Bug#319244: #319244 openssh-server: lpk alternative with AuthorizedKeysCommand available (OpenLDAP stores ssh keys)
On Mon, Aug 25, 2014 at 01:44:49AM +0200, Noël Köthe wrote:
> Am Montag, den 25.08.2014, 01:29 +0200 schrieb Noël Köthe:
> > As far as I can see the missing part is the helper program which is used
> > to ask OpenLDAP for the ssh keys.
> > http://blather.michaelwlucas.com/archives/1470 points to the redhat
> > helper which might help.
> > With the helper program this bug could IMHO be closed because everything
> > is there/in Debian to use openldap to store the ssh-keys centrally.
>
> Which can be found here:
>
> https://git.centos.org/blob/rpms!openssh.git/4eaffbf49ce743e7aa4421e4b3378a990512d0f2/SOURCES!openssh-6.3p1-ldap.patch

I thought this might be a tiny thing, but the current version is a
2672-line patch, which is really a bit much; having the 3000-odd-line
gssapi.patch is bad enough and I don't have the time to take on more
potential maintenance burden like that. There's no indication of the
upstream inclusion status of this patch, and the spec file comments it
with "unwanted child :(", which is not encouraging!

It does not appear to me that this LDAP helper actually uses very much
of openssh's internal functions; it seems to just use some logging,
string manipulation, and memory management helpers, which would be very
easy to handle elsewhere.

My recommendation would be to package this helper separately, where
somebody who is more familiar with and invested in the LDAP integration
could maintain it directly rather than having to go through me, since
there doesn't seem much actual benefit in patching this into the openssh
packaging to offset the maintenance costs.

Thanks,
--
Colin Watson [cjwatson@debian.org]