OpenSSH CDB patch

Date: April 28, 2007

I've put together a patch against OpenSSH which allows users to be authenticated with their public keys stored in a CDB database. In a small device like a wireless router (perhaps using authpf?), public keys can be used without requiring each user to have a home directory.

If you're interested in authenticating OpenSSH against public keys stored in an LDAP directory, check out the OpenSSH LDAP Public Key patch. The design of this patch was loosely based on that fine code.

Essentials

Building

  1. Extract & build your CDB library of choice
  2. Extract OpenSSH sources...
  3. In the source working directory, apply the patch: patch -p1 < openssh-cdb-4.5p1-20070428.patch
  4. Build away!

Setup

  1. Add the following lines to your sshd_config file, wherever it lives, adjusting as is necessary:

         UseCDBPK   yes
         CdbPkFile  /etc/pubkeys.cdb       # NB: This is the default location
          
  2. Get yourself started with a pubkeys.cdb using the above tool pubdb.py and cdbmake:

         # cdbmake takes the target file plus a temporary file on the same filesystem
         echo $USER ~/.ssh/id_rsa.pub | ./pubdb.py | cdbmake /etc/pubkeys.cdb /etc/pubkeys.cdb.tmp
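
The following added example is not pubdb.py and not part of the patch: it checks each public key line before it goes into the database and emits cdbmake's standard input format (+klen,dlen:key->data, ended by a blank line). It assumes the record key is the user name and the value is the key type plus base64 blob; the function names are hypothetical.

```python
import base64
import struct
import sys


def check_pubkey(line):
    """Return '<type> <base64>' from a .pub line, or raise ValueError."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    # Strict decoding also rejects lines that start with authorized_keys
    # options, because the second field is then not base64.
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return "%s %s" % (key_type, b64)  # the free-text comment is dropped


def cdb_record(user, key_line):
    """One cdbmake input record; lengths are counted in bytes."""
    if not user or any(c.isspace() for c in user):
        raise ValueError("bad user name: %r" % user)
    k = user.encode("utf-8")
    d = check_pubkey(key_line).encode("ascii")
    return b"+%d,%d:%s->%s\n" % (len(k), len(d), k, d)


def cdb_input(entries):
    """Records for (user, key_line) pairs, then the terminating blank line."""
    return b"".join(cdb_record(u, k) for u, k in entries) + b"\n"


def constructed_key(key_type="ssh-rsa"):
    # Constructed sample, not a usable key: type string plus padding bytes.
    t = key_type.encode("ascii")
    blob = struct.pack(">I", len(t)) + t + b"\x00" * 16
    return "%s %s demo@example" % (key_type, base64.b64encode(blob).decode())


if __name__ == "__main__":
    sys.stdout.buffer.write(cdb_input([("alice", constructed_key())]))
```

A rejected line raises ValueError before anything is written, so a malformed entry never reaches cdbmake.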

Try it out!

Any comments, questions or contributions are most welcome! Please feel free to get in touch with me, Pete, at pete -at- blonos -dot- com.