Bug 658044 - >=net-misc/openssh-7.7[ldap] migration
Summary: >=net-misc/openssh-7.7[ldap] migration
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Gentoo's Team for Core System packages
Reported: 2018-06-13 15:22 UTC by Thomas Deutschmann (RETIRED)
Modified: 2018-08-07 21:38 UTC
Description Thomas Deutschmann (RETIRED) gentoo-dev 2018-06-13 15:22:04 UTC
tl;dr
Previous openssh-lpk patch is dead and doesn't work anymore with >=openssh-7.7. We need to switch implementation. However, the new implementation is using a different schema per default. So we need to test it and we need a migration guide.

New implementation is https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.7p1-ldap.patch

Migration guide should be created at https://wiki.gentoo.org/wiki/SSH/LDAP_migration

We will add an unkeyworded ebuild for testing very soon.
Comment 1 Larry the Git Cow gentoo-dev 2018-06-13 15:25:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=780c17bca1d4ef4b7374f4fd3758e6352e622106

commit 780c17bca1d4ef4b7374f4fd3758e6352e622106
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-06-13 15:23:27 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-06-13 15:25:44 +0000

    net-misc/openssh: add test ebuild for new LDAP implementation
    
    We switched from dead openssh-lpk patch to Red Hat's rewritten
    LDAP patch which makes use of "AuthorizedKeysCommand".
    
    Warning:
    Default LDAP scheme isn't compatible. Migration is needed.
    
    Bug: https://bugs.gentoo.org/658044
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 net-misc/openssh/Manifest                   |   1 +
 net-misc/openssh/openssh-7.7_p1-r100.ebuild | 440 ++++++++++++++++++++++++++++
 2 files changed, 441 insertions(+)
Comment 2 Sergey Popov gentoo-dev 2018-07-02 15:08:01 UTC
LDAP scheme from LPK is compatible with new implementation. Also, path for ssh-ldap-helper in ssh-ldap-wrapper should be changed.
Comment 3 Sergey Popov gentoo-dev 2018-07-23 07:54:41 UTC
Ping. What's holding us on this? Only missing migration guide from our side?
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-23 14:26:53 UTC
Given that any future solution will use AuthorizedKeysCommand, we don't need to bundle OpenSSH package with ldap anymore. robbat2 wanted to look into packaging https://github.com/jirutka/ssh-ldap-pubkey as separate package I think.
Comment 5 Larry the Git Cow gentoo-dev 2018-08-04 20:21:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a2d49ef9bfb9c155f532a290a05acfe79b9c780

commit 1a2d49ef9bfb9c155f532a290a05acfe79b9c780
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-08-04 20:21:17 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-08-04 20:21:17 +0000

    sys-auth/ssh-ldap-pubkey: new package
    
    Bug: https://bugs.gentoo.org/658044
    Package-Manager: Portage-2.3.44, Repoman-2.3.10

 sys-auth/ssh-ldap-pubkey/Manifest                  |  1 +
 sys-auth/ssh-ldap-pubkey/metadata.xml              | 12 ++++
 .../ssh-ldap-pubkey/ssh-ldap-pubkey-1.3.0.ebuild   | 64 ++++++++++++++++++++++
 3 files changed, 77 insertions(+)
Comment 6 Larry the Git Cow gentoo-dev 2018-08-07 21:20:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=2f3b1798c03729be144d39c1b8d336f077db2e51

commit 2f3b1798c03729be144d39c1b8d336f077db2e51
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-08-07 21:09:22 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-08-07 21:17:25 +0000

    2018-08-07-openssh-ldap-migration: add
    
    Bug: https://bugs.gentoo.org/658044

 .../2018-08-07-openssh-ldap-migration.en.txt            | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2018-08-07 21:38:57 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=89ffd7e286e781050307fbe62c0cc83d4fbd9b29

commit 89ffd7e286e781050307fbe62c0cc83d4fbd9b29
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-08-07 21:36:56 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-08-07 21:38:45 +0000

    net-misc/openssh: drop USE=ldap in favor of sys-auth/ssh-ldap-pubkey
    
    We no longer patch net-misc/openssh to include LDAP functionality.
    If you need to authenticate against LDAP, please install
    sys-auth/ssh-ldap-pubkey and use OpenSSH's "AuthorizedKeysCommand"
    option.
    
    See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details.
    
    Closes: https://bugs.gentoo.org/658044
    Closes: https://github.com/gentoo/gentoo/pull/9400
    Package-Manager: Portage-2.3.44, Repoman-2.3.10

 net-misc/openssh/openssh-7.7_p1-r7.ebuild | 444 ++++++++++++++++++++++++++++++
 1 file changed, 444 insertions(+)
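
For the move from the patched-in LDAP support to OpenSSH's "AuthorizedKeysCommand" that closes this bug, here is an added example (not part of the bug report, the commits, or Gentoo's packaging) that audits an sshd_config after the migration. The helper name `example-ldap-keys`, the sample config, and the `UseLPK`/`Lpk*` option names treated as leftovers of the old patch are assumptions; the path, ownership and AuthorizedKeysCommandUser rules are the ones documented in sshd_config(5).

```python
import os
import stat

# Constructed sample of a half-migrated sshd_config (not from the bug report).
# "example-ldap-keys" is a placeholder helper name.
SAMPLE = """\
UseLPK yes
LpkServers ldap://ldap.example.org
AuthorizedKeysCommand example-ldap-keys
"""

def audit(text):
    """Return findings for an sshd_config passed as a string."""
    seen, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()  # sshd keywords are case-insensitive
        value = fields[1].strip() if len(fields) > 1 else ""
        # Assumption: the old patch's options are "UseLPK" and "Lpk*".
        if key == "uselpk" or key.startswith("lpk"):
            findings.append(f"stale openssh-lpk directive: {fields[0]}")
        seen.setdefault(key, value)  # sshd keeps the first value it reads
    cmd = seen.get("authorizedkeyscommand", "none")
    user = seen.get("authorizedkeyscommanduser")
    if cmd.lower() == "none":
        return findings + ["AuthorizedKeysCommand is not set"]
    if not cmd.startswith("/"):
        findings.append("AuthorizedKeysCommand is not an absolute path")
    if user is None:
        findings.append("AuthorizedKeysCommandUser is missing")
    elif user == "root":
        findings.append("AuthorizedKeysCommandUser is root")
    return findings

def check_helper(path):
    """sshd requires the helper to be root-owned, not group/other-writable."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append("not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The audit reads the file top to bottom and does not evaluate Match blocks, so a value set only inside one is treated as global. sshd refuses to start when AuthorizedKeysCommand is set without AuthorizedKeysCommandUser, which is why the missing user is reported rather than defaulted.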