RoundsToZero (Guru)
Joined: 17 Nov 2003 Posts: 478 Location: New York, NY
Posted: Tue Jun 27, 2006 3:25 am Post subject: SSH server w/ ldap can't check key over ldaps [solved]
I'm using LDAP to store public keys for SSH authentication (aka "LPK" or the ldap use flag for openssh). Everything works as long as I use insecure ldap as opposed to ldaps. When I use ldaps I get this error:
```
ldap_connect: (TLS) ldap_start_tls(): Can't contact LDAP server (-1)
ldap_simple_bind_s(): Can't contact LDAP server (-1)
[LDAP] could not initialize ldap connection
```
I am pretty sure (from seeing the same thing when trying to configure mod_auth_ldap for Apache with ldaps) that the problem is that the SSH server (like the Apache server before) isn't trusting the LDAP server's certificate. In Apache there is an option where you give it the path to the CA certificate that signed the LDAP server's certificate. Then Apache started trusting the LDAP server and my problem was resolved. With the SSH server, there doesn't seem to be such an option to tell it to trust the LDAP server.
This is my LPK section in sshd_config:
```
UseLPK yes
#LpkLdapConf /etc/ldap.conf
LpkServers ldaps://amsa.info
LpkUserDN ou=People,dc=amsa,dc=info
LpkGroupDN ou=Group,dc=amsa,dc=info
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
```
Like I said, it works if I change ldaps:// to ldap://, but I need to be able to use ldaps.
Last edited by RoundsToZero on Sun Jul 09, 2006 6:28 pm; edited 1 time in total
Philantrop (Retired Dev)
Joined: 21 Dec 2004 Posts: 1130 Location: Germany
Posted: Tue Jun 27, 2006 6:03 am
Are you using OpenLDAP 2.1 or 2.2 and self-signed certificates?
In that case, you'll need to put "TLS_REQCERT never" (man ldap.conf) into ldap.conf:
man ldap.conf wrote:
> TLS_REQCERT <level>
> Specifies what checks to perform on server certificates in a TLS session, if any. The <level> can be specified as one of the following keywords:
> never: The client will not request or check any server certificate.
> allow: The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.
> try: The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
> demand | hard: These keywords are equivalent. The server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated. This is the default setting.
RoundsToZero (Guru)
Joined: 17 Nov 2003 Posts: 478 Location: New York, NY
Posted: Tue Jun 27, 2006 12:19 pm
I am using OpenLDAP 2.3 since it's stable now. Unfortunately, I want certificate checking, because otherwise how does the SSH server know that it's talking to the real LDAP server?
weyhan (Apprentice)
Joined: 27 May 2003 Posts: 245
Posted: Sun Jul 09, 2006 6:07 pm
RoundsToZero,
AFAIK, all you need to do is use the FQDN of your server for this entry when you are creating and signing your cert.
```
...
Common Name (eg, YOUR name) []:
...
```
It must be the full domain name of your LDAP server or it will not work.
HTH
RoundsToZero (Guru)
Joined: 17 Nov 2003 Posts: 478 Location: New York, NY
Posted: Sun Jul 09, 2006 6:27 pm
I was already doing that, but it didn't work.
It turns out that OpenSSH won't use SSL for LDAP, only TLS. Therefore it always connects with ldap:// as opposed to ldaps:// and uses port 389 instead of 636. It will always ask to upgrade to a secured connection with TLS, which I already had enabled on my LDAP server. When you connect directly with ldaps:// on 636, the LDAP server doesn't do any TLS, so when OpenSSH asks to upgrade to a secured connection, it won't work.
Changed to solved.
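The mechanism RoundsToZero describes above (a plain connection on 389, an upgrade through the LDAPv3 StartTLS extended operation, and then a TLS handshake in which the server certificate is verified against the CA, which is what ldap.conf expresses as TLS_REQCERT demand plus TLS_CACERT), as an added example that is not code from this thread or from OpenSSH's LPK patch. It encodes and decodes the two StartTLS messages itself so the exchange can be checked offline; start_tls_connect is the only part that needs a real server, and the host, CA file path and port passed to it are assumed values.

```python
import socket
import ssl

# OID of the LDAPv3 StartTLS extended operation (RFC 4511, section 4.14).
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"

def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER element; short-form length is enough for the small messages built here."""
    if len(body) >= 0x80:
        raise ValueError("body too long for short-form BER length")
    return bytes([tag, len(body)]) + body

def build_start_tls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, START_TLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_req)   # messageID < 128 assumed

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER element at pos (short or long definite length); return (tag, body, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the low 7 bits count the length bytes
        n_len = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n_len], "big"), pos + n_len
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(msg: bytes):
    """Return (resultCode, diagnosticMessage) from an LDAPMessage carrying an ExtendedResponse."""
    tag, body, _ = read_tlv(msg)
    _, _, pos = read_tlv(body)              # messageID, not needed here
    op, resp, _ = read_tlv(body, pos)
    if tag != 0x30 or op != 0x78:           # 0x78 = [APPLICATION 24] ExtendedResponse
        raise ValueError("not an LDAP ExtendedResponse")
    _, code, pos = read_tlv(resp)           # resultCode (ENUMERATED), 0 = success
    _, _, pos = read_tlv(resp, pos)         # matchedDN
    _, diag, _ = read_tlv(resp, pos)        # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def start_tls_connect(host: str, cafile: str, port: int = 389) -> ssl.SSLSocket:
    """Connect in the clear on 389, send StartTLS, then verify the server certificate against cafile."""
    sock = socket.create_connection((host, port), timeout=5)
    sock.sendall(build_start_tls_request())
    code, diag = parse_extended_response(sock.recv(4096))
    if code != 0:                           # a server not configured for TLS refuses the upgrade here
        sock.close()
        raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
    ctx = ssl.create_default_context(cafile=cafile)   # chain and hostname check, as TLS_REQCERT demand
    return ctx.wrap_socket(sock, server_hostname=host)
```

A server that only offers TLS on the ldaps port 636 answers the StartTLS request on 389 with a non-zero resultCode, which is the failure LPK hit in this thread.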
weyhan (Apprentice)
Joined: 27 May 2003 Posts: 245
Posted: Sun Jul 09, 2006 6:37 pm
Ah... Now I know what you mean. The setting I have on my server is just to use PAM for the authentication. However, PAM is configured to use TLS and does certificate checking.
I'm wondering if that is an option to you. If not, why not?
I'm just curious.
RoundsToZero (Guru)
Joined: 17 Nov 2003 Posts: 478 Location: New York, NY
Posted: Sun Jul 09, 2006 6:49 pm
I'm using public keys, not passwords.
weyhan (Apprentice)
Joined: 27 May 2003 Posts: 245
Posted: Sun Jul 09, 2006 7:11 pm
Oops! My bad. Now I really get what you mean.
I was stuck with the idea that public keys MUST be stored in ~/.ssh/ and did not realize that you are talking about storing the public key in the LDAP directory.
Thanks. Now I know better. :D