[SSSD] [sssd PR#5566][synchronized] Fix exponent padding when deriving rsapubkey to ssh
URL: https://github.com/SSSD/sssd/pull/5566 Author: peptekmail Title: #5566: Fix exponent padding when deriving rsapubkey to ssh Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5566/head:pr5566 git checkout pr5566 From 68b127651544b70e2f525768853502c5fb0d1d2d Mon Sep 17 00:00:00 2001 From: peptekmail Date: Sat, 3 Apr 2021 02:14:52 +0200 Subject: [PATCH 1/3] TEST: FIX: When generating a ssh pubkey from a cert extra padding is needed if a nonstandard eponent is chosen. --- src/tests/cmocka/test_pam_srv.c | 2 +- src/tests/intg/test_ssh_pubkey.py | 61 --- src/tests/test_CA/Makefile.am | 21 +-- src/tests/test_CA/README | 3 +- src/tests/test_CA/SSSD_test_cert_0005.config | 1 + src/tests/test_CA/SSSD_test_cert_0007.config | 6 +- src/tests/test_CA/SSSD_test_cert_key_0007.pem | 52 src/util/cert/libcrypto/cert.c| 9 ++- 8 files changed, 110 insertions(+), 45 deletions(-) diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c index d41f5e78a5..3720cf17bb 100644 --- a/src/tests/cmocka/test_pam_srv.c +++ b/src/tests/cmocka/test_pam_srv.c @@ -2310,7 +2310,7 @@ void test_pam_pss_cert_auth(void **state) mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", TEST_MODULE_NAME, "C554C9F82C2A9D58B70921C143304153A8A42F17", -"SSSD test cert 0007 /oddchar", NULL, +"SSSD test cert 0007", NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0007); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py index 24b5c258c6..949f082124 100644 --- a/src/tests/intg/test_ssh_pubkey.py +++ b/src/tests/intg/test_ssh_pubkey.py 
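Review bot: Changing the expected label from `"SSSD test cert 0007 /oddchar"` to `"SSSD test cert 0007"` in test_pam_pss_cert_auth suggests certificate 0007 is being repurposed for the exponent test, which would drop whatever the `/oddchar` subject was exercising in the PAM certificate path. If so, a separate fixture certificate for the non-standard exponent would keep both cases covered. The key id on the preceding context line is unchanged although the diffstat shows the 0007 key file being rewritten, so it is worth confirming that the id is assigned by the test CA Makefile rather than derived from the key. The function body starts and ends outside the hunk.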
@@ -22,16 +22,16 @@
 import signal
 import subprocess
 import time
-import ldap
-import ldap.modlist
-import pytest
 import string
 import random
+import pytest
-import config
 import ds_openldap
-import ent
 import ldap_ent
+import ldap
+import ldap.modlist
+import config
+
 from util import unindent, get_call_output
 LDAP_BASE_DN = "dc=example,dc=com"
@@ -115,7 +115,7 @@ def create_ldap_fixture(request, ldap_conn, ent_list=None):
 SCHEMA_RFC2307_BIS = "rfc2307bis"
-def format_basic_conf(ldap_conn, schema):
+def format_basic_conf(ldap_conn, schema, config):
 """Format a basic SSSD configuration"""
 schema_conf = "ldap_schema = " + schema + "\n"
 schema_conf += "ldap_group_object_class = groupOfNames\n"
@@ -128,6 +128,10 @@ def format_basic_conf(ldap_conn, schema):
 [ssh]
 debug_level=10
+ca_db = {config.PAM_CERT_DB_PATH}
+
+[pam]
+pam_cert_auth = True
 [domain/LDAP]
 {schema_conf}
@@ -137,6 +141,7 @@ def format_basic_conf(ldap_conn, schema):
 ldap_search_base= {ldap_conn.ds_inst.base_dn}
 ldap_sudo_use_host_filter = false
 debug_level=10
+ldap_user_certificate = userCertificate;binary
 """).format(**locals())
@@ -217,7 +222,8 @@ def add_user_with_ssh_key(request, ldap_conn):
 ent_list.add_user("user2", 1002, 2001)
 create_ldap_fixture(request, ldap_conn, ent_list)
-conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
 create_conf_fixture(request, conf)
 create_sssd_fixture(request)
 return None
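Review bot: The new `config` parameter of format_basic_conf shadows the imported `config` module, and the `{config.PAM_CERT_DB_PATH}` placeholder added in the `@@ -128` hunk only resolves because the template is filled with `.format(**locals())`. Passing the value itself is clearer and avoids handing the whole module in: `def format_basic_conf(ldap_conn, schema, ca_db_path):` with `ca_db = {ca_db_path}` in the template. As written, `ca_db`, `pam_cert_auth = True` and `ldap_user_certificate` are also emitted for every test that uses this helper, not only the certificate test, which widens what the existing SSH key tests exercise. The function body continues outside these hunks.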
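Review bot: In the `@@ -217` hunk, `config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']` raises KeyError when the variable is unset, so every test using add_user_with_ssh_key errors out even if it never touches a certificate. The line also mutates the shared `config` module from inside a fixture. Read the value with `cert_db = os.environ.get('PAM_CERT_DB_PATH')` and skip or fail with a clear message when it is None, then pass it to format_basic_conf directly. The same two added lines recur in add_user_with_many_keys in the `@@ -261` hunk.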
@@ -235,6 +241,19 @@ def test_ssh_pubkey_retrieve(add_user_with_ssh_key):
 assert len(sshpubkey) == 0
+def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
+"""
+Test that we can retrieve an SSH public key derived from a cert in ldap and compare with the sshpubkey derived via openssl, they should match.
+"""
+for u in [1,7]:
+pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_pubsshkey_000%s.pub" % u)
+with open(pubsshkey_path, 'r') as f:
+pubsshkey = f.read()
+sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u])
+print(sshpubkey)
+print(pubsshkey)
+assert sshpubkey == pubsshkey
+
 @pytest.fixture()
 def sighup_client(request):
 test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR,
@@ -261,12 +280,38 @@ def add_user_with_many_keys(request, ldap_conn):
 ent_list.add_user("user1", 1001, 2001, sshPubKey=pubkey_list)
 create_ldap_fixture(request, ldap_conn, ent_list)
-conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
 create_conf_fixture(request, conf)
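Review bot: The comparison in test_ssh_pubkey_retrieve_cert can pass vacuously: if the generated reference `.pub` file is empty and `sss_ssh_authorizedkeys` prints nothing (the context line above shows an empty result is a normal outcome), `sshpubkey == pubsshkey` still holds and a broken key derivation goes unnoticed. Add `assert pubsshkey.strip(), pubsshkey_path` before the equality check. The two `print` calls look like leftover debugging, and `@pytest.mark.parametrize("u", [1, 7])` would report which certificate failed instead of stopping at the first one. The fixture `add_user_with_ssh_cert` is not defined in the visible hunks.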
[SSSD] [sssd PR#5566][synchronized] Fix exponent padding when deriving rsapubkey to ssh
URL: https://github.com/SSSD/sssd/pull/5566 Author: peptekmail Title: #5566: Fix exponent padding when deriving rsapubkey to ssh Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5566/head:pr5566 git checkout pr5566 From 68b127651544b70e2f525768853502c5fb0d1d2d Mon Sep 17 00:00:00 2001 From: peptekmail Date: Sat, 3 Apr 2021 02:14:52 +0200 Subject: [PATCH 1/2] TEST: FIX: When generating a ssh pubkey from a cert extra padding is needed if a nonstandard eponent is chosen. --- src/tests/cmocka/test_pam_srv.c | 2 +- src/tests/intg/test_ssh_pubkey.py | 61 --- src/tests/test_CA/Makefile.am | 21 +-- src/tests/test_CA/README | 3 +- src/tests/test_CA/SSSD_test_cert_0005.config | 1 + src/tests/test_CA/SSSD_test_cert_0007.config | 6 +- src/tests/test_CA/SSSD_test_cert_key_0007.pem | 52 src/util/cert/libcrypto/cert.c| 9 ++- 8 files changed, 110 insertions(+), 45 deletions(-) diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c index d41f5e78a5..3720cf17bb 100644 --- a/src/tests/cmocka/test_pam_srv.c +++ b/src/tests/cmocka/test_pam_srv.c @@ -2310,7 +2310,7 @@ void test_pam_pss_cert_auth(void **state) mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", TEST_MODULE_NAME, "C554C9F82C2A9D58B70921C143304153A8A42F17", -"SSSD test cert 0007 /oddchar", NULL, +"SSSD test cert 0007", NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0007); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py index 24b5c258c6..949f082124 100644 --- a/src/tests/intg/test_ssh_pubkey.py +++ b/src/tests/intg/test_ssh_pubkey.py 
@@ -22,16 +22,16 @@
 import signal
 import subprocess
 import time
-import ldap
-import ldap.modlist
-import pytest
 import string
 import random
+import pytest
-import config
 import ds_openldap
-import ent
 import ldap_ent
+import ldap
+import ldap.modlist
+import config
+
 from util import unindent, get_call_output
 LDAP_BASE_DN = "dc=example,dc=com"
@@ -115,7 +115,7 @@ def create_ldap_fixture(request, ldap_conn, ent_list=None):
 SCHEMA_RFC2307_BIS = "rfc2307bis"
-def format_basic_conf(ldap_conn, schema):
+def format_basic_conf(ldap_conn, schema, config):
 """Format a basic SSSD configuration"""
 schema_conf = "ldap_schema = " + schema + "\n"
 schema_conf += "ldap_group_object_class = groupOfNames\n"
@@ -128,6 +128,10 @@ def format_basic_conf(ldap_conn, schema):
 [ssh]
 debug_level=10
+ca_db = {config.PAM_CERT_DB_PATH}
+
+[pam]
+pam_cert_auth = True
 [domain/LDAP]
 {schema_conf}
@@ -137,6 +141,7 @@ def format_basic_conf(ldap_conn, schema):
 ldap_search_base= {ldap_conn.ds_inst.base_dn}
 ldap_sudo_use_host_filter = false
 debug_level=10
+ldap_user_certificate = userCertificate;binary
 """).format(**locals())
@@ -217,7 +222,8 @@ def add_user_with_ssh_key(request, ldap_conn):
 ent_list.add_user("user2", 1002, 2001)
 create_ldap_fixture(request, ldap_conn, ent_list)
-conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
 create_conf_fixture(request, conf)
 create_sssd_fixture(request)
 return None
@@ -235,6 +241,19 @@ def test_ssh_pubkey_retrieve(add_user_with_ssh_key):
 assert len(sshpubkey) == 0
+def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
+"""
+Test that we can retrieve an SSH public key derived from a cert in ldap and compare with the sshpubkey derived via openssl, they should match.
+"""
+for u in [1,7]:
+pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_pubsshkey_000%s.pub" % u)
+with open(pubsshkey_path, 'r') as f:
+pubsshkey = f.read()
+sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u])
+print(sshpubkey)
+print(pubsshkey)
+assert sshpubkey == pubsshkey
+
 @pytest.fixture()
 def sighup_client(request):
 test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR,
@@ -261,12 +280,38 @@ def add_user_with_many_keys(request, ldap_conn):
 ent_list.add_user("user1", 1001, 2001, sshPubKey=pubkey_list)
 create_ldap_fixture(request, ldap_conn, ent_list)
-conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
 create_conf_fixture(request, conf)
[SSSD] [sssd PR#5566][opened] Fix exponent padding when deriving rsapubkey to ssh
URL: https://github.com/SSSD/sssd/pull/5566 Author: peptekmail Title: #5566: Fix exponent padding when deriving rsapubkey to ssh Action: opened PR body: """ Padding is sometimes needed if a nonstandard exponent is chosen. The fix is just a couple of lines in cert.c But the integration-test requires a certificate to be pushed to LDAP and the output should match the pubkey derived from THE original certificate via p11-tool and openssh. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5566/head:pr5566 git checkout pr5566 From 68b127651544b70e2f525768853502c5fb0d1d2d Mon Sep 17 00:00:00 2001 From: peptekmail Date: Sat, 3 Apr 2021 02:14:52 +0200 Subject: [PATCH] TEST: FIX: When generating a ssh pubkey from a cert extra padding is needed if a nonstandard eponent is chosen. --- src/tests/cmocka/test_pam_srv.c | 2 +- src/tests/intg/test_ssh_pubkey.py | 61 --- src/tests/test_CA/Makefile.am | 21 +-- src/tests/test_CA/README | 3 +- src/tests/test_CA/SSSD_test_cert_0005.config | 1 + src/tests/test_CA/SSSD_test_cert_0007.config | 6 +- src/tests/test_CA/SSSD_test_cert_key_0007.pem | 52 src/util/cert/libcrypto/cert.c| 9 ++- 8 files changed, 110 insertions(+), 45 deletions(-) diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c index d41f5e78a5..3720cf17bb 100644 --- a/src/tests/cmocka/test_pam_srv.c +++ b/src/tests/cmocka/test_pam_srv.c @@ -2310,7 +2310,7 @@ void test_pam_pss_cert_auth(void **state) mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", TEST_MODULE_NAME, "C554C9F82C2A9D58B70921C143304153A8A42F17", -"SSSD test cert 0007 /oddchar", NULL, +"SSSD test cert 0007", NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0007); will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py index 24b5c258c6..949f082124 100644 --- a/src/tests/intg/test_ssh_pubkey.py 
+++ b/src/tests/intg/test_ssh_pubkey.py
@@ -22,16 +22,16 @@
 import signal
 import subprocess
 import time
-import ldap
-import ldap.modlist
-import pytest
 import string
 import random
+import pytest
-import config
 import ds_openldap
-import ent
 import ldap_ent
+import ldap
+import ldap.modlist
+import config
+
 from util import unindent, get_call_output
 LDAP_BASE_DN = "dc=example,dc=com"
@@ -115,7 +115,7 @@ def create_ldap_fixture(request, ldap_conn, ent_list=None):
 SCHEMA_RFC2307_BIS = "rfc2307bis"
-def format_basic_conf(ldap_conn, schema):
+def format_basic_conf(ldap_conn, schema, config):
 """Format a basic SSSD configuration"""
 schema_conf = "ldap_schema = " + schema + "\n"
 schema_conf += "ldap_group_object_class = groupOfNames\n"
@@ -128,6 +128,10 @@ def format_basic_conf(ldap_conn, schema):
 [ssh]
 debug_level=10
+ca_db = {config.PAM_CERT_DB_PATH}
+
+[pam]
+pam_cert_auth = True
 [domain/LDAP]
 {schema_conf}
@@ -137,6 +141,7 @@ def format_basic_conf(ldap_conn, schema):
 ldap_search_base= {ldap_conn.ds_inst.base_dn}
 ldap_sudo_use_host_filter = false
 debug_level=10
+ldap_user_certificate = userCertificate;binary
 """).format(**locals())
@@ -217,7 +222,8 @@ def add_user_with_ssh_key(request, ldap_conn):
 ent_list.add_user("user2", 1002, 2001)
 create_ldap_fixture(request, ldap_conn, ent_list)
-conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS, config)
 create_conf_fixture(request, conf)
 create_sssd_fixture(request)
 return None
@@ -235,6 +241,19 @@ def test_ssh_pubkey_retrieve(add_user_with_ssh_key):
 assert len(sshpubkey) == 0
+def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert):
+"""
+Test that we can retrieve an SSH public key derived from a cert in ldap and compare with the sshpubkey derived via openssl, they should match.
+"""
+for u in [1,7]:
+pubsshkey_path = os.path.join(os.path.dirname(config.PAM_CERT_DB_PATH),"SSSD_test_cert_pubsshkey_000%s.pub" % u)
+with open(pubsshkey_path, 'r') as f:
+pubsshkey = f.read()
+sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user%s" % u])
+print(sshpubkey)
+print(pubsshkey)
+assert sshpubkey == pubsshkey
+
 @pytest.fixture()
 def sighup_client(request):
 test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR,
@@ -261,12 +280,38 @@ def add_user_with_many_keys(request, ldap_conn):
 ent_list.add_user("user1", 1001, 2001, sshPubKey=pubkey_list)
[SSSD] [sssd PR#5535][comment] A set of patches to sanitize logger code a little bit.
URL: https://github.com/SSSD/sssd/pull/5535 Title: #5535: A set of patches to sanitize logger code a little bit. joakim-tjernlund commented: """ This PR forgot to change -f in src/sysv/gentoo/sssd.in so sssd now fails to start as -f option is not recognized. Please replace -f with --logger=files """ See the full comment at https://github.com/SSSD/sssd/pull/5535#issuecomment-812456635