LPK integration - summary and ideas

Philipp Marek philipp.marek at linbit.com
Wed Jun 9 18:18:53 EST 2010 

Hello everybody,

I'd like to have LPK (or something like that - getting public keys from 
LDAP) integrated into mainline OpenSSH.


*** First of all, a summary.

The project page at

	http://code.google.com/p/openssh-lpk/

mentions that a few distributions include LPK per default; but reading the 
various threads at

	Support for merging LPK and hpn-ssh into mainline openssh?
	http://marc.info/?l=openssh-unix-dev&m=123483016220368&w=2

and

	Support for merging LPK into mainline openssh?
	http://marc.info/?l=openssh-unix-dev&m=125655418812760&w=2

I get the impression that the most important argument is this one, citing 
Damien Miller (http://marc.info/?l=openssh-unix-dev&m=125252189630862&w=2):
> Because the API presented by the LDAP libraries that I have looked at is
> quite ugly, because different platforms have different favourite LDAP
> APIs, because we don't want to build in support for every crazy variant
> schema that people will inevitably come up with.

Regarding the other way, ie. using another process, (from the same mail)
> On Wed, 9 Sep 2009, Howard Chu wrote:
> > Hmm. Pushing this out to a separate process requires inventing yet
> > another IPC protocol, and adds one more moving piece that can break.
> > How does this approach avoid complexity?
> 
> It avoids complexity in the critical part - the sshd daemon. It is more
> orthogonal too - if someone wants to store keys in xyzdb then they can
> make a subprocess to do that too.

there's another catch:
> > One thing that would be good is having some sort of signing mechnanism
> > on the Agent. As I see you check to make sure the ownership of the
> > file is ok.
> > 
> > How about another approach is to sign the Agent with the servers
> > private key (if that's possible??).
> Maybe may be included SHA hash of agent program in the config file
> and it may be checked before running the agent. But it is necessary?
> and who will check all the shared libraies used?


*** Brainstorming

So, given that arguments, I'd like to offer a few ideas that might help.

1) How about loading some shared library (libraries) for retrieving
   public keys? The library would provide interfaces like an 
   init(), uninit(), and lookup().
   Lookup would get the username and public key, and return a string
   describing the login options ("environment=...") or NULL for no
   public key found.
   Alternatively it could provide a function for returning a list
   of public keys, but I think doing a single lookup would be better.

2) If a separate process is the better way, how about skipping the
   signature idea and instead provide the same level of securiy as
   sshd itself?
   Just open two pipes (STDIN, STDOUT) to an external program started
   on sshd startup, use them for communication, and if the handles ever
   get closed just log an error and don't use them anymore.
   So if the external program gets changed on disk it wouldn't matter
   (or at least, only as far as changing /usr/sbin/sshd would, too).

3) The other idea I heard (but more of a joke, I think) was to use
   FUSE to provide the public keys from LDAP.


I'd like all interested parties to participate in this thread, to get a 
discussion going, and get an approximate level of community interest.


Thank you for all answers.


Regards,

Phil

More information about the openssh-unix-dev mailing list