Closed
Bug 1191554
Opened 9 years ago
Closed 8 years ago
Stop using openssh-lpk, switch to AuthorizedKeysCommand
Categories
(Developer Services :: General, task)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1261212
People
(Reporter: gps, Assigned: gps)
References
(Blocks 1 open bug)
Details
hg.mozilla.org and reviewboard-hg.mozilla.org are using a custom openssh-lpk package with LDAP integration. I'm not a huge fan of running custom packages, especially ones with security implications like OpenSSH. Modern versions of OpenSSH have support for external SSH public key lookup via the AuthorizedKeysCommand config option, which means we should be able to ditch openssh-lpk for vanilla OpenSSH. That being said, I'm not sure what all openssh-lpk is doing under the covers and it is quite possible that it is doing some user mapping that will make using vanilla SSH prohibitive. It is at least worth an investigation.
Comment 1 (Assignee) • 9 years ago
http://www.openssh.com/txt/release-6.2 says AuthorizedKeysCommand was added in OpenSSH 6.2. Naturally RHEL 6 ships with 5.3. So, we'll need to find/build an RPM for modern OpenSSH for RHEL 6 / CentOS 6 if we want to move forward. (I already looked in mrepo and there's nothing there.)
Comment 2 (Assignee) • 9 years ago
It looks like the OpenSSH in CentOS 7 has the necessary LDAP support almost turnkey: https://git.centos.org/blob/rpms!openssh/11c3be8c5f6f2e2fd9087efc3d0f2b7a8ed52694/SOURCES!openssh-6.6p1-ldap.patch Add this to the list of problems that would go away if we used CentOS 7 in production :/
Comment 3 (Assignee) • 8 years ago
This is being done in the CentOS 7 upgrade bug.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
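Added example, not part of the bug thread or of Mozilla's code: a helper of the kind AuthorizedKeysCommand would invoke in place of openssh-lpk, filtering LDIF returned by an LDAP lookup into authorized_keys lines. The helper path, the service account, the username policy, the key-type allowlist, and the use of the openssh-lpk schema's sshPublicKey attribute are assumptions.

```python
"""Added example: turn LDIF from an LDAP lookup into authorized_keys lines.

Assumed sshd_config (helper path and account name are hypothetical):
    AuthorizedKeysCommand /usr/local/bin/ldap-keys
    AuthorizedKeysCommandUser sshkeys
"""
import base64
import re

ALLOWED = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}  # assumed policy
USERNAME = re.compile(r"[a-z_][a-z0-9_.@-]{0,63}")  # assumed policy


def safe_username(user):
    """Check the login name before it is ever placed in an LDAP search filter."""
    return USERNAME.fullmatch(user) is not None


def valid_key(line):
    """Accept '<type> <base64> [comment]' only if the blob names the same type."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED:
        return False  # also drops entries that start with options (command=...)
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return False
    n = int.from_bytes(blob[:4], "big")  # length prefix of the key-type string
    return blob[4:4 + n] == parts[0].encode()


def keys_from_ldif(ldif, attr="sshPublicKey"):
    """Return validated key lines found in LDIF text."""
    keys = []
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():  # undo LDIF folding
        name, sep, value = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if value.startswith(":"):  # "attr:: " marks a base64-encoded value
            try:
                value = base64.b64decode(value[1:]).decode("utf-8")
            except ValueError:
                continue
        value = value.strip()
        # A decoded value with embedded newlines could smuggle extra key lines.
        if "\n" in value or "\r" in value or not valid_key(value):
            continue
        keys.append(value)
    return keys
```

sshd treats every line the command prints as an authorized_keys entry, so the helper should print only what `keys_from_ldif` returns and exit non-zero when `safe_username` rejects its argument.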