openssh-portable and nsswitch integration
Michael Bushkov
bushman at rsu.ru
Tue Jul 19 11:48:14 GMT 2005
Hello!
I'm working on openssh and nsswitch integration in FreeBSD during the
Google Summer of Code program. The patch is completed. Here is the
approach that I've used to integrate openssh and nsswitch.
The idea is to replace system-wide known-hosts file with nsswitch source.
After examining openssh port, I've found 2 basic functions, which handle
the known-hosts files (hostfile.h):
HostStatus check_host_in_hostfile(const char *, const char *, const Key *, Key *, int *);
int lookup_key_in_hostfile_by_type(const char *, const char *, int, Key *, int *);
As far as I know, all other routines that deal with these files seem to
be built on top of these 2 functions. So I've implemented another 2
functions:
HostStatus nsswitch_check_host(const char *, const Key *, Key *);
int nsswitch_lookup_key_by_type(const char *, int, Key *);
They are used instead of the previous 2 in all places where the
system-wide known-hosts file was accessed. And they dispatch the calls to
the nsswitch subsystem. The nsswitch 'files' module has the same
functionality as the previous 2 functions, but users will be able to
store their public keys in LDAP, for example. Besides, any other source
can be implemented as a pluggable nsswitch module. OpenSSH now checks the
nsswitch source and then the user files.
In the ssh client the files module will take the system files path from
the Options structure. And in the sshd (in case of hostbased
authentication), it will use the default values.
I hope this approach is applicable. I've prepared the updated port
version in the perforce repository:
//depot/projects/soc2005/nsswitch_cached/tests/ssh_hostkeys_test/port/
The only problem is with the configure script. I've modified the
configure.ac file to check for nsdispatch functions - so that the port
can work on earlier system versions. So, I've rebuilt the configure
script. But the diff output for this file is about 500k. Can I add a
USE_AUTOCONF directive to the Makefile?
After this question is clear, I can submit the port patch, I guess.
With best regards,
Michael Bushkov
Rostov State University
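An added illustration of the dispatch described in the post (example code written for this page, not Michael's patch or OpenSSH's own code): a minimal nsswitch_check_host() that consults an in-memory directory source standing in for an LDAP module and then a known_hosts-style files source, with constructed sample entries. It assumes a subset of OpenSSH's HostStatus values and a fixed source order in place of nsswitch.conf; nsdispatch(3) itself is not called, so it builds on any system.

```c
#include <string.h>

/* Subset of OpenSSH's HostStatus outcomes (assumed for this example). */
typedef enum { HOST_OK, HOST_NEW, HOST_CHANGED } HostStatus;

/* Constructed sample data for the "files" source: known_hosts-style lines. */
static const char *files_db[] = {
    "alpha.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABalphaFILE",
    "beta.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABbeta",
    NULL
};
/* Constructed sample data standing in for a directory-backed (e.g. LDAP) module. */
struct dir_entry { const char *host, *type, *key; };
static const struct dir_entry dir_db[] = {
    { "alpha.example.org", "ssh-rsa", "AAAAB3NzaC1yc2EAAAADAQABalphaDIR" },
    { "gamma.example.org", "ssh-rsa", "AAAAB3NzaC1yc2EAAAADAQABgamma" },
};

/* "files" source: return the stored key blob for host/type, or NULL if absent. */
static const char *lookup_files(const char *host, const char *type) {
    size_t hl = strlen(host), tl = strlen(type);
    for (const char **l = files_db; *l != NULL; l++) {
        const char *p = *l;
        if (strncmp(p, host, hl) != 0 || p[hl] != ' ') continue;
        p += hl + 1;
        if (strncmp(p, type, tl) != 0 || p[tl] != ' ') continue;
        return p + tl + 1;
    }
    return NULL;
}
/* Directory source: same contract as lookup_files(). */
static const char *lookup_directory(const char *host, const char *type) {
    for (size_t i = 0; i < sizeof dir_db / sizeof dir_db[0]; i++)
        if (strcmp(dir_db[i].host, host) == 0 && strcmp(dir_db[i].type, type) == 0)
            return dir_db[i].key;
    return NULL;
}

/* Source order as an nsswitch.conf line would list it: directory, then files. */
typedef const char *(*source_fn)(const char *, const char *);
static const source_fn sources[] = { lookup_directory, lookup_files };

/* Consult sources in order. A host that is known with a different key is a
   mismatch, not a miss: stop there so a later source cannot quietly accept it. */
HostStatus nsswitch_check_host(const char *host, const char *type, const char *key) {
    for (size_t i = 0; i < sizeof sources / sizeof sources[0]; i++) {
        const char *stored = sources[i](host, type);
        if (stored == NULL) continue;           /* not found here: next source */
        return strcmp(stored, key) == 0 ? HOST_OK : HOST_CHANGED;
    }
    return HOST_NEW;                             /* no source knows this host */
}
```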