LPK integration - summary and ideas
Philipp Marek
philipp.marek at linbit.com
Wed Jun 9 18:18:53 EST 2010
Hello everybody,
I'd like to have LPK (or something like that - getting public keys from
LDAP) integrated into mainline OpenSSH.
*** First of all, a summary.
The project page at
http://code.google.com/p/openssh-lpk/
mentions that a few distributions include LPK per default; but reading the
various threads at
Support for merging LPK and hpn-ssh into mainline openssh?
http://marc.info/?l=openssh-unix-dev&m=123483016220368&w=2
and
Support for merging LPK into mainline openssh?
http://marc.info/?l=openssh-unix-dev&m=125655418812760&w=2
I get the impression that the most important argument is this one, citing
Damien Miller (http://marc.info/?l=openssh-unix-dev&m=125252189630862&w=2):
> Because the API presented by the LDAP libraries that I have looked at is
> quite ugly, because different platforms have different favourite LDAP
> APIs, because we don't want to build in support for every crazy variant
> schema that people will inevitably come up with.
Regarding the other way, ie. using another process, (from the same mail)
> On Wed, 9 Sep 2009, Howard Chu wrote:
> > Hmm. Pushing this out to a separate process requires inventing yet
> > another IPC protocol, and adds one more moving piece that can break.
> > How does this approach avoid complexity?
>
> It avoids complexity in the critical part - the sshd daemon. It is more
> orthogonal too - if someone wants to store keys in xyzdb then they can
> make a subprocess to do that too.
there's another catch:
> > One thing that would be good is having some sort of signing mechnanism
> > on the Agent. As I see you check to make sure the ownership of the
> > file is ok.
> >
> > How about another approach is to sign the Agent with the servers
> > private key (if that's possible??).
> Maybe may be included SHA hash of agent program in the config file
> and it may be checked before running the agent. But it is necessary?
> and who will check all the shared libraies used?
*** Brainstorming
So, given that arguments, I'd like to offer a few ideas that might help.
1) How about loading some shared library (libraries) for retrieving
public keys? The library would provide interfaces like an
init(), uninit(), and lookup().
Lookup would get the username and public key, and return a string
describing the login options ("environment=...") or NULL for no
public key found.
Alternatively it could provide a function for returning a list
of public keys, but I think doing a single lookup would be better.
2) If a separate process is the better way, how about skipping the
signature idea and instead provide the same level of securiy as
sshd itself?
Just open two pipes (STDIN, STDOUT) to an external program started
on sshd startup, use them for communication, and if the handles ever
get closed just log an error and don't use them anymore.
So if the external program gets changed on disk it wouldn't matter
(or at least, only as far as changing /usr/sbin/sshd would, too).
3) The other idea I heard (but more of a joke, I think) was to use
FUSE to provide the public keys from LDAP.
I'd like all interested parties to participate in this thread, to get a
discussion going, and get an approximate level of community interest.
Thank you for all answers.
Regards,
Phil
More information about the openssh-unix-dev
mailing list