Re: ssh keys in ldap

1999-09-26 Thread Ben Gertzfield
 Jason == Jason Gunthorpe [EMAIL PROTECTED] writes:

Jason If nobody can see why this would be a bad idea I will
Jason deploy this system on db.debian.org and the debian.org
Jason machines in the near future. I hope that when lsh becomes
Jason usable a similar patch to it can be made.

It's definitely quite usable. Hopefully it won't encourage more people
to keep their private keys in, well, not-so-private places. :)

-- 
Brought to you by the letters B and X and the number 9.
It makes my nipples hard!
Debian GNU/Linux maintainer of Gimp and GTK+ -- http://www.debian.org/



Re: ssh keys in ldap

1999-09-26 Thread Wichert Akkerman
Previously Jason Gunthorpe wrote:
 I would like a couple people to look over this patch I have made to SSH.
 It creates a new option that allows ssh to look up RSA authentication keys
 in a global file modeled after the shadow password file.

Does this support multiple keys?

Wichert.

-- 
==
This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: [EMAIL PROTECTED]
WWW: http://www.wi.leidenuniv.nl/~wichert/




Re: ssh keys in ldap

1999-09-26 Thread Jason Gunthorpe

On Sun, 26 Sep 1999, Wichert Akkerman wrote:

 Previously Jason Gunthorpe wrote:
  I would like a couple people to look over this patch I have made to SSH.
  It creates a new option that allows ssh to look up RSA authentication keys
  in a global file modeled after the shadow password file.
 
 Does this support multiple keys?

Yes, it is exactly like the existing search method, it tries every key
assigned to the user until one actually works.

Jason



ssh keys in ldap

1999-09-25 Thread Jason Gunthorpe

Hi all,

I would like a couple people to look over this patch I have made to SSH.
It creates a new option that allows ssh to look up RSA authentication keys
in a global file modeled after the shadow password file. The intent is to
allow users to place their RSA ssh key into the ldap directory and then
have that key replicated automatically to all machines and used by ssh.

Checking of the global key file is done after looking at the user's
.ssh/authorized_keys file and the global file is keyed to each maintainer.
LDAP entries would look like this:

sshrsaauthkey=1024 35
13188913800864665310056145282172752809896969986210687776638992421269538682667499807562325681722264279958572627924253677904887346542958562754647616248471798299277451202136815142932982865314941795877586991831796183279248323438349823299332680534314763423857547649263063185581654408646481264156574330001283021
[EMAIL PROTECTED]

And I would probably put a PGP mail gateway to set new keys. [ie gpg
--clearsign < .ssh/identity.pub | mail [EMAIL PROTECTED]]

The advantage would be that everyone can use their ssh key uniformly on
all the machines. If someone loses their key or needs to revoke it due to
a compromise it can be done quickly and correctly.

If nobody can see why this would be a bad idea I will deploy this system
on db.debian.org and the debian.org machines in the near future. I hope
that when lsh becomes usable a similar patch to it can be made.

Thanks,
Jason

diff -ur ssh-1.2.27/auth-rsa.c ssh-1.2.27+jgg/auth-rsa.c
--- ssh-1.2.27/auth-rsa.c   Wed May 12 05:19:24 1999
+++ ssh-1.2.27+jgg/auth-rsa.c   Sat Sep 25 14:25:40 1999
@@ -211,7 +211,7 @@
successful.  This may exit if there is a serious protocol violation. */
 
 int auth_rsa(struct passwd *pw, MP_INT *client_n, RandomState *state,
- int strict_modes)
+ int strict_modes,int global)
 {
   char line[8192];
   int authenticated;
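Review bot: the new parameter in `+ int strict_modes,int global)` is undocumented; the comment block that ends with `successful.  This may exit if there is a serious protocol violation. */` should state what `global` selects (the user's own authorized keys file versus the global key file) and which values it takes, since callers now have to pass it on every call. Minor style point: `int strict_modes, int global` with a space after the comma matches the surrounding code.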
@@ -220,61 +220,93 @@
   UserFile uf;
   unsigned long linenum = 0;
   struct stat st;
-
-  /* Check permissions  owner of user's .ssh directory */
-  snprintf(line, sizeof(line), %.500s/%.100s, pw-pw_dir, SSH_USER_DIR);
-
-  /* Check permissions  owner of user's home directory */
-  if (strict_modes  !userfile_check_owner_permissions(pw, pw-pw_dir))
-{
-  log_msg(Rsa authentication refused for %.100s: bad modes for %.200s,
-  pw-pw_name, pw-pw_dir);
-  packet_send_debug(Bad file modes for %.200s, pw-pw_dir);
-  return 0;
-}
-
-  /* Check if user have .ssh directory */
-  if (userfile_stat(pw-pw_uid, line, st)  0)
-{
-  log_msg(Rsa authentication refused for %.100s: no %.200s directory,
-  pw-pw_name, line);
-  packet_send_debug(Rsa authentication refused, no %.200s directory,
-line);
-  return 0;
-}
-  
-  if (strict_modes  !userfile_check_owner_permissions(pw, line))
-{
-  log_msg(Rsa authentication refused for %.100s: bad modes for %.200s,
-  pw-pw_name, line);
-  packet_send_debug(Bad file modes for %.200s, line);
-  return 0;
-}
+  const char *keyfile = 0;
+   
+  if (global == 0)
+  {
+ /* Check permissions  owner of user's .ssh directory */
+ snprintf(line, sizeof(line), %.500s/%.100s, pw-pw_dir, SSH_USER_DIR);
+ 
+ /* Check permissions  owner of user's home directory */
+ if (strict_modes  !userfile_check_owner_permissions(pw, pw-pw_dir))
+ {
+   log_msg(Rsa authentication refused for %.100s: bad modes for %.200s,
+   pw-pw_name, pw-pw_dir);
+   packet_send_debug(Bad file modes for %.200s, pw-pw_dir);
+   return 0;
+ }
+ 
+ /* Check if user have .ssh directory */
+ if (userfile_stat(pw-pw_uid, line, st)  0)
+ {
+   log_msg(Rsa authentication refused for %.100s: no %.200s directory,
+   pw-pw_name, line);
+   packet_send_debug(Rsa authentication refused, no %.200s directory,
+ line);
+   return 0;
+ }
+ 
+ if (strict_modes  !userfile_check_owner_permissions(pw, line))
+ {
+   log_msg(Rsa authentication refused for %.100s: bad modes for %.200s,
+   pw-pw_name, line);
+   packet_send_debug(Bad file modes for %.200s, line);
+   return 0;
+ }
+ 
+ /* Check permissions  owner of user's authorized keys file */
+ snprintf(line, sizeof(line),
+ %.500s/%.100s, pw-pw_dir, SSH_USER_PERMITTED_KEYS);
+ 
+ /* Open the file containing the authorized keys. */
+ if (userfile_stat(pw-pw_uid, line, st)  0)
+   return 0;
+ 
+ if (strict_modes  !userfile_check_owner_permissions(pw, line))
+ {
+   log_msg(Rsa authentication refused for %.100s: bad modes for %.200s,
+   pw-pw_name, line);
+   packet_send_debug(Bad file modes for %.200s, line);
+   return 0;
+ }
+
+ uf = userfile_open(pw-pw_uid, line, O_RDONLY, 0);
+ if (uf == NULL)
+ {
+   packet_send_debug(Could not open %.900s for
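Review bot: the entire ownership and mode check sequence (home directory, .ssh directory, authorized keys file) now sits inside `if (global == 0)`, so nothing visible in this hunk checks the global key file itself. A key in that file is accepted on every machine, so the `global` branch should apply at least the same `strict_modes` test (root-owned, not writable by group or others) before reading it, and refuse with a `log_msg`/`packet_send_debug` pair the way the per-user path does. Also `+  const char *keyfile = 0;` is declared but not used in the visible lines; the hunk is cut off here, so that may be resolved further down, but the global-file check is worth confirming either way.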
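The lookup the patch describes, written out as an added example (mine, not code from the patch or from ssh 1.2.27): a shadow-style global key file keyed by username, the SSH1 "bits exponent modulus comment" key syntax from the LDAP entry above, the "try every key assigned to the user until one matches" search, and a strict-modes style check the global file itself should pass. The `user:key` file layout, the key values and the permission policy are constructed assumptions, not the patch's actual format.

```python
"""SSH1 RSA key lookup in a shadow-style global key file (illustrative)."""
import re
import stat

# Constructed sample: one "username:bits exponent modulus comment" line per
# key; the moduli are made-up small numbers, not real 1024-bit keys.
GLOBAL_KEYFILE = """\
# global ssh key file, replicated from ldap (constructed sample)
jgg:1024 35 1318891380086466531005614528217 jgg@debian.org
jgg:1024 35 98765432109876543210987654321 jgg-laptop
wichert:1024 35 11111111111111111111111111111 wichert@example
bogus:this is not a key
"""

KEY_RE = re.compile(r"^(\d+) (\d+) (\d+)(?: (.*))?$")


def parse_rsa1_key(text):
    """Parse 'bits exponent modulus [comment]' into (bits, e, n, comment)."""
    m = KEY_RE.match(text.strip())
    if not m:
        raise ValueError("malformed RSA1 key line")
    bits, e, n, comment = m.groups()
    return int(bits), int(e), int(n), comment or ""


def keys_for_user(keyfile_text, username):
    """Return every key assigned to username, in file order; malformed
    entries are skipped, as sshd skips bad authorized_keys lines."""
    keys = []
    for line in keyfile_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, keytext = line.partition(":")
        if not sep or user != username:
            continue
        try:
            keys.append(parse_rsa1_key(keytext))
        except ValueError:
            continue
    return keys


def find_matching_key(keyfile_text, username, client_n):
    """Like auth_rsa's search: try each of the user's keys until the modulus
    offered by the client matches; return that key, or None."""
    for key in keys_for_user(keyfile_text, username):
        if key[2] == client_n:
            return key
    return None


def global_keyfile_trusted(st_uid, st_mode):
    """Assumed strict-modes policy for the global file: owned by root and
    not writable by group or others, otherwise refuse to consult it."""
    return st_uid == 0 and not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))
```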