hg.mozilla.org and reviewboard-hg.mozilla.org are using a custom openssh-lpk package with LDAP integration. I'm not a huge fan of running custom packages, especially ones with security implications like OpenSSH. Modern versions of OpenSSH have support for external SSH public key lookup via the AuthorizedKeysCommand config option, which means we should be able to ditch openssh-lpk for vanilla OpenSSH. That being said, I'm not sure what all openssh-lpk is doing under the covers and it is quite possible that it is doing some user mapping that will make using vanilla SSH prohibitive. It is at least worth an investigation.
http://www.openssh.com/txt/release-6.2 says AuthorizedKeysCommand was added in OpenSSH 6.2. Naturally RHEL 6 ships with 5.3. So, we'll need to find/build an RPM for modern OpenSSH for RHEL 6 / CentOS 6 if we want to move forward. (I already looked in mrepo and there's nothing there.)
It looks like the OpenSSH in CentOS 7 has the necessary LDAP support almost turnkey: https://git.centos.org/blob/rpms!openssh/11c3be8c5f6f2e2fd9087efc3d0f2b7a8ed52694/SOURCES!openssh-6.6p1-ldap.patch Add this to the list of problems that would go away if we used CentOS 7 in production :/
This is being done in the CentOS 7 upgrade bug.
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1261212
You need to log in before you can comment on or make changes to this bug.