Hello, I've done an ebuild to support LDAP public keys for authenticating on an sshd server. It's working fine here. I had to fix cosmetic stuff in the patch for 3.8.1. That's why the patch is in my dev space. The only problem would be that the ldap and X509 patches don't work with each other. Maybe prefer one by default if both are selected. Attachment follows.
Created attachment 36276 [details] openssh-3.8.1_p1-r1 ebuild with ldap public key support
Created attachment 47575 [details, diff] openssh-3.9 ldap public key patch This is an updated patch for openssh-3.9. To make the ebuild work, just patch the sources and add this before ./configure:

    if use ldap; then
        append-ldflags '-lldap -llber'
        export LDFLAGS
        append-flags -DWITH_LDAP_PUBKEY
        filter-flags -funroll-loops
    fi
This project looks actively supported and well documented: http://www.opendarwin.org/en/projects/openssh-lpk/ so that looks like a better candidate for an eventual portage inclusion.
-funroll-loops seems a strange one to force. Is there a reason for this?
filter-flags -funroll-loops comes from the original ebuild. I don't know why it's there.
Sorry, don't listen to me. I commented on this before I finished my coffee and for whatever reason read the filter-flags as an append-flags.
Created attachment 59684 [details, diff] new lpk patch New patch with a minor fix that changes default behaviour (lpk disabled) and doesn't touch default sshd_config except for lpk commented declarations.
Created attachment 59685 [details] openssh-3.9_p1-r3 ebuild with lpk support New ebuild that applies the previously attached patch.
Right now we at -infra are using the patch on our soon-to-be ldap server and it works fine; the only weird thing is that with patched openssh the 'Last Login' message usually printed after connecting is not shown. That happens leaving the configuration untouched. I looked into the code and nothing seems to modify the loginrec.c behaviour. Any idea what it could be?
*** Bug 93949 has been marked as a duplicate of this bug. ***
Created attachment 59857 [details, diff] latest lpk patch New patch for upstream with the fixes I proposed, also the 'last login' bit seems to be fixed.
Added support to 3.8.1, 3.9, and 4.0. The x509 and ldap patches conflict though, so x509 is given preference in the case of USE="x509 ldap".
Doesn't the LPK patch require a change to the LDAP schema? Then perhaps the corresponding schema should be included in the package, either installed in etc/openldap/schema/openssh-lpk.schema or in doc/openssh/openldap-lpk.schema. I think this one would do: http://dev.inversepath.com/openssh-lpk/openssh-lpk_openldap.schema
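To illustrate what the LPK mechanism discussed in this thread does on the server side (look up a user's public keys in the directory and match the key the client offers against them, ignoring the key comment), here is an added Python example; it is not code from the thread or from the openssh-lpk patch. The directory data is constructed, and the ldapPublicKey objectclass and sshPublicKey attribute names are assumed from the openssh-lpk schema linked above.

```python
import base64

# Constructed sample directory data (LDIF), not taken from the thread. The
# 'ldapPublicKey' objectclass and 'sshPublicKey' attribute are assumed from the
# openssh-lpk schema; bob has no ldapPublicKey class, so he gets no keys.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: ldapPublicKey
uid: alice
cn:: QWxpY2U=
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7example alice@laptop
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampl
 eKeyBytes alice@desk

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: bob
"""

def parse_ldif(text):
    """Parse simple LDIF into {dn: {attr: [values]}}; handles folded lines and '::' base64."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:      # folded continuation: drop the fold marker
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        elif lines:                            # blank line ends the entry
            attrs = {}
            for line in lines:
                attr, _, rest = line.partition(":")
                if rest.startswith(":"):       # 'attr:: <base64>'
                    value = base64.b64decode(rest[1:].strip()).decode()
                else:
                    value = rest.strip()
                attrs.setdefault(attr, []).append(value)
            entries[attrs["dn"][0]] = {k: v for k, v in attrs.items() if k != "dn"}
            lines = []
    return entries

def ldap_keys_for(entries, uid):
    """Keys an LPK-style lookup returns: only entries with the ldapPublicKey class count."""
    for attrs in entries.values():
        if uid in attrs.get("uid", []) and "ldapPublicKey" in attrs.get("objectClass", []):
            return list(attrs.get("sshPublicKey", []))
    return []

def key_matches(offered, stored_keys):
    """Match on key type and base64 blob only; the comment is not part of the credential."""
    def core(k):
        parts = k.split()
        return tuple(parts[:2]) if len(parts) >= 2 else None
    return core(offered) is not None and core(offered) in {core(k) for k in stored_keys}
```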