On Tue, Feb 12, 2013 at 05:47:23PM +0100, Pierangelo Masarati wrote:
> On 02/12/2013 05:32 PM, Michael W. Lucas wrote:
> > Hi,
> >
> > I'm running OpenLDAP 2.4.21 on FreeBSD. We do a lot of administration
> > via phpLDAPAdmin, but I do some command-line stuff. And I've seen an
> > inconsistency between the two in the ldapPublicKey object class.
> >
> > When I look in phpLDAPAdmin, my SSH keys start like this:
> >
> > ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAw9zmtbk8b...
> > ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfZ/p...
> >
> > If I do a ldapsearch, however, I get:
> >
> > sshPublicKey:: c3NoLXJzYSBBQUFBQjNOemFD....
> > sshPublicKey: ssh-rsa AAAAB3NzaC1
> >
> > The ssh-rsa or ssh-dss string is missing from all public keys except
> > the last one displayed. The entries without a key type have a double
> > colon.
> >
> > slapcat behaves like ldapsearch.
> >
> > But I have to believe that the key type information is in the
> > database, somewhere, because phpLDAPAdmin reports it's there.
> >
> > I didn't notice this while we used the LPK patch for our SSH servers,
> > but we're now migrating to the official OpenSSH AuthorizedKeysCommand
> > feature. I have a script to retrieve the keys, but my SSH servers only
> > recognize the last key. It rejects the others because they don't have
> > a key type attached.
>
> $ echo -n 'c3NoLXJzYSBBQUFBQjNOemFD' | base64 -d && echo ''
> ssh-rsa AAAAB3NzaC
>
> likely there is something in the key that makes ldapsearch present it
> b64-encoded (likely a trailing space?)
You are exactly correct, thank you! The problem keys had a trailing
newline. Removed that, and all problems went away.

==ml

-- 
Michael W. Lucas - [email protected], Twitter @mwlauthor
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.
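The mechanism behind the thread, as an added example that is not from the list, from OpenLDAP or from either poster's scripts: RFC 2849 requires an LDIF writer (ldapsearch, slapcat) to base64-encode any value that contains a newline, and the `::` separator is the only visible hint. A script that feeds sshPublicKey values to AuthorizedKeysCommand therefore has to decode `::` lines, strip stray trailing whitespace, and check that a key type survived. The DN, the truncated key material and the extra trailing-space and type-less values below are constructed for illustration; the first two values mirror the ones quoted above.

```python
import base64
import re

# RFC 2849 safe-string rules: an LDIF writer must base64-encode a value that is empty,
# non-ASCII, contains NUL/CR/LF, or starts with space, ':' or '<'; it SHOULD also encode
# a value that ends with a space. The "::" separator is the tell in ldapsearch output.
def needs_base64(value):
    """Return why `value` (bytes) must be base64 in LDIF, or None if it can be written plain."""
    if not value:
        return "empty value"
    if any(b > 127 for b in value):
        return "non-ASCII byte"
    if value.endswith(b"\n") or value.endswith(b"\r\n"):
        return "trailing newline"  # the case diagnosed in the thread above
    if any(b in (0, 10, 13) for b in value):
        return "embedded NUL, CR or LF"
    if value[0] in b" :<":
        return "leading %r" % chr(value[0])
    if value.endswith(b" "):
        return "trailing space"
    return None


def ldif_line(attr, value):
    """Serialise one attribute value the way an RFC 2849 writer does."""
    if needs_base64(value):
        return "%s:: %s" % (attr, base64.b64encode(value).decode("ascii"))
    return "%s: %s" % (attr, value.decode("ascii"))


# attr, then ":" or "::", optional fill spaces, then the value (":<" URL values are skipped)
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) *(.*)$")


def parse_ldif_values(ldif_text, attr):
    """Return (raw_bytes, was_base64) for each value of `attr`, unfolding continuation lines."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:  # a leading space continues the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    values = []
    for line in unfolded:
        m = LINE_RE.match(line)
        if not m or m.group(1).lower() != attr.lower():
            continue
        if m.group(2) == ":" and m.group(3).startswith("<"):
            continue  # URL-valued attribute, not handled here
        if m.group(2) == "::":
            values.append((base64.b64decode(m.group(3)), True))
        else:
            values.append((m.group(3).encode("ascii"), False))
    return values


# Key types sshd recognises in an authorized_keys line (options prefix not handled)
KEY_RE = re.compile(
    r"^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)) [A-Za-z0-9+/]+=*(?: .*)?$"
)


def authorized_keys(ldif_text):
    """What an AuthorizedKeysCommand helper should emit: decoded, whitespace-stripped keys.
    Returns (accepted_keys, [(rejected_value, reason), ...])."""
    accepted, rejected = [], []
    for raw, was_b64 in parse_ldif_values(ldif_text, "sshPublicKey"):
        key = raw.decode("ascii", "replace").strip()  # strip() is the fix from the thread
        if KEY_RE.match(key):
            accepted.append(key)
        else:
            reason = needs_base64(raw) if was_b64 else None
            rejected.append((key, reason or "no recognised key type"))
    return accepted, rejected


# Constructed stored values: the thread's pair (one with a stray newline, one clean),
# a trailing-space case, and a value with no key type that stays rejected after cleanup.
STORED_KEYS = [
    b"ssh-rsa AAAAB3NzaC\n",
    b"ssh-rsa AAAAB3NzaC1",
    b"ssh-dss AAAAB3NzaC1kc3MA ",
    b"AAAAB3NzaC1yc2E",
]
SAMPLE_LDIF = "\n".join(
    ["dn: uid=mwl,ou=people,dc=example,dc=com", "objectClass: ldapPublicKey"]
    + [ldif_line("sshPublicKey", k) for k in STORED_KEYS]
) + "\n"

if __name__ == "__main__":
    print(SAMPLE_LDIF)
    ok, bad = authorized_keys(SAMPLE_LDIF)
    for k in ok:
        print("accept:", k)
    for k, why in bad:
        print("reject:", k, "(%s)" % why)
```

Running it prints the LDIF exactly as ldapsearch would render those four values (the first and third with `::`), then accepts three keys and rejects the type-less one. The durable fix is still the one in the thread, cleaning the stored values, but the helper shows how to tell a harmless base64 rendering from a value that is genuinely missing its type.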
