[SSSD] [sssd PR#5566][synchronized] Fix exponent padding when deriving rsapubkey to ssh

2021-04-02 Thread peptekmail
   URL: https://github.com/SSSD/sssd/pull/5566
Author: peptekmail
 Title: #5566: Fix exponent padding when deriving rsapubkey to ssh
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5566/head:pr5566
git checkout pr5566
From 68b127651544b70e2f525768853502c5fb0d1d2d Mon Sep 17 00:00:00 2001
From: peptekmail 
Date: Sat, 3 Apr 2021 02:14:52 +0200
Subject: [PATCH 1/3] TEST: FIX: When generating a ssh pubkey from a cert extra
 padding is needed if a nonstandard eponent is chosen.

---
 src/tests/cmocka/test_pam_srv.c   |  2 +-
 src/tests/intg/test_ssh_pubkey.py | 61 ---
 src/tests/test_CA/Makefile.am | 21 +--
 src/tests/test_CA/README  |  3 +-
 src/tests/test_CA/SSSD_test_cert_0005.config  |  1 +
 src/tests/test_CA/SSSD_test_cert_0007.config  |  6 +-
 src/tests/test_CA/SSSD_test_cert_key_0007.pem | 52 
 src/util/cert/libcrypto/cert.c|  9 ++-
 8 files changed, 110 insertions(+), 45 deletions(-)

diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index d41f5e78a5..3720cf17bb 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -2310,7 +2310,7 @@ void test_pam_pss_cert_auth(void **state)
 mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
 TEST_MODULE_NAME,
 "C554C9F82C2A9D58B70921C143304153A8A42F17",
-"SSSD test cert 0007 /oddchar", NULL,
+"SSSD test cert 0007", NULL,
 test_lookup_by_cert_cb, SSSD_TEST_CERT_0007);
 
 will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
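Review bot: The expected label is updated for the regenerated 0007 certificate, but the key id on the preceding line, `"C554C9F82C2A9D58B70921C143304153A8A42F17"`, is left unchanged; if that id is derived from the certificate's public key and the new SSSD_test_cert_key_0007.pem in the diffstat changes that key, it would need regenerating as well — worth confirming against the test_CA Makefile before merging. test_pam_pss_cert_auth starts and ends outside the hunk. The same hunk recurs in the two later copies of this mail below.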
diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py
index 24b5c258c6..949f082124 100644
--- a/src/tests/intg/test_ssh_pubkey.py
+++ b/src/tests/intg/test_ssh_pubkey.py
@@ -22,16 +22,16 @@
 import signal
 import subprocess
 import time
-import ldap
-import ldap.modlist
-import pytest
 import string
 import random
+import pytest
 
-import config
 import ds_openldap
-import ent
 import ldap_ent
+import ldap
+import ldap.modlist
+import config
+
 from util import unindent, get_call_output
 
 LDAP_BASE_DN = "dc=example,dc=com"
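Review bot: The reordering puts `import pytest` into the stdlib group and `import ldap` / `import ldap.modlist` in among the project-local modules, the reverse of the stdlib / third-party / local grouping the original lines followed. Keeping `import pytest`, `import ldap` and `import ldap.modlist` together as one third-party group between `import random` and `import ds_openldap` would restore that. Dropping `import ent` is fine only if no use of `ent` remains elsewhere in the file, which this hunk cannot show. The same hunk recurs in the two later copies of this mail below.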
@@ -115,7 +115,7 @@ def create_ldap_fixture(request, ldap_conn, ent_list=None):
 SCHEMA_RFC2307_BIS = "rfc2307bis"
 
 
-def format_basic_conf(ldap_conn, schema):
+def format_basic_conf(ldap_conn, schema, config):
 """Format a basic SSSD configuration"""
 schema_conf = "ldap_schema = " + schema + "\n"
 schema_conf += "ldap_group_object_class = groupOfNames\n"
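Review bot: The new `config` parameter shadows the module-level `import config`, and every caller in this patch passes that very module; it appears to exist only so that the template's `.format(**locals())` can resolve `{config.PAM_CERT_DB_PATH}`. Binding the one value the template needs to a local instead, `ca_db = config.PAM_CERT_DB_PATH` and `ca_db   = {ca_db}` in the template, keeps the original two-argument signature, so any caller outside these hunks that still writes `format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)` does not fail with a TypeError. format_basic_conf continues outside the hunk.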
@@ -128,6 +128,10 @@ def format_basic_conf(ldap_conn, schema):
 
 [ssh]
 debug_level=10
+ca_db   = {config.PAM_CERT_DB_PATH}
+
+[pam]
+pam_cert_auth = True
 
 [domain/LDAP]
 {schema_conf}
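Review bot: `pam_cert_auth = True` is switched on in the conf that every test in this file uses, not only the new certificate test, so all of them now run with certificate authentication enabled. If the ssh responder needs it to pick up `userCertificate` entries, a one-line comment above the `[pam]` section saying so would make the intent clear; if it does not, the setting widens what the unrelated tests exercise for no benefit. Which of the two applies cannot be told from the hunk.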
@@ -137,6 +141,7 @@ def format_basic_conf(ldap_conn, schema):
 ldap_search_base= {ldap_conn.ds_inst.base_dn}
 ldap_sudo_use_host_filter = false
 debug_level=10
+ldap_user_certificate = userCertificate;binary
 """).format(**locals())
 
 
@@ -217,7 +222,8 @@ def add_user_with_ssh_key(request, ldap_conn):
 ent_list.add_user("user2", 1002, 2001)
 create_ldap_fixture(request, ldap_conn, ent_list)
 
-conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
 create_conf_fixture(request, conf)
 create_sssd_fixture(request)
 return None
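Review bot: `config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']` assigns an attribute on the imported config module from inside a fixture, and the same line is repeated in add_user_with_many_keys further down; an unset variable surfaces as a bare KeyError during fixture setup rather than a clear message. Reading it once at module level, e.g. `PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']` next to `LDAP_BASE_DN`, and referring to that constant from format_basic_conf avoids both the duplication and the cross-module mutation. add_user_with_ssh_key starts outside the hunk.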
@@ -235,6 +241,19 @@ def test_ssh_pubkey_retrieve(add_user_with_ssh_key):
 assert len(sshpubkey) == 0
 
 
+def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
+"""
+Test that we can retrieve an SSH public key derived from a cert in ldap and compare with the sshpubkey derived via openssl, they should match.
+"""
+for u in [1,7]:
+pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_pubsshkey_000%s.pub" % u)
+with open(pubsshkey_path, 'r') as f:
+pubsshkey = f.read()
+sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u])
+print(sshpubkey)
+print(pubsshkey)
+assert sshpubkey == pubsshkey
+
 @pytest.fixture()
 def sighup_client(request):
 test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR,
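Review bot: The two `print(...)` calls in test_ssh_pubkey_retrieve_cert look like debugging leftovers; pytest already shows both values when `assert sshpubkey == pubsshkey` fails, so they can be dropped. PEP 8 also wants `for u in [1, 7]:` and two blank lines before the following `@pytest.fixture()` (the hunk adds only one), and the single-line docstring reads better as a short summary line followed by the detail on a second paragraph. The fixture `add_user_with_ssh_cert` the test depends on is not defined in any hunk shown here; presumably it is in the truncated remainder of the patch. The same hunk recurs in the two later copies of this mail below.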
@@ -261,12 +280,38 @@ def add_user_with_many_keys(request, ldap_conn):
 ent_list.add_user("user1", 1001, 2001, sshPubKey=pubkey_list)
 create_ldap_fixture(request, ldap_conn, ent_list)
 
-conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
 create_conf_fixture(request, conf)
 

[SSSD] [sssd PR#5566][synchronized] Fix exponent padding when deriving rsapubkey to ssh

2021-04-02 Thread peptekmail
   URL: https://github.com/SSSD/sssd/pull/5566
Author: peptekmail
 Title: #5566: Fix exponent padding when deriving rsapubkey to ssh
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5566/head:pr5566
git checkout pr5566
From 68b127651544b70e2f525768853502c5fb0d1d2d Mon Sep 17 00:00:00 2001
From: peptekmail 
Date: Sat, 3 Apr 2021 02:14:52 +0200
Subject: [PATCH 1/2] TEST: FIX: When generating a ssh pubkey from a cert extra
 padding is needed if a nonstandard eponent is chosen.

---
 src/tests/cmocka/test_pam_srv.c   |  2 +-
 src/tests/intg/test_ssh_pubkey.py | 61 ---
 src/tests/test_CA/Makefile.am | 21 +--
 src/tests/test_CA/README  |  3 +-
 src/tests/test_CA/SSSD_test_cert_0005.config  |  1 +
 src/tests/test_CA/SSSD_test_cert_0007.config  |  6 +-
 src/tests/test_CA/SSSD_test_cert_key_0007.pem | 52 
 src/util/cert/libcrypto/cert.c|  9 ++-
 8 files changed, 110 insertions(+), 45 deletions(-)

diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index d41f5e78a5..3720cf17bb 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -2310,7 +2310,7 @@ void test_pam_pss_cert_auth(void **state)
 mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
 TEST_MODULE_NAME,
 "C554C9F82C2A9D58B70921C143304153A8A42F17",
-"SSSD test cert 0007 /oddchar", NULL,
+"SSSD test cert 0007", NULL,
 test_lookup_by_cert_cb, SSSD_TEST_CERT_0007);
 
 will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py
index 24b5c258c6..949f082124 100644
--- a/src/tests/intg/test_ssh_pubkey.py
+++ b/src/tests/intg/test_ssh_pubkey.py
@@ -22,16 +22,16 @@
 import signal
 import subprocess
 import time
-import ldap
-import ldap.modlist
-import pytest
 import string
 import random
+import pytest
 
-import config
 import ds_openldap
-import ent
 import ldap_ent
+import ldap
+import ldap.modlist
+import config
+
 from util import unindent, get_call_output
 
 LDAP_BASE_DN = "dc=example,dc=com"
@@ -115,7 +115,7 @@ def create_ldap_fixture(request, ldap_conn, ent_list=None):
 SCHEMA_RFC2307_BIS = "rfc2307bis"
 
 
-def format_basic_conf(ldap_conn, schema):
+def format_basic_conf(ldap_conn, schema, config):
 """Format a basic SSSD configuration"""
 schema_conf = "ldap_schema = " + schema + "\n"
 schema_conf += "ldap_group_object_class = groupOfNames\n"
@@ -128,6 +128,10 @@ def format_basic_conf(ldap_conn, schema):
 
 [ssh]
 debug_level=10
+ca_db   = {config.PAM_CERT_DB_PATH}
+
+[pam]
+pam_cert_auth = True
 
 [domain/LDAP]
 {schema_conf}
@@ -137,6 +141,7 @@ def format_basic_conf(ldap_conn, schema):
 ldap_search_base= {ldap_conn.ds_inst.base_dn}
 ldap_sudo_use_host_filter = false
 debug_level=10
+ldap_user_certificate = userCertificate;binary
 """).format(**locals())
 
 
@@ -217,7 +222,8 @@ def add_user_with_ssh_key(request, ldap_conn):
 ent_list.add_user("user2", 1002, 2001)
 create_ldap_fixture(request, ldap_conn, ent_list)
 
-conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
 create_conf_fixture(request, conf)
 create_sssd_fixture(request)
 return None
@@ -235,6 +241,19 @@ def test_ssh_pubkey_retrieve(add_user_with_ssh_key):
 assert len(sshpubkey) == 0
 
 
+def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
+"""
+Test that we can retrieve an SSH public key derived from a cert in ldap and compare with the sshpubkey derived via openssl, they should match.
+"""
+for u in [1,7]:
+pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_pubsshkey_000%s.pub" % u)
+with open(pubsshkey_path, 'r') as f:
+pubsshkey = f.read()
+sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u])
+print(sshpubkey)
+print(pubsshkey)
+assert sshpubkey == pubsshkey
+
 @pytest.fixture()
 def sighup_client(request):
 test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR,
@@ -261,12 +280,38 @@ def add_user_with_many_keys(request, ldap_conn):
 ent_list.add_user("user1", 1001, 2001, sshPubKey=pubkey_list)
 create_ldap_fixture(request, ldap_conn, ent_list)
 
-conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
 create_conf_fixture(request, conf)
 

[SSSD] [sssd PR#5566][opened] Fix exponent padding when deriving rsapubkey to ssh

2021-04-02 Thread peptekmail
   URL: https://github.com/SSSD/sssd/pull/5566
Author: peptekmail
 Title: #5566: Fix exponent padding when deriving rsapubkey to ssh
Action: opened

PR body:
"""
Padding is sometimes needed if a nonstandard exponent is chosen.

The fix is just a couple of lines in cert.c

But the integration test requires a certificate to be pushed to LDAP, and the 
output should match the public key derived from the original certificate via 
p11-tool and openssh.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5566/head:pr5566
git checkout pr5566
From 68b127651544b70e2f525768853502c5fb0d1d2d Mon Sep 17 00:00:00 2001
From: peptekmail 
Date: Sat, 3 Apr 2021 02:14:52 +0200
Subject: [PATCH] TEST: FIX: When generating a ssh pubkey from a cert extra
 padding is needed if a nonstandard eponent is chosen.

---
 src/tests/cmocka/test_pam_srv.c   |  2 +-
 src/tests/intg/test_ssh_pubkey.py | 61 ---
 src/tests/test_CA/Makefile.am | 21 +--
 src/tests/test_CA/README  |  3 +-
 src/tests/test_CA/SSSD_test_cert_0005.config  |  1 +
 src/tests/test_CA/SSSD_test_cert_0007.config  |  6 +-
 src/tests/test_CA/SSSD_test_cert_key_0007.pem | 52 
 src/util/cert/libcrypto/cert.c|  9 ++-
 8 files changed, 110 insertions(+), 45 deletions(-)

diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index d41f5e78a5..3720cf17bb 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -2310,7 +2310,7 @@ void test_pam_pss_cert_auth(void **state)
 mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
 TEST_MODULE_NAME,
 "C554C9F82C2A9D58B70921C143304153A8A42F17",
-"SSSD test cert 0007 /oddchar", NULL,
+"SSSD test cert 0007", NULL,
 test_lookup_by_cert_cb, SSSD_TEST_CERT_0007);
 
 will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py
index 24b5c258c6..949f082124 100644
--- a/src/tests/intg/test_ssh_pubkey.py
+++ b/src/tests/intg/test_ssh_pubkey.py
@@ -22,16 +22,16 @@
 import signal
 import subprocess
 import time
-import ldap
-import ldap.modlist
-import pytest
 import string
 import random
+import pytest
 
-import config
 import ds_openldap
-import ent
 import ldap_ent
+import ldap
+import ldap.modlist
+import config
+
 from util import unindent, get_call_output
 
 LDAP_BASE_DN = "dc=example,dc=com"
@@ -115,7 +115,7 @@ def create_ldap_fixture(request, ldap_conn, ent_list=None):
 SCHEMA_RFC2307_BIS = "rfc2307bis"
 
 
-def format_basic_conf(ldap_conn, schema):
+def format_basic_conf(ldap_conn, schema, config):
 """Format a basic SSSD configuration"""
 schema_conf = "ldap_schema = " + schema + "\n"
 schema_conf += "ldap_group_object_class = groupOfNames\n"
@@ -128,6 +128,10 @@ def format_basic_conf(ldap_conn, schema):
 
 [ssh]
 debug_level=10
+ca_db   = {config.PAM_CERT_DB_PATH}
+
+[pam]
+pam_cert_auth = True
 
 [domain/LDAP]
 {schema_conf}
@@ -137,6 +141,7 @@ def format_basic_conf(ldap_conn, schema):
 ldap_search_base= {ldap_conn.ds_inst.base_dn}
 ldap_sudo_use_host_filter = false
 debug_level=10
+ldap_user_certificate = userCertificate;binary
 """).format(**locals())
 
 
@@ -217,7 +222,8 @@ def add_user_with_ssh_key(request, ldap_conn):
 ent_list.add_user("user2", 1002, 2001)
 create_ldap_fixture(request, ldap_conn, ent_list)
 
-conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
 create_conf_fixture(request, conf)
 create_sssd_fixture(request)
 return None
@@ -235,6 +241,19 @@ def test_ssh_pubkey_retrieve(add_user_with_ssh_key):
 assert len(sshpubkey) == 0
 
 
+def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
+"""
+Test that we can retrieve an SSH public key derived from a cert in ldap and compare with the sshpubkey derived via openssl, they should match.
+"""
+for u in [1,7]:
+pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_pubsshkey_000%s.pub" % u)
+with open(pubsshkey_path, 'r') as f:
+pubsshkey = f.read()
+sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u])
+print(sshpubkey)
+print(pubsshkey)
+assert sshpubkey == pubsshkey
+
 @pytest.fixture()
 def sighup_client(request):
 test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR,
@@ -261,12 +280,38 @@ def add_user_with_many_keys(request, ldap_conn):
 ent_list.add_user("user1", 1001, 2001, sshPubKey=pubkey_list)
 

[SSSD] [sssd PR#5535][comment] A set of patches to sanitize logger code a little bit.

2021-04-02 Thread joakim-tjernlund
  URL: https://github.com/SSSD/sssd/pull/5535
Title: #5535: A set of patches to sanitize logger code a little bit.

joakim-tjernlund commented:
"""
This PR forgot to change -f in src/sysv/gentoo/sssd.in, so sssd now fails to 
start because the -f option is not recognized.
Please replace -f with --logger=files
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5535#issuecomment-812456635