Request for LPK patch to be merged

Chris Wilson chris at qwirx.com
Fri Dec 7 22:58:09 EST 2007


Hi all,

I sent this message a few weeks ago and so far have not had any reply. Is 
there another procedure for requesting such changes?

Cheers, Chris.

On Sun, 25 Nov 2007, Chris Wilson wrote:

> At my organisation we have an LDAP infrastructure built on OpenLDAP, 
> between Unix boxes running OpenSSH at multiple sites. It works well but 
> the SSH key management is something of an inconvenience, especially as we 
> would like to implement SSO with ssh-agent and passphrased keys.
> 
> There is an OpenSSH patch called LPK which can allow the authorized_keys 
> to be stored in LDAP, and that would be really useful in our environment. 
> However we don't really want to maintain our own packages, and our default 
> distro doesn't want to supply packages with the LPK patch as long as it's 
> not supported upstream.
> 
> So I'd like to request that you consider the LPK patch for merging into 
> OpenSSH. You can find it here:
> 
>   http://dev.inversepath.com/trac/openssh-lpk
> 
> Here is the description of what specifically we are trying to achieve:
> 
>   http://dev.inversepath.com/openssh-lpk/ldap_fosdem_2006.pdf
> 
> In particular: "The final goal is cross-platform authentication, being 
> able to manage users globally on the LDAP server, without performing any 
> action on the server pool (scalability for add/revoke a user to N servers 
> scenarios)"
> 
> And here is another page giving another good reason for using LPK:
> 
>   http://blog.fupps.com/2006/03/02/ssh-public-keys-from-ldap/
> 
> "What happens when you have dozens or more [machines]? You have to 
> maintain your public keys on all those systems, ensuring they are kept up 
> to date. God forbid that you lose your private key, or that it becomes 
> compromised: you'd have to quickly change all the authorized_keys files on 
> all machines!"
> 
> I'm not the developer of the patch, but if there are specific issues that 
> need to be addressed then I'd be happy to coordinate with the maintainer 
> and/or lend a hand to see them addressed.
> 
> Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
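What the LPK patch has sshd do, in outline, is look up the authenticating user's directory entry and treat its stored public keys as that user's authorized_keys. Below is an added example, written for this page rather than taken from the LPK patch or from OpenSSH, of the lookup and the checks a defender would want around it: the search is pinned to one uid, only entries carrying the LPK schema's ldapPublicKey objectClass (attribute sshPublicKey) are trusted, and each value is checked to be a well-formed key line before it is handed to the authentication path. The directory reply is modelled as a constructed LDIF string so the code runs offline; the key blobs in it are constructed placeholders with correct framing, not usable keys.

```python
"""
Added example: emulate an LDAP-backed authorized_keys lookup (as LPK does)
on a constructed LDIF search result. Not code from the LPK patch or OpenSSH.
Assumptions: LPK schema (objectClass ldapPublicKey, attribute sshPublicKey);
a real deployment replaces SAMPLE_LDIF with an actual LDAP search result.
"""
import base64
import struct

ALLOWED_KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr_lowercase: [values]} per entry.
    Handles folded continuation lines (leading space) and base64 values
    ('attr:: <b64>'); enough for search output, not a full RFC 2849 parser."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                  # 'attr:: base64value'
            value = base64.b64decode(rest[1:].strip()).decode()
        else:
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def valid_public_key(key_line):
    """Accept only 'type base64blob [comment]' where the blob is real base64
    and its first length-prefixed string repeats the declared key type."""
    parts = key_line.split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] == parts[0].encode()


def authorized_keys_for(entries, uid):
    """Keys for exactly one uid, only from ldapPublicKey entries, with
    malformed values dropped. Removing the attribute in the directory
    revokes the key on every server that performs this lookup."""
    out = []
    for e in entries:
        if uid not in e.get("uid", []):
            continue
        if "ldappublickey" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        out.extend(k for k in e.get("sshpublickey", []) if valid_public_key(k))
    return out


# --- constructed sample data (placeholder key material, not usable keys) ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _constructed_key(key_type, comment):
    blob = (_ssh_string(key_type.encode()) + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + b"\x5a" * 32))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def _fold(line, width=60):
    """LDIF line folding: continuation lines start with one space."""
    return "\n ".join(line[i:i + width] for i in range(0, len(line), width))


GOOD_KEY = _constructed_key("ssh-rsa", "alice@laptop")
SAMPLE_LDIF = f"""dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: ldapPublicKey
uid: alice
{_fold("sshPublicKey: " + GOOD_KEY)}
sshPublicKey: ssh-rsa not*base64 broken
sshPublicKey:: {base64.b64encode(GOOD_KEY.encode()).decode()}

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
sshPublicKey: {GOOD_KEY}
"""

if __name__ == "__main__":
    for line in authorized_keys_for(parse_ldif(SAMPLE_LDIF), "alice"):
        print(line)
```

Running it prints alice's two valid key lines (the folded one and the base64-encoded copy) and nothing for bob, whose entry lacks the ldapPublicKey objectClass; the malformed third value is silently dropped rather than reaching the authentication path.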