Stop using openssh-lpk, switch to AuthorizedKeysCommand

RESOLVED DUPLICATE of bug 1261212

People

(Reporter: gps, Assigned: gps)

Description (gps, 3 years ago)

hg.mozilla.org and reviewboard-hg.mozilla.org are using a custom openssh-lpk package with LDAP integration. I'm not a huge fan of running custom packages, especially ones with security implications like OpenSSH.

Modern versions of OpenSSH have support for external SSH public key lookup via the AuthorizedKeysCommand config option, which means we should be able to ditch openssh-lpk for vanilla OpenSSH.

That being said, I'm not sure what all openssh-lpk is doing under the covers and it is quite possible that it is doing some user mapping that will make using vanilla SSH prohibitive. It is at least worth an investigation.
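The AuthorizedKeysCommand mechanism mentioned above, as an added example that is not part of this bug or of openssh-lpk: sshd runs the configured command with the login name as its argument, under the AuthorizedKeysCommandUser account, and treats whatever the command prints as authorized_keys lines. The helper below (a hypothetical /usr/local/bin/ldap-authorized-keys, with placeholder LDAP URI and base DN, using the openssh-lpk schema's ldapPublicKey/sshPublicKey) validates the login name before it is placed in the LDAP filter and parses the LDIF that ldapsearch returns, including folded and base64-encoded values.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand helper (added example; not from the bug or openssh-lpk).
# Assumed sshd_config lines that would invoke it (path and user are placeholders):
#   AuthorizedKeysCommand /usr/local/bin/ldap-authorized-keys
#   AuthorizedKeysCommandUser nobody
# sshd runs "ldap-authorized-keys <login name>" and reads authorized_keys lines on stdout.

# Only accept login names that are safe to embed in an LDAP filter: no wildcards,
# parentheses or escapes, so the name sshd passes in cannot rewrite the query.
valid_user() {
  case "$1" in
    ''|*[!a-zA-Z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read LDIF on stdin and print each sshPublicKey value on its own line.
# Two LDIF rules break naive grep-based scripts: long values are folded onto
# continuation lines that start with a space, and values that are not safe
# ASCII are emitted base64-encoded after a double colon ("sshPublicKey:: ...").
ldif_keys() {
  awk '
    /^ / { buf = buf substr($0, 2); next }   # unfold continuation line
    { if (buf != "") emit(buf); buf = $0 }   # previous logical line is complete
    END { if (buf != "") emit(buf) }
    function emit(line,  cmd, decoded) {
      if (line ~ /^sshPublicKey:: /) {
        sub(/^sshPublicKey:: /, "", line)
        cmd = "printf %s \"" line "\" | base64 -d"
        cmd | getline decoded; close(cmd)
        print decoded
      } else if (line ~ /^sshPublicKey: /) {
        sub(/^sshPublicKey: /, "", line)
        print line
      }
    }'
}

# Query the directory for the user (openssh-lpk schema: objectClass ldapPublicKey,
# attribute sshPublicKey). LDAP_URI and LDAP_BASE defaults are placeholders.
main() {
  valid_user "$1" || exit 1
  ldapsearch -x -LLL -H "${LDAP_URI:-ldap://ldap.example.internal}" \
    -b "${LDAP_BASE:-ou=people,dc=example,dc=com}" \
    "(&(objectClass=ldapPublicKey)(uid=$1))" sshPublicKey | ldif_keys
}

# Run main only when invoked under the installed name, so the functions can be sourced.
if [ "${0##*/}" = "ldap-authorized-keys" ]; then main "$@"; fi
```

A non-zero exit or empty output from the command simply means no keys for that login, so a directory outage fails closed rather than granting access.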
Comment 1 (gps, 3 years ago)

http://www.openssh.com/txt/release-6.2 says AuthorizedKeysCommand was added in OpenSSH 6.2. Naturally RHEL 6 ships with 5.3. So, we'll need to find/build an RPM for modern OpenSSH for RHEL 6 / CentOS 6 if we want to move forward. (I already looked in mrepo and there's nothing there.)
Comment 2 (gps, 3 years ago)

It looks like the OpenSSH in CentOS 7 has the necessary LDAP support almost turnkey: https://git.centos.org/blob/rpms!openssh/11c3be8c5f6f2e2fd9087efc3d0f2b7a8ed52694/SOURCES!openssh-6.6p1-ldap.patch

Add this to the list of problems that would go away if we used CentOS 7 in production :/
Updated (gps, 3 years ago): Blocks: 1226410
Comment 3 (gps, 2 years ago)

This is being done in the CentOS 7 upgrade bug.
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1261212