Bug 455350 - [FEAT] OpenSSH to support centralized management of SSH keys
Summary: [FEAT] OpenSSH to support centralized management of SSH keys
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssh
Version: 6.0
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Jan F. Chadima
QA Contact: Brian Brock
Depends On:
Blocks: 215741
Reported: 2008-07-14 22:58 UTC by Daniel Riek
Modified: 2018-11-14 20:36 UTC
CC List: 15 users

Fixed In Version: openssh-5.3p1-47.el6
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2011-05-19 13:30:04 UTC
Target Upstream Version:


Links:
System: Red Hat Product Errata
ID: RHBA-2011:0598
Priority: normal
Status: SHIPPED_LIVE
Summary: openssh bug fix and enhancement update
Last Updated: 2011-05-19 09:37:32 UTC

Description Daniel Riek 2008-07-14 22:58:19 UTC
Copying this RHEL5 RFE to RHEL6, in order to track for that release.

The requested changes have not been accepted upstream, so the request is to
either try to help get them accepted upstream or to find an alternate
solution for the problem of dynamic ssh-key distribution (and removal) for
(large) centrally managed environments.

+++ This bug was initially created as a clone of Bug #215741 +++

Description of problem:

When a user is disabled (i.e. locked) on the LDAP server (because they are
terminated, etc.) and they have access to their ssh private key, they will
still be able to log in to any server in the organization that contains their ssh
public key. This can be considered a security breach by an auditing team.

With the ability to look up ssh keys over LDAP, the directory server will have
the ability to not send the public key to the user logging in, even if they have
the correct private key.

Additional info:

A patch enabling this is available here:

Comment 1 Reed Loden 2009-04-06 10:05:27 UTC
The patch has moved to

Comment 3 Steve Grubb 2009-11-18 15:25:51 UTC
*** Bug 529062 has been marked as a duplicate of this bug. ***

Comment 4 Jan F. Chadima 2009-11-20 10:26:36 UTC
The more correct patch to sshd is posted to mindrot bugzilla as #1663

Comment 5 Siddharth Nagar 2010-03-11 15:41:31 UTC
Deferring to 6.1

Comment 6 Jan F. Chadima 2010-06-07 10:21:59 UTC
The patched version is successfully tested and deployed in Fedora.

Comment 17 Denise Dumas 2011-02-08 19:59:19 UTC
This is in Modified but I'm not seeing it in the openssh errata. You need to get the brew build updates and add it. This should have happened by the 6.1 code freeze, which was last Friday Feb 4.

Comment 21 Miroslav Vadkerti 2011-03-10 12:06:04 UTC
I was able to use this feature manually and it works. Testing was done only using an LDAP server without TLS. I'm currently creating an RHTS test that will automate the testing and will also test the feature in more depth.

The problem is the documentation: it is misleading in many places and it is scattered across 3 files:

I recommend having one file which contains an up-to-date step-by-step guide on how to set up OpenSSH for getting public keys from an LDAP server, and maybe some basic information. Sections describing LPK should be wiped, for example this from lpk-user-example.txt:
Add the following config to /etc/ssh/ssh_config
UseLPK yes
LpkServers ldap://
LpkUserDN  ou=People,dc=mydomain,dc=com

The man page for ssh-ldap-helper is misleading as it says it can be used in sshd_config. This is not true; ssh-wrapper should be used instead in the latest version. The man page should mention that this tool is great for manual testing (not the opposite, as it does now).

ssh-ldap-helper run without parameters should return the help and not end without a message.

The man page for ssh-ldap.conf was generated incorrectly and is missing new lines:

Both man pages should be reviewed by some other senior developer and then also by the documentation team.

Moving to assigned as the documentation for this nice feature needs improvements.

Comment 22 Miroslav Vadkerti 2011-03-11 08:11:30 UTC
Great, the new package openssh-5.3p1-46.el5 now comes with a nice HOWTO in one file. The HOWTO is understandable but needs to be reviewed by the documentation team to fix any grammatical issues. I'm contacting them to get this done.

The man page for ssh-ldap-helper is corrected now.

The ssh-ldap.conf man page is still broken (no newlines) and needs to be fixed, so the bug stays in assigned.

Comment 26 errata-xmlrpc 2011-05-19 13:30:04 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 27 Barrow Kwan 2012-05-07 21:44:36 UTC
I am trying to get this working with our Active Directory but have a problem with the LDAP search string.

I am wondering if this can be made configurable in /etc/ssh/ldap.conf.

In the openssh-5.3p1-ldap.patch file, if we can make this changeable in /etc/ssh/ldap.conf, that will be very helpful.

Right now I have to change this:

+#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"

to this:

+#define LDAPSEARCH_FORMAT "(&(objectclass=user)(uid=%s)%s)"
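The following is an added example sketching what the request in Comment 27 would look like: the LDAPSEARCH_FORMAT quoted from the patch becomes a configuration value read from an ldap.conf-style file instead of a compile-time #define, and the login name is escaped per RFC 4515 before it is substituted into the filter, so that filter metacharacters in a username cannot change the query. This is not code from the openssh LDAP patch or from Red Hat. The option name `ssh_search_filter`, the `key value` file syntax, and the reading of the two `%s` placeholders as "uid first, optional extra filter second" are assumptions made for this example; the sample configuration and the `ad.example.invalid` URI are constructed.

```python
# Added example, not part of the openssh-5.3p1-ldap patch.
# Assumptions: an ldap.conf-style option "ssh_search_filter" (hypothetical),
# whose value has two %s placeholders: the uid first, an extra filter second.

# Default format, taken from the patch line quoted in Comment 27 of the bug.
DEFAULT_SEARCH_FORMAT = (
    "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)"
)

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def read_search_format(conf_text: str) -> str:
    """Return the (hypothetical) ssh_search_filter value from ldap.conf-style
    text, or the patch's default format if the key is absent."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key.lower() == "ssh_search_filter":
            fmt = value.strip()
            # Reject formats the substitution below could not satisfy.
            if fmt.count("%s") != 2:
                raise ValueError("ssh_search_filter needs exactly two %s placeholders")
            return fmt
    return DEFAULT_SEARCH_FORMAT


def build_search_filter(username: str, extra_filter: str = "",
                        search_format: str = DEFAULT_SEARCH_FORMAT) -> str:
    """Substitute the escaped login name and the admin-supplied extra filter
    (already a filter fragment, so not escaped) into the configured format."""
    return search_format % (escape_filter_value(username), extra_filter)


# Constructed ldap.conf fragment for an Active Directory setup like the one
# Comment 27 describes; the uri is a placeholder, not a real server.
SAMPLE_AD_CONF = """\
# constructed sample, not a real configuration
uri ldap://ad.example.invalid
ssh_search_filter (&(objectclass=user)(uid=%s)%s)
"""

if __name__ == "__main__":
    fmt = read_search_format(SAMPLE_AD_CONF)
    print(build_search_filter("alice", search_format=fmt))
    # With the patch's default format, a login name containing filter
    # metacharacters is escaped rather than interpreted.
    print(build_search_filter("a*b"))
```

The second `%s` is kept as a separate argument so that a site can append its own constraint (for example a host or group attribute) without editing the base format; only the login name goes through `escape_filter_value`, because the extra fragment is administrator-controlled filter syntax, not user data.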

