Please package openssh with LPK patch

Bug #156636 reported by gcc on 2007-10-24
70
This bug affects 12 people
Affects Status Importance Assigned to Milestone
portable OpenSSH
Won't Fix
Wishlist
Nominated for Main by Raubvogel
openssh (Debian)
New
Unknown
openssh (Ubuntu)
Wishlist
Unassigned
Declined for Jaunty by Mathias Gug
Declined for Karmic by Mathias Gug
Declined for Lucid by Mathias Gug

Bug Description

This patch is very useful for people running on LDAP infrastructure. It allows us to keep authorized_keys in LDAP instead of files on individual machines. It would be very useful to have this patch either in the default openssh-server, or a special version of that package. It is currently an option on Gentoo at least. Thanks!

For more details see:

http://dev.inversepath.com/trac/openssh-lpk
http://blog.fupps.com/2006/03/02/ssh-public-keys-from-ldap/
http://dev.inversepath.com/openssh-lpk/ldap_fosdem_2006.pdf

gcc (chris+ubuntu-qwirx) wrote :

This patch is very useful for people running on LDAP infrastructure. It allows us to keep authorized_keys in LDAP instead of files on individual machines. It would be very useful to have this patch either in the default openssh-server, or a special version of that package. It is currently an option on Gentoo at least. Thanks!

For more details see:

http://dev.inversepath.com/trac/openssh-lpk
http://blog.fupps.com/2006/03/02/ssh-public-keys-from-ldap/
http://dev.inversepath.com/openssh-lpk/ldap_fosdem_2006.pdf

Mathias Gug (mathiaz) on 2007-10-25
Changed in openssh:
importance: Undecided → Wishlist
status: New → Triaged
Colin Watson (cjwatson) wrote :

Somebody really needs to submit this patch upstream. It's pretty massive and I can't find any mention of it on openssh-unix-dev at all. It also adds new configuration options; I've been bitten in the past by integrating third-party patches that upstream then chooses to integrate using different option names, and so I now have a general policy of not integrating patches that add configuration options in order to avoid having to carry any more compatibility code around until the end of time. (I have made the occasional exception for ones that have been quite thoroughly discussed upstream and are gradually being merged, such as the Kerberos patch.)

I have no objection to the patch as such (not having read it in enough detail), but in my experience adding this sort of OpenSSH patch just to distros and not upstream is asking for trouble down the line and I'd rather avoid it.

Loye Young (loyeyoung) wrote :

I agree, Colin.

If the request has been made upstream, this one should be closed, IMHO.

Colin Watson (cjwatson) wrote :

There's no real reason to close it (somebody else will just reopen it), but I've linked it to the upstream bug.

Changed in openssh:
status: Unknown → Confirmed

Created an attachment (id=1826)
patch adding public key authentication via LDAP

patch pulled from http://openssh-lpk.googlecode.com/svn/trunk/patch/contrib/openssh-lpk-0.3.10_5.4p1.patch

Changed in openssh (Debian):
status: Unknown → New

There seem to be plenty of interest downstream in supporting LDAP as a network datastore for pubkeys (e.g. going back a few years, RH, Debian, and Ubuntu have open bugs tracking this one), so, if this patch isn't acceptable as offered, might it be possible to understand the reasons and see if it's possible to arrive at an acceptable solution ?

We won't be integrating LDAP into sshd. There are patches to allow sshd to fetch keys using a helper program (which could in turn use LDAP) that will be considered, but I haven't had time to review them properly.

Do you have a pointer to that work? Is there anything someone could do to help progress down that path?

Changed in openssh:
importance: Unknown → Wishlist
status: Confirmed → Won't Fix

close resolved bugs now that openssh-5.9 has been released

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.