Closed Bug 1191554 Opened 9 years ago Closed 8 years ago

Stop using openssh-lpk, switch to AuthorizedKeysCommand

Categories

(Developer Services :: General, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1261212

People

(Reporter: gps, Assigned: gps)

References

(Blocks 1 open bug)

Details

hg.mozilla.org and reviewboard-hg.mozilla.org are using a custom openssh-lpk package with LDAP integration. I'm not a huge fan of running custom packages, especially ones with security implications like OpenSSH.

Modern versions of OpenSSH have support for external SSH public key lookup via the AuthorizedKeysCommand config option, which means we should be able to ditch openssh-lpk for vanilla OpenSSH.

That being said, I'm not sure what all openssh-lpk is doing under the covers and it is quite possible that it is doing some user mapping that will make using vanilla SSH prohibitive. It is at least worth an investigation.
http://www.openssh.com/txt/release-6.2 says AuthorizedKeysCommand was added in OpenSSH 6.2. Naturally RHEL 6 ships with 5.3. So, we'll need to find/build an RPM for modern OpenSSH for RHEL 6 / CentOS 6 if we want to move forward. (I already looked in mrepo and there's nothing there.)
It looks like the OpenSSH in CentOS 7 has the necessary LDAP support almost turnkey: https://git.centos.org/blob/rpms!openssh/11c3be8c5f6f2e2fd9087efc3d0f2b7a8ed52694/SOURCES!openssh-6.6p1-ldap.patch
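As an added illustration of the AuthorizedKeysCommand approach proposed in the description (example code written for this page, not from the bug, from openssh-lpk, or from the CentOS patch): a small POSIX shell helper that sshd can call to fetch a user's keys from LDAP. It assumes the openssh-lpk schema (an `sshPublicKey` attribute on `posixAccount` entries), placeholder `LDAP_URI`/`LDAP_BASE` values and a placeholder install path; the sshd_config lines in the header are what OpenSSH 6.2 and later accept, with sshd passing the login name as the helper's only argument. The username check matters because sshd hands the helper whatever name the client sent, and that name is spliced into an LDAP filter.

```shell
#!/bin/sh
# Added example, not code from this bug or from openssh-lpk: a minimal
# AuthorizedKeysCommand helper that prints a user's SSH public keys from LDAP
# in authorized_keys format. Assumes the openssh-lpk schema ('sshPublicKey'
# on posixAccount entries); LDAP_URI, LDAP_BASE and the path are placeholders.
#
# Matching sshd_config (assumed), valid from OpenSSH 6.2 on, where sshd passes
# the username as the helper's sole argument:
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys
#   AuthorizedKeysCommandUser nobody

LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"        # placeholder
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=org}"  # placeholder

# sshd hands us an arbitrary login name; accept only names that cannot alter
# the LDAP filter, so a crafted username produces no lookup at all.
valid_user() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# Turn LDIF from 'ldapsearch -LLL' into one public key per line. ldapsearch
# wraps long attribute values and marks continuation lines with a leading
# space, so join those first; base64 values ('sshPublicKey::') are ignored.
keys_from_ldif() {
    awk '
        /^ / { line = line substr($0, 2); next }
        { if (line != "") print line; line = $0 }
        END { if (line != "") print line }
    ' | sed -n 's/^sshPublicKey: //p'
}

# Query LDAP anonymously (-x) for the account and emit its keys on stdout.
lookup_keys() {
    valid_user "$1" || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey | keys_from_ldif
}

# Constructed LDIF shaped like 'ldapsearch -LLL' output, for offline testing;
# the second key is wrapped the way ldapsearch wraps long values.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=org
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedkey alice@laptop
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB
 AQCconstructed alice@desktop
'

# Runs the parser over the constructed sample; no LDAP server needed.
demo_keys() {
    printf '%s' "$SAMPLE_LDIF" | keys_from_ldif
}

# Entry point when sshd invokes the helper with the username as sole argument.
if [ $# -eq 1 ]; then
    lookup_keys "$1"
fi
```

Run with a username to perform a real lookup, or call `demo_keys` to see the parser on the embedded sample. Any non-zero exit or empty output makes sshd fall back to the user's regular authorized_keys file, so failures fail closed with respect to the LDAP keys.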

Add this to the list of problems that would go away if we used CentOS 7 in production :/
Blocks: 1226410
This is being done in the CentOS 7 upgrade bug.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE