+		    return rc;
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		ld->ld_error = s;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	if (m != NULL) {
Jan F. Chadima 7e7fb4
+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_MATCHED_DN)
Jan F. Chadima 7e7fb4
+		if ((rc = ldap_set_option (ld, LDAP_OPT_MATCHED_DN, m)) != LDAP_SUCCESS)
Jan F. Chadima 7e7fb4
+		    return rc;
Jan F. Chadima 7e7fb4
+#else
Jan F. Chadima 7e7fb4
+		ld->ld_matched = m;
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+	}
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	return LDAP_SUCCESS;
Jan F. Chadima 7e7fb4
+}
Jan F. Chadima 7e7fb4
+#endif
Jan F. Chadima 7e7fb4
+
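Review bot: In the fallback branches of `ldap_set_lderrno`, `ld->ld_error = s;` and `ld->ld_matched = m;` store the caller's `const char *` straight into the handle, discarding the qualifier and leaving the handle aliasing memory whose lifetime the caller controls; the fallback should duplicate (`strdup`) or the function should document that the arguments must outlive the handle. `ldap_get_lderrno` has the mirror problem: strings returned through `ldap_get_option(LDAP_OPT_ERROR_STRING)` / `LDAP_OPT_MATCHED_DN` are, per OpenLDAP's documentation, library-allocated copies to be released with `ldap_memfree()` (confirm for the SDKs targeted), while the direct-field fallback hands out handle-owned pointers, so a caller cannot free consistently across builds. A one-line ownership contract above each function would settle it, e.g. `/* *s and *m are handle-owned in the ld_* fallback but allocated copies (ldap_memfree) via ldap_get_option; callers must not free unconditionally */`. Also, when `ldap_get_option` fails the function returns `rc`, an LDAP result code, in the slot callers read as the saved lderrno, which conflates the two.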
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/ldapmisc.h.pka openssh-5.5p1/ldapmisc.h
Jan F. Chadima b6bdf1
--- openssh-5.5p1/ldapmisc.h.pka	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/ldapmisc.h	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,35 @@
Jan F. Chadima 7e7fb4
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
Jan F. Chadima 7e7fb4
+/*
Jan F. Chadima 7e7fb4
+ * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+ * modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+ * are met:
Jan F. Chadima 7e7fb4
+ * 1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+ * 2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+ *    notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+ *    documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+ *
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+ */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#ifndef LDAPMISC_H
Jan F. Chadima 7e7fb4
+#define LDAPMISC_H
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#include "ldapincludes.h"
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+int ldap_get_lderrno (LDAP *, char **, char **);
Jan F. Chadima 7e7fb4
+int ldap_set_lderrno (LDAP *, int, const char *, const char *);
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+#endif /* LDAPMISC_H */
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/lpk-user-example.txt.pka openssh-5.5p1/lpk-user-example.txt
Jan F. Chadima b6bdf1
--- openssh-5.5p1/lpk-user-example.txt.pka	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/lpk-user-example.txt	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,117 @@
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Post to ML -> User Made Quick Install Doc.
Jan F. Chadima 7e7fb4
+Contribution from John Lane <john@lane.uk.net>
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+OpenSSH LDAP keystore Patch
Jan F. Chadima 7e7fb4
+===========================
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+NOTE: these notes are a transcript of a specific installation
Jan F. Chadima 7e7fb4
+      they work for me, your specifics may be different!
Jan F. Chadima 7e7fb4
+      from John Lane March 17th 2005         john@lane.uk.net
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
Jan F. Chadima 7e7fb4
+from their LDAP record as an alternative to ~/.ssh/authorized_keys.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+(Assuming here that necessary build stuff is in $BUILD)
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+cd $BUILD/openssh-4.0p1
Jan F. Chadima 7e7fb4
+patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
Jan F. Chadima 7e7fb4
+mkdir -p /var/empty &&
Jan F. Chadima 7e7fb4
+./configure --prefix=/usr --sysconfdir=/etc/ssh \
Jan F. Chadima 7e7fb4
+    --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
Jan F. Chadima 7e7fb4
+    --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
Jan F. Chadima 7e7fb4
+Now do.
Jan F. Chadima 7e7fb4
+make &&
Jan F. Chadima 7e7fb4
+make install
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Add the following config to /etc/ssh/ssh_config
Jan F. Chadima 7e7fb4
+UseLPK yes
Jan F. Chadima 7e7fb4
+LpkServers ldap://myhost.mydomain.com
Jan F. Chadima 7e7fb4
+LpkUserDN  ou=People,dc=mydomain,dc=com
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+We need to tell sshd about the SSL keys during boot, as root's
Jan F. Chadima 7e7fb4
+environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
Jan F. Chadima 7e7fb4
+Change the startup code from this:
Jan F. Chadima 7e7fb4
+                echo "Starting SSH Server..."
Jan F. Chadima 7e7fb4
+                loadproc /usr/sbin/sshd
Jan F. Chadima 7e7fb4
+                ;;
Jan F. Chadima 7e7fb4
+to this:
Jan F. Chadima 7e7fb4
+                echo "Starting SSH Server..."
Jan F. Chadima 7e7fb4
+                LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
Jan F. Chadima 7e7fb4
+                ;;
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Re-start the sshd daemon:
Jan F. Chadima 7e7fb4
+/etc/rc.d/init.d/sshd restart
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Install the additional LDAP schema
Jan F. Chadima 7e7fb4
+cp $BUILD/openssh-lpk-0.2.schema  /etc/openldap/schema/openssh.schema
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
Jan F. Chadima 7e7fb4
+Add the following to the end of the existing block of schema includes
Jan F. Chadima 7e7fb4
+include         /etc/openldap/schema/openssh.schema
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Re-start the LDAP server:
Jan F. Chadima 7e7fb4
+/etc/rc.d/init.d/slapd restart
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+To add one or more public keys to a user, eg "testuser" :
Jan F. Chadima 7e7fb4
+ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
Jan F. Chadima 7e7fb4
+"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+append the following to this /tmp/testuser file
Jan F. Chadima 7e7fb4
+objectclass: ldapPublicKey
Jan F. Chadima 7e7fb4
+sshPublicKey: ssh-rsa
Jan F. Chadima 7e7fb4
+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
Jan F. Chadima 7e7fb4
+qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
Jan F. Chadima 7e7fb4
+7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Then do a modify:
Jan F. Chadima 7e7fb4
+ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
Jan F. Chadima 7e7fb4
+/tmp/testuser -Z
Jan F. Chadima 7e7fb4
+Enter LDAP Password:
Jan F. Chadima 7e7fb4
+modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
Jan F. Chadima 7e7fb4
+And check the modify is ok:
Jan F. Chadima 7e7fb4
+ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
Jan F. Chadima 7e7fb4
+"uid=testuser,ou=People,dc=mydomain,dc=com"
Jan F. Chadima 7e7fb4
+Enter LDAP Password:
Jan F. Chadima 7e7fb4
+# extended LDIF
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+# LDAPv3
Jan F. Chadima 7e7fb4
+# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
Jan F. Chadima 7e7fb4
+# filter: (objectclass=*)
Jan F. Chadima 7e7fb4
+# requesting: ALL
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# testuser, People, mydomain.com
Jan F. Chadima 7e7fb4
+dn: uid=testuser,ou=People,dc=mydomain,dc=com
Jan F. Chadima 7e7fb4
+uid: testuser
Jan F. Chadima 7e7fb4
+cn: testuser
Jan F. Chadima 7e7fb4
+objectClass: account
Jan F. Chadima 7e7fb4
+objectClass: posixAccount
Jan F. Chadima 7e7fb4
+objectClass: top
Jan F. Chadima 7e7fb4
+objectClass: shadowAccount
Jan F. Chadima 7e7fb4
+objectClass: ldapPublicKey
Jan F. Chadima 7e7fb4
+shadowLastChange: 12757
Jan F. Chadima 7e7fb4
+shadowMax: 99999
Jan F. Chadima 7e7fb4
+shadowWarning: 7
Jan F. Chadima 7e7fb4
+loginShell: /bin/bash
Jan F. Chadima 7e7fb4
+uidNumber: 9999
Jan F. Chadima 7e7fb4
+gidNumber: 501
Jan F. Chadima 7e7fb4
+homeDirectory: /home/testuser
Jan F. Chadima 7e7fb4
+userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
Jan F. Chadima 7e7fb4
+sshPublicKey: ssh-rsa
Jan F. Chadima 7e7fb4
+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
Jan F. Chadima 7e7fb4
+8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# search result
Jan F. Chadima 7e7fb4
+search: 3
Jan F. Chadima 7e7fb4
+result: 0 Success
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# numResponses: 2
Jan F. Chadima 7e7fb4
+# numEntries: 1
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Now start a ssh session to user "testuser" from usual ssh client (e.g.
Jan F. Chadima 7e7fb4
+puTTY). Login should succeed.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/Makefile.in.pka openssh-5.5p1/Makefile.in
Jan F. Chadima 3fdf10
--- openssh-5.5p1/Makefile.in.pka	2010-03-13 22:41:34.000000000 +0100
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/Makefile.in	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
Jan F. Chadima 7e7fb4
 SFTP_SERVER=$(libexecdir)/sftp-server
Jan F. Chadima 7e7fb4
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
Jan F. Chadima 7e7fb4
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
Jan F. Chadima 7e7fb4
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
Jan F. Chadima 7e7fb4
 RAND_HELPER=$(libexecdir)/ssh-rand-helper
Jan F. Chadima 7e7fb4
 PRIVSEP_PATH=@PRIVSEP_PATH@
Jan F. Chadima 7e7fb4
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
Jan F. Chadima 7e7fb4
@@ -61,8 +62,9 @@ EXEEXT=@EXEEXT@
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
Jan F. Chadima 7e7fb4
 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
Jan F. Chadima 7e7fb4
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
Jan F. Chadima 7e7fb4
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
Jan F. Chadima 7e7fb4
 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
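Review bot: `ssh-ldap-helper$(EXEEXT)` is appended unconditionally to TARGETS while its installation is gated by the new `INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@` substitution, so a tree configured without LDAP support (if configure offers that; the configure changes are not in this chunk) would still compile ldapconf.o/ldapbody.o and try to link against libldap. If the install is meant to be optional the target should be optional the same way, e.g. a substituted `LDAP_HELPER_TARGET=@LDAP_HELPER_TARGET@` that expands to `ssh-ldap-helper$(EXEEXT)` or to nothing, referenced from TARGETS in place of the literal name.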
Jan F. Chadima 7e7fb4
@@ -93,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
Jan F. Chadima 7e7fb4
 	audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
Jan F. Chadima 3fdf10
 	roaming_common.o roaming_serv.o
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
Jan F. Chadima 7e7fb4
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
Jan F. Chadima 7e7fb4
+MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out
Jan F. Chadima 7e7fb4
+MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5
Jan F. Chadima 7e7fb4
 MANTYPE		= @MANTYPE@
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
Jan F. Chadima 3fdf10
@@ -162,6 +164,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
Jan F. Chadima 3fdf10
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
Jan F. Chadima 3fdf10
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
Jan F. Chadima 7e7fb4
+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 3fdf10
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
Jan F. Chadima 3fdf10
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
@@ -266,6 +271,9 @@ install-files:
Jan F. Chadima 7e7fb4
 	fi
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
Jan F. Chadima 7e7fb4
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Jan F. Chadima 7e7fb4
+		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
Jan F. Chadima 7e7fb4
+	fi
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
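Review bot: The new install line omits `$(EXEEXT)` on both the source and the destination, unlike the neighbouring `ssh-pkcs11-helper` and `sftp` lines; it should read `$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper$(EXEEXT) $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT) ; \`. The mode `0700` also differs from the `0755` used for the other helpers; since the helper is meant to run under the `PubkeyAgentRunAs` account (the README in this patch suggests `nobody`), a root-owned 0700 binary would presumably not be executable by that account unless ownership is adjusted elsewhere. A short comment above the `if` stating the intended owner and why the tighter mode is wanted would make the choice reviewable.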
Jan F. Chadima 7e7fb4
@@ -285,6 +293,9 @@ install-files:
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
Jan F. Chadima 7e7fb4
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
Jan F. Chadima 7e7fb4
+	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
Jan F. Chadima 7e7fb4
+		$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
Jan F. Chadima 7e7fb4
+	fi
Jan F. Chadima 7e7fb4
 	-rm -f $(DESTDIR)$(bindir)/slogin
Jan F. Chadima 7e7fb4
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
Jan F. Chadima 7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
Jan F. Chadima 7e7fb4
@@ -384,6 +395,7 @@ uninstall:
Jan F. Chadima 7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
Jan F. Chadima 7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
Jan F. Chadima 7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
Jan F. Chadima 7e7fb4
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
Jan F. Chadima 7e7fb4
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
Jan F. Chadima 7e7fb4
 
Jan F. Chadima 7e7fb4
 tests interop-tests:	$(TARGETS)
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/openssh-lpk-openldap.schema.pka openssh-5.5p1/openssh-lpk-openldap.schema
Jan F. Chadima b6bdf1
--- openssh-5.5p1/openssh-lpk-openldap.schema.pka	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/openssh-lpk-openldap.schema	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,21 @@
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jan F. Chadima 7e7fb4
+#                              useful with PKA-LDAP also
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+# Author: Eric AUGE <eau@phear.org>
Jan F. Chadima 7e7fb4
+# 
Jan F. Chadima 7e7fb4
+# Based on the proposal of : Mark Ruijter
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# octetString SYNTAX
Jan F. Chadima 7e7fb4
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
Jan F. Chadima 7e7fb4
+	DESC 'MANDATORY: OpenSSH Public key' 
Jan F. Chadima 7e7fb4
+	EQUALITY octetStringMatch
Jan F. Chadima 7e7fb4
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# printableString SYNTAX yes|no
Jan F. Chadima 7e7fb4
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
Jan F. Chadima 7e7fb4
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
Jan F. Chadima 7e7fb4
+	MUST ( sshPublicKey $ uid ) 
Jan F. Chadima 7e7fb4
+	)
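Review bot: The comment `# printableString SYNTAX yes|no` above the `ldapPublicKey` definition does not describe what follows — it is an AUXILIARY objectclass with `MUST ( sshPublicKey $ uid )`, not a yes/no attribute — and looks carried over from the original LPK schema. Replace it with a comment that matches the definition, e.g. `# auxiliary objectclass: marks an entry as carrying one or more sshPublicKey values`. The same stale comment appears in openssh-lpk-sun.schema in this patch.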
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/openssh-lpk-sun.schema.pka openssh-5.5p1/openssh-lpk-sun.schema
Jan F. Chadima b6bdf1
--- openssh-5.5p1/openssh-lpk-sun.schema.pka	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/openssh-lpk-sun.schema	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,23 @@
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
Jan F. Chadima 7e7fb4
+#                              useful with PKA-LDAP also
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+# Author: Eric AUGE <eau@phear.org>
Jan F. Chadima 7e7fb4
+# 
Jan F. Chadima 7e7fb4
+# Schema for Sun Directory Server.
Jan F. Chadima 7e7fb4
+# Based on the original schema, modified by Stefan Fischer.
Jan F. Chadima 7e7fb4
+#
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+dn: cn=schema
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# octetString SYNTAX
Jan F. Chadima 7e7fb4
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
Jan F. Chadima 7e7fb4
+	DESC 'MANDATORY: OpenSSH Public key' 
Jan F. Chadima 7e7fb4
+	EQUALITY octetStringMatch
Jan F. Chadima 7e7fb4
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+# printableString SYNTAX yes|no
Jan F. Chadima 7e7fb4
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
Jan F. Chadima 7e7fb4
+	DESC 'MANDATORY: OpenSSH LPK objectclass'
Jan F. Chadima 7e7fb4
+	MUST ( sshPublicKey $ uid ) 
Jan F. Chadima 7e7fb4
+	)
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/README.lpk.pka openssh-5.5p1/README.lpk
Jan F. Chadima b6bdf1
--- openssh-5.5p1/README.lpk.pka	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/README.lpk	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 7e7fb4
@@ -0,0 +1,268 @@
Jan F. Chadima 7e7fb4
+OpenSSH LDAP PUBLIC KEY PATCH 
Jan F. Chadima 7e7fb4
+Copyright (c) 2003 Eric AUGE (eau@phear.org)
Jan F. Chadima 7e7fb4
+All rights reserved.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Rewriten by Jan F. Chadima (jchadima@redhat.com)
Jan F. Chadima 7e7fb4
+Copyright (c) 2010 Red Hat, Inc.
Jan F. Chadima 7e7fb4
+The new PKA-LDAP patch is rewritten from the scratch.
Jan F. Chadima 7e7fb4
+LDAP schema and part of the documentation is based on original
Jan F. Chadima 7e7fb4
+LPK project (http://code.google.com/p/openssh-lpk),
Jan F. Chadima 7e7fb4
+copyright (c) 2003 Eric AUGE
Jan F. Chadima 7e7fb4
+The new openssh configuration is different from the original LPK one.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+Redistribution and use in source and binary forms, with or without
Jan F. Chadima 7e7fb4
+modification, are permitted provided that the following conditions
Jan F. Chadima 7e7fb4
+are met:
Jan F. Chadima 7e7fb4
+1. Redistributions of source code must retain the above copyright
Jan F. Chadima 7e7fb4
+   notice, this list of conditions and the following disclaimer.
Jan F. Chadima 7e7fb4
+2. Redistributions in binary form must reproduce the above copyright
Jan F. Chadima 7e7fb4
+   notice, this list of conditions and the following disclaimer in the
Jan F. Chadima 7e7fb4
+   documentation and/or other materials provided with the distribution.
Jan F. Chadima 7e7fb4
+3. The name of the author may not be used to endorse or promote products
Jan F. Chadima 7e7fb4
+   derived from this software without specific prior written permission.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
Jan F. Chadima 7e7fb4
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
Jan F. Chadima 7e7fb4
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Jan F. Chadima 7e7fb4
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
Jan F. Chadima 7e7fb4
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
Jan F. Chadima 7e7fb4
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
Jan F. Chadima 7e7fb4
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
Jan F. Chadima 7e7fb4
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Jan F. Chadima 7e7fb4
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
Jan F. Chadima 7e7fb4
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+purposes of this patch:
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+This patch would help to have authentication centralization policy
Jan F. Chadima 7e7fb4
+using ssh public key authentication.
Jan F. Chadima 7e7fb4
+This patch could be an alternative to other "secure" authentication system
Jan F. Chadima 7e7fb4
+working in a similar way (Kerberos, SecurID, etc...), except the fact 
Jan F. Chadima 7e7fb4
+that it's based on OpenSSH and its public key abilities.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+>> FYI: <<
Jan F. Chadima 7e7fb4
+'uid': means unix accounts existing on the current server
Jan F. Chadima 7e7fb4
+'ServerGroup:' mean server group configured on the current server by the SSH_Filter option in the ldap.conf.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+example schema:
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+                                  server1 (uid: eau,rival,toto) (ServerGroup: unix)
Jan F. Chadima 7e7fb4
+                ___________      /
Jan F. Chadima 7e7fb4
+               /           \ --- - server3 (uid: eau, titi) (ServerGroup: unix)
Jan F. Chadima 7e7fb4
+              | LDAP Server |    \
Jan F. Chadima 7e7fb4
+	      | eau  ,rival |     server2 (uid: rival, eau) (ServerGroup: unix)
Jan F. Chadima 7e7fb4
+	      | titi ,toto  |
Jan F. Chadima 7e7fb4
+	      | userx,....  |         server5 (uid: eau)  (ServerGroup: mail)
Jan F. Chadima 7e7fb4
+               \___________/ \       /
Jan F. Chadima 7e7fb4
+	                       ----- - server4 (uid: eau, rival)  (no group configured)
Jan F. Chadima 7e7fb4
+			             \
Jan F. Chadima 7e7fb4
+				        etc...
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+- WHAT WE NEED :
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
Jan F. Chadima 7e7fb4
+  * patched sshd (with this patch ;)
Jan F. Chadima 7e7fb4
+  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
Jan F. Chadima 7e7fb4
+        User entry:
Jan F. Chadima 7e7fb4
+	- attached to the 'ldapPublicKey' objectclass
Jan F. Chadima 7e7fb4
+	- attached to the 'posixAccount' objectclass
Jan F. Chadima 7e7fb4
+	- with a filled 'sshPublicKey' attribute 
Jan F. Chadima 7e7fb4
+	Example:
Jan F. Chadima 7e7fb4
+		dn: uid=eau,ou=users,dc=cuckoos,dc=net
Jan F. Chadima 7e7fb4
+		objectclass: top
Jan F. Chadima 7e7fb4
+		objectclass: person
Jan F. Chadima 7e7fb4
+		objectclass: organizationalPerson
Jan F. Chadima 7e7fb4
+		objectclass: posixAccount
Jan F. Chadima 7e7fb4
+		objectclass: ldapPublicKey
Jan F. Chadima 7e7fb4
+		description: Eric AUGE Account
Jan F. Chadima 7e7fb4
+		userPassword: blah
Jan F. Chadima 7e7fb4
+		cn: Eric AUGE
Jan F. Chadima 7e7fb4
+		sn: Eric AUGE
Jan F. Chadima 7e7fb4
+		uid: eau
Jan F. Chadima 7e7fb4
+		uidNumber: 1034
Jan F. Chadima 7e7fb4
+		gidNumber: 1
Jan F. Chadima 7e7fb4
+		homeDirectory: /export/home/eau
Jan F. Chadima 7e7fb4
+		sshPublicKey: ssh-dss AAAAB3...
Jan F. Chadima 7e7fb4
+		sshPublicKey: ssh-dss AAAAM5...
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+	Group entry:
Jan F. Chadima 7e7fb4
+	- attached to the 'posixGroup' objectclass
Jan F. Chadima 7e7fb4
+	- with a 'cn' groupname attribute
Jan F. Chadima 7e7fb4
+	- with multiple 'memberUid' attributes filled with usernames allowed in this group
Jan F. Chadima 7e7fb4
+	Example:
Jan F. Chadima 7e7fb4
+		# few members
Jan F. Chadima 7e7fb4
+		dn: cn=unix,ou=groups,dc=cuckoos,dc=net
Jan F. Chadima 7e7fb4
+		objectclass: top
Jan F. Chadima 7e7fb4
+		objectclass: posixGroup
Jan F. Chadima 7e7fb4
+		description: Unix based servers group
Jan F. Chadima 7e7fb4
+		cn: unix
Jan F. Chadima 7e7fb4
+		gidNumber: 1002
Jan F. Chadima 7e7fb4
+		memberUid: eau
Jan F. Chadima 7e7fb4
+		memberUid: user1
Jan F. Chadima 7e7fb4
+		memberUid: user2
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+- HOW IT WORKS :
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  * without patch
Jan F. Chadima 7e7fb4
+  If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
Jan F. Chadima 7e7fb4
+  and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  * with the patch
Jan F. Chadima 7e7fb4
+  If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
Jan F. Chadima 7e7fb4
+  It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem. 
Jan F. Chadima 7e7fb4
+  (usually in $HOME/.ssh/authorized_keys)
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  2 tokens are added to sshd_config :
Jan F. Chadima 7e7fb4
+  # here is the new patched ldap related tokens
Jan F. Chadima 7e7fb4
+  PubkeyAgent /usr/libexec/openssh/ssh-ldap-helper -s %u
Jan F. Chadima 7e7fb4
+  PubkeyAgentRunAs nobody
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  The LDAP configuratin is read from common /etc/ldap.conf configuration file.
Jan F. Chadima 7e7fb4
+There is also one optional parameter in the LDAP configuration file, SSH_Filter, which is a LDAP filter limiting keys to be searched.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  * my way (there is plenty :)
Jan F. Chadima 7e7fb4
+  - create ldif file (i.e. users.ldif)
Jan F. Chadima 7e7fb4
+  - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
Jan F. Chadima 7e7fb4
+  - my way in 4 steps :
Jan F. Chadima 7e7fb4
+  Example:
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  # you add this to the user entry in the LDIF file :
Jan F. Chadima 7e7fb4
+  [...]
Jan F. Chadima 7e7fb4
+  objectclass: posixAccount
Jan F. Chadima 7e7fb4
+  objectclass: ldapPublicKey
Jan F. Chadima 7e7fb4
+  [...]
Jan F. Chadima 7e7fb4
+  sshPubliKey: ssh-dss AAAABDh12DDUR2...
Jan F. Chadima 7e7fb4
+  [...]
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  # insert your entry and you're done :)
Jan F. Chadima 7e7fb4
+  ldapadd -D balblabla -w bleh < file.ldif 
Jan F. Chadima 7e7fb4
+  
Jan F. Chadima 7e7fb4
+  all standard options can be present in the 'sshPublicKey' attribute.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+- WHY :
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  Simply because, i was looking for a way to centralize all sysadmins authentication, easily,  without completely using LDAP 
Jan F. Chadima 7e7fb4
+  as authentication method (like pam_ldap etc..).  
Jan F. Chadima 7e7fb4
+  
Jan F. Chadima 7e7fb4
+  After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get 
Jan F. Chadima 7e7fb4
+  public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
Jan F. Chadima 7e7fb4
+  objectclass within LDAP and part of the group the SSH server is in). 
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase 
Jan F. Chadima 7e7fb4
+  so each user can change it as much as he wants). 
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+- RULES :  
Jan F. Chadima 7e7fb4
+  Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema. 
Jan F. Chadima 7e7fb4
+  and the additionnal lpk.schema.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication 
Jan F. Chadima 7e7fb4
+  (pamldap, nss_ldap, etc..).
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
Jan F. Chadima 7e7fb4
+  
Jan F. Chadima 7e7fb4
+  Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
Jan F. Chadima 7e7fb4
+  'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
Jan F. Chadima 7e7fb4
+  If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
Jan F. Chadima 7e7fb4
+  to log in 'server5' (i hope you got the idea, my english is bad :).
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
Jan F. Chadima 7e7fb4
+  server.
Jan F. Chadima 7e7fb4
+  When you want to allow a new user to have access to the server parc, you just add him an account on 
Jan F. Chadima 7e7fb4
+  your servers, you add his public key into his entry on the LDAP server, it's done. 
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  When the user needs to change his passphrase he can do it directly from his workstation by changing 
Jan F. Chadima 7e7fb4
+  his own key set lock passphrase, and all servers are automatically aware.
Jan F. Chadima 7e7fb4
+ 
Jan F. Chadima 7e7fb4
+  With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
Jan F. Chadima 7e7fb4
+  so he can add/modify/delete himself his public key when needed.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+­ FLAWS :
Jan F. Chadima 7e7fb4
+  LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP 
Jan F. Chadima 7e7fb4
+  allow write to users dn, somebody could replace someuser's public key by its own and impersonate some 
Jan F. Chadima 7e7fb4
+  of your users in all your server farm be VERY CAREFUL.
Jan F. Chadima 7e7fb4
+  
Jan F. Chadima 7e7fb4
+  MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login 
Jan F. Chadima 7e7fb4
+  as the impersonnated user.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+  If LDAP server is down then, no fallback on passwd auth.
Jan F. Chadima 7e7fb4
+  
Jan F. Chadima 7e7fb4
+  the ldap code part has not been well audited yet.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
Jan F. Chadima 7e7fb4
+    --- CUT HERE ---
Jan F. Chadima 7e7fb4
+    dn: uid=jdoe,ou=users,dc=foobar,dc=net
Jan F. Chadima 7e7fb4
+    objectclass: top
Jan F. Chadima 7e7fb4
+    objectclass: person
Jan F. Chadima 7e7fb4
+    objectclass: organizationalPerson
Jan F. Chadima 7e7fb4
+    objectclass: posixAccount
Jan F. Chadima 7e7fb4
+    objectclass: ldapPublicKey
Jan F. Chadima 7e7fb4
+    description: My account
Jan F. Chadima 7e7fb4
+    cn: John Doe
Jan F. Chadima 7e7fb4
+    sn: John Doe
Jan F. Chadima 7e7fb4
+    uid: jdoe
Jan F. Chadima 7e7fb4
+    uidNumber: 100
Jan F. Chadima 7e7fb4
+    gidNumber: 100
Jan F. Chadima 7e7fb4
+    homeDirectory: /home/jdoe
Jan F. Chadima 7e7fb4
+    sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
Jan F. Chadima 7e7fb4
+    [...]
Jan F. Chadima 7e7fb4
+    --- CUT HERE ---
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
Jan F. Chadima 7e7fb4
+    --- CUT HERE ---
Jan F. Chadima 7e7fb4
+    dn: cn=unix,ou=groups,dc=cuckoos,dc=net
Jan F. Chadima 7e7fb4
+    objectclass: top
Jan F. Chadima 7e7fb4
+    objectclass: posixGroup
Jan F. Chadima 7e7fb4
+    description: Unix based servers group
Jan F. Chadima 7e7fb4
+    cn: unix
Jan F. Chadima 7e7fb4
+    gidNumber: 1002
Jan F. Chadima 7e7fb4
+    memberUid: jdoe
Jan F. Chadima 7e7fb4
+    memberUid: user1
Jan F. Chadima 7e7fb4
+    memberUid: user2
Jan F. Chadima 7e7fb4
+    [...]
Jan F. Chadima 7e7fb4
+    --- CUT HERE ---
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+>> FYI: << 
Jan F. Chadima 7e7fb4
+Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+- COMPILING:
Jan F. Chadima 7e7fb4
+  1. Apply the patch
Jan F. Chadima 7e7fb4
+  2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
Jan F. Chadima 7e7fb4
+  3. make
Jan F. Chadima 7e7fb4
+  4. it's done.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+- BLA :
Jan F. Chadima 7e7fb4
+  I hope this could help, and i hope to be clear enough,, or give ideas.  questions/comments/improvements are welcome.
Jan F. Chadima 7e7fb4
+  
Jan F. Chadima 7e7fb4
+- TODO :
Jan F. Chadima 7e7fb4
+  Redesign differently.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+- DOCS/LINK :
Jan F. Chadima 7e7fb4
+  http://pacsec.jp/core05/psj05-barisani-en.pdf
Jan F. Chadima 7e7fb4
+  http://fritz.potsdam.edu/projects/openssh-lpk/
Jan F. Chadima 7e7fb4
+  http://fritz.potsdam.edu/projects/sshgate/
Jan F. Chadima 7e7fb4
+  http://dev.inversepath.com/trac/openssh-lpk
Jan F. Chadima 7e7fb4
+  http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+- CONTRIBUTORS/IDEAS/GREETS :
Jan F. Chadima 7e7fb4
+  - Eric AUGE <eau@phear.org>
Jan F. Chadima 7e7fb4
+  - Andrea Barisani <andrea@inversepath.com>
Jan F. Chadima 7e7fb4
+  - Falk Siemonsmeier.
Jan F. Chadima 7e7fb4
+  - Jacob Rief.
Jan F. Chadima 7e7fb4
+  - Michael Durchgraf.
Jan F. Chadima 7e7fb4
+  - frederic peters.
Jan F. Chadima 7e7fb4
+  - Finlay dobbie.
Jan F. Chadima 7e7fb4
+  - Stefan Fisher.
Jan F. Chadima 7e7fb4
+  - Robin H. Johnson.
Jan F. Chadima 7e7fb4
+  - Adrian Bridgett.
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 7e7fb4
+- CONTACT :
Jan F. Chadima 7e7fb4
+    Jan F. Chadima <jchadima@redhat.com>
Jan F. Chadima 7e7fb4
+
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/servconf.c.pka openssh-5.5p1/servconf.c
Jan F. Chadima b6bdf1
--- openssh-5.5p1/servconf.c.pka	2010-05-06 10:50:47.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/servconf.c	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima b6bdf1
@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions 
Jan F. Chadima 3fdf10
 	options->num_permitted_opens = -1;
Jan F. Chadima 3fdf10
 	options->adm_forced_command = NULL;
Jan F. Chadima 3fdf10
 	options->chroot_directory = NULL;
Jan F. Chadima 3fdf10
+	options->pubkey_agent = NULL;
Jan F. Chadima 3fdf10
+	options->pubkey_agent_runas = NULL;
Jan F. Chadima 3fdf10
 	options->zero_knowledge_password_authentication = -1;
Jan F. Chadima 3fdf10
 	options->revoked_keys_file = NULL;
Jan F. Chadima 3fdf10
 	options->trusted_user_ca_keys = NULL;
Jan F. Chadima b6bdf1
@@ -315,6 +317,7 @@ typedef enum {
Jan F. Chadima 3fdf10
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
Jan F. Chadima 3fdf10
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
Jan F. Chadima 3fdf10
 	sRevokedKeys, sTrustedUserCAKeys,
Jan F. Chadima 3fdf10
+	sPubkeyAgent, sPubkeyAgentRunAs,
Jan F. Chadima 3fdf10
 	sDeprecated, sUnsupported
Jan F. Chadima 3fdf10
 } ServerOpCodes;
Jan F. Chadima 3fdf10
 
Jan F. Chadima b6bdf1
@@ -437,6 +440,13 @@ static struct {
Jan F. Chadima 3fdf10
 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
Jan F. Chadima 3fdf10
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
Jan F. Chadima 3fdf10
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
Jan F. Chadima 3fdf10
+#ifdef WITH_PUBKEY_AGENT
Jan F. Chadima 3fdf10
+	{ "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
Jan F. Chadima 3fdf10
+	{ "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
Jan F. Chadima 3fdf10
+#else
Jan F. Chadima 3fdf10
+	{ "pubkeyagent", sUnsupported, SSHCFG_ALL },
Jan F. Chadima 3fdf10
+	{ "pubkeyagentrunas", sUnsupported, SSHCFG_ALL },
Jan F. Chadima 3fdf10
+#endif
Jan F. Chadima 3fdf10
 	{ NULL, sBadOption, 0 }
Jan F. Chadima 3fdf10
 };
Jan F. Chadima 3fdf10
 
Jan F. Chadima b6bdf1
@@ -1354,6 +1364,20 @@ process_server_config_line(ServerOptions
Jan F. Chadima 3fdf10
 		charptr = &options->revoked_keys_file;
Jan F. Chadima 3fdf10
 		goto parse_filename;
Jan F. Chadima 3fdf10
 
Jan F. Chadima 3fdf10
+	case sPubkeyAgent:
Jan F. Chadima 3fdf10
+		len = strspn(cp, WHITESPACE);
Jan F. Chadima 3fdf10
+		if (*activep && options->pubkey_agent == NULL)
Jan F. Chadima 3fdf10
+			options->pubkey_agent = xstrdup(cp + len);
Jan F. Chadima 3fdf10
+		return 0;
Jan F. Chadima 3fdf10
+
Jan F. Chadima 3fdf10
+	case sPubkeyAgentRunAs:
Jan F. Chadima 3fdf10
+		charptr = &options->pubkey_agent_runas;
Jan F. Chadima 3fdf10
+
Jan F. Chadima 3fdf10
+		arg = strdelim(&cp;;
Jan F. Chadima 3fdf10
+		if (*activep && *charptr == NULL)
Jan F. Chadima 3fdf10
+			*charptr = xstrdup(arg);
Jan F. Chadima 3fdf10
+		break;
Jan F. Chadima 3fdf10
+
Jan F. Chadima 3fdf10
 	case sDeprecated:
Jan F. Chadima 3fdf10
 		logit("%s line %d: Deprecated option %s",
Jan F. Chadima 3fdf10
 		    filename, linenum, arg);
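Review bot: The `sPubkeyAgentRunAs` case hands the result of `strdelim(&cp)` straight to `xstrdup` without the missing-argument check the other string options in this function perform; a `PubkeyAgentRunAs` line with no value makes `strdelim` return NULL and `xstrdup(NULL)` aborts the config parse. Add the usual guard after the strdelim call: `if (!arg || *arg == '\0') fatal("%s line %d: missing user name.", filename, linenum);`. As rendered the call reads `arg = strdelim(&cp;;`, which does not compile; if that is not a display artifact it must be `arg = strdelim(&cp);`. The `sPubkeyAgent` case deliberately takes the remainder of the line and returns early, which is fine, but since the stored value is presumably the command sshd later executes (the README example is `/usr/libexec/openssh/ssh-ldap-helper -s %u`), a one-line comment such as `/* rest of line is the agent command; consumed whole, so skip the trailing-garbage check */` would explain the `return 0`. process_server_config_line continues outside the hunk.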
Jan F. Chadima b6bdf1
@@ -1447,6 +1471,8 @@ copy_set_server_options(ServerOptions *d
Jan F. Chadima 3fdf10
 	M_CP_INTOPT(gss_authentication);
Jan F. Chadima 3fdf10
 	M_CP_INTOPT(rsa_authentication);
Jan F. Chadima 3fdf10
 	M_CP_INTOPT(pubkey_authentication);
Jan F. Chadima 3fdf10
+	M_CP_STROPT(pubkey_agent);
Jan F. Chadima 3fdf10
+	M_CP_STROPT(pubkey_agent_runas);
Jan F. Chadima 3fdf10
 	M_CP_INTOPT(kerberos_authentication);
Jan F. Chadima 3fdf10
 	M_CP_INTOPT(hostbased_authentication);
Jan F. Chadima 3fdf10
 	M_CP_INTOPT(kbd_interactive_authentication);
Jan F. Chadima b6bdf1
@@ -1692,6 +1718,8 @@ dump_config(ServerOptions *o)
Jan F. Chadima 3fdf10
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
Jan F. Chadima 3fdf10
 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
Jan F. Chadima 3fdf10
 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
Jan F. Chadima 3fdf10
+	dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
Jan F. Chadima 3fdf10
+	dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
Jan F. Chadima 3fdf10
 
Jan F. Chadima 3fdf10
 	/* string arguments requiring a lookup */
Jan F. Chadima 3fdf10
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/servconf.h.pka openssh-5.5p1/servconf.h
Jan F. Chadima b6bdf1
--- openssh-5.5p1/servconf.h.pka	2010-05-06 10:50:47.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/servconf.h	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima b6bdf1
@@ -157,6 +157,8 @@ typedef struct {
Jan F. Chadima 3fdf10
 	char   *chroot_directory;
Jan F. Chadima 3fdf10
 	char   *revoked_keys_file;
Jan F. Chadima 3fdf10
 	char   *trusted_user_ca_keys;
Jan F. Chadima 3fdf10
+	char   *pubkey_agent;
Jan F. Chadima 3fdf10
+	char   *pubkey_agent_runas;
Jan F. Chadima 3fdf10
 }       ServerOptions;
Jan F. Chadima 3fdf10
 
Jan F. Chadima 3fdf10
 void	 initialize_server_options(ServerOptions *);
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/sshd_config.0.pka openssh-5.5p1/sshd_config.0
Jan F. Chadima b6bdf1
--- openssh-5.5p1/sshd_config.0.pka	2010-05-06 10:50:47.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/sshd_config.0	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 3fdf10
@@ -352,7 +352,8 @@ DESCRIPTION
Jan F. Chadima 3fdf10
              KbdInteractiveAuthentication, KerberosAuthentication,
Jan F. Chadima 3fdf10
              MaxAuthTries, MaxSessions, PasswordAuthentication,
Jan F. Chadima 3fdf10
              PermitEmptyPasswords, PermitOpen, PermitRootLogin,
Jan F. Chadima 3fdf10
-             PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
Jan F. Chadima 3fdf10
+             PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs,
Jan F. Chadima 3fdf10
+             RhostsRSAAuthentication, RSAAuthentication,
Jan F. Chadima 3fdf10
              X11DisplayOffset, X11Forwarding and X11UseLocalHost.
Jan F. Chadima 3fdf10
 
Jan F. Chadima 3fdf10
      MaxAuthTries
Jan F. Chadima 3fdf10
@@ -467,6 +468,17 @@ DESCRIPTION
Jan F. Chadima 3fdf10
              this file is not readable, then public key authentication will be
Jan F. Chadima 3fdf10
              refused for all users.
Jan F. Chadima 3fdf10
 
Jan F. Chadima 3fdf10
+     PubkeyAgent
Jan F. Chadima 3fdf10
+             Specifies which agent is used for lookup of the user's public
Jan F. Chadima 3fdf10
+             keys. Empty string means to use the authorized_keys file.  By
Jan F. Chadima 3fdf10
+             default there is no PubkeyAgent set.  Note that this option has
Jan F. Chadima 3fdf10
+             an effect only with PubkeyAuthentication switched on.
Jan F. Chadima 3fdf10
+
Jan F. Chadima 3fdf10
+     PubkeyAgentRunAs
Jan F. Chadima 3fdf10
+             Specifies the user under whose account the PubkeyAgent is run.
Jan F. Chadima 3fdf10
+             Empty string (the default value) means the user being authorized
Jan F. Chadima 3fdf10
+             is used.
Jan F. Chadima 3fdf10
+
Jan F. Chadima 3fdf10
      RhostsRSAAuthentication
Jan F. Chadima 3fdf10
              Specifies whether rhosts or /etc/hosts.equiv authentication to-
Jan F. Chadima 3fdf10
              gether with successful RSA host authentication is allowed.  The
Jan F. Chadima 3fdf10
diff -up openssh-5.5p1/sshd_config.5.pka openssh-5.5p1/sshd_config.5
Jan F. Chadima b6bdf1
--- openssh-5.5p1/sshd_config.5.pka	2010-05-06 10:50:46.000000000 +0200
Jan F. Chadima b6bdf1
+++ openssh-5.5p1/sshd_config.5	2010-05-06 10:50:50.000000000 +0200
Jan F. Chadima 3fdf10
@@ -618,6 +618,9 @@ Available keywords are
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
+.Cm PubkeyAuthentication ,
+.Cm PubkeyAgent ,
+.Cm PubkeyAgentRunAs ,
 .Cm PasswordAuthentication ,
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
@@ -819,6 +822,16 @@ Specifies a list of revoked public keys.
 Keys listed in this file will be refused for public key authentication.
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
++.It Cm PubkeyAgent
++Specifies which agent is used for lookup of the user's public
++keys. Empty string means to use the authorized_keys file.
++By default there is no PubkeyAgent set.
++Note that this option has an effect only with PubkeyAuthentication
++switched on.
++.It Cm PubkeyAgentRunAs
++Specifies the user under whose account the PubkeyAgent is run. Empty
++string (the default value) means the user being authorized is used.
++.Dq 
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
diff -up openssh-5.5p1/sshd_config.pka openssh-5.5p1/sshd_config
--- openssh-5.5p1/sshd_config.pka	2010-05-06 10:50:47.000000000 +0200
+++ openssh-5.5p1/sshd_config	2010-05-06 10:50:50.000000000 +0200
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
+#PubkeyAgent none
+#PubkeyAgentRunAs nobody
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
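Review bot: The sample values on the added lines `#PubkeyAgent none` and `#PubkeyAgentRunAs nobody` do not match the defaults this same patch documents in sshd_config.0 and sshd_config.5, where an empty PubkeyAgent means the authorized_keys file is used and an empty PubkeyAgentRunAs means the user being authenticated. If the commented entries here follow the file's convention of showing the built-in default (as `#PubkeyAuthentication yes` above does), an administrator who uncomments them gets a helper that runs as `nobody` rather than the documented default account, and `none` is not described as an accepted PubkeyAgent value in any of the documentation hunks. Either show the documented defaults, e.g. `#PubkeyAgent` and `#PubkeyAgentRunAs`, or extend the sshd_config.5 text to state that `none` is accepted and to spell out which account the helper runs under, since that choice determines the privilege the key-lookup helper has when it executes.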
diff -up openssh-5.5p1/ssh-ldap-helper.8.pka openssh-5.5p1/ssh-ldap-helper.8
--- openssh-5.5p1/ssh-ldap-helper.8.pka	2010-05-06 10:50:50.000000000 +0200
+++ openssh-5.5p1/ssh-ldap-helper.8	2010-05-06 10:50:50.000000000 +0200
@@ -0,0 +1,78 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
+.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: April 29 2010 $
+.Dt SSH-LDAP-HELPER 8
+.Os
+.Sh NAME
+.Nm ssh-ldap-helper
+.Nd sshd helper program for ldap support
+.Sh SYNOPSIS
+.Nm ssh-ldap-helper
+.Op Fl devw
+.Op Fl f Ar file
+.Op Fl s Ar user
+.Sh DESCRIPTION
+.Nm
+is used by
+.Xr sshd 1
+to access keys provided by a LDAP.
+.Nm
+is disabled by default and can only be enabled in the
+sshd configuration file
+.Pa /etc/ssh/sshd_config
+by setting
+.Cm PubkeyAgent
+to
+.Dq /usr/libexec/ssh-ldap-helper -s %u .
+.Pp
+.Nm
+is not intended to be invoked by the user, but from
+.Xr sshd 8 .
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl d
+Set the debug mode, 
+.Nm
+prints all logs to stderr instead of syslog.
+.It Fl e
+Implies \-w
+.Nm
+halt when an unknown item is found in the ldap.conf file.
+.It Fl f
+Default /etc/ldap.conf.
+.Nm
+uses this file as a ldap configuration file.
+.It Fl s
+.Nm
+print out the keys of the user on stdout and exits.
+.It Fl v
+Implies \-d
+increases verbosity.
+.It Fl w
+.Nm
+writes warnings about unknown items in the ldap.conf file.
+
+.Sh SEE ALSO
+.Xr sshd 8 ,
+.Xr sshd_config 5 ,
+.Sh HISTORY
+.Nm
+first appeared in
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com