
Re: inconsistent sshPublicKey entries



On Tue, Feb 12, 2013 at 05:47:23PM +0100, Pierangelo Masarati wrote:
> On 02/12/2013 05:32 PM, Michael W. Lucas wrote:
> > Hi,
> >
> > I'm running OpenLDAP 2.4.21 on FreeBSD. We do a lot of administration
> > via phpLDAPAdmin, but I do some command-line stuff. And I've seen an
> > inconsistency between the two in the ldapPublicKey object class.
> >
> > When I look in phpLDAPAdmin, my SSH keys start like this:
> >
> > ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAw9zmtbk8b...
> > ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfZ/p...
> >
> > If I do a ldapsearch, however, I get:
> >
> > sshPublicKey:: c3NoLXJzYSBBQUFBQjNOemFD....
> > sshPublicKey: ssh-rsa AAAAB3NzaC1
> >
> > The ssh-rsa or ssh-dss string is missing from all public keys except
> > the last one displayed. The entries without a key type have a double
> > colon.
> >
> > slapcat behaves like ldapsearch.
> >
> > But I have to believe that the key type information is in the
> > database, somewhere, because phpLDAPAdmin reports it's there.
> >
> > I didn't notice this while we used the LPK patch for our SSH servers,
> > but we're now migrating to the official OpenSSH AuthorizedKeysCommand
> > feature. I have a script to retrieve the keys, but my SSH servers only
> > recognize the last key. They reject the others because they don't have
> > a key type attached.
> 
> $ echo -n 'c3NoLXJzYSBBQUFBQjNOemFD' | base64 -d && echo ''
> ssh-rsa AAAAB3NzaC
> 
> likely there is something in the key that makes ldapsearch present it
> b64-encoded (likely a trailing space?)


You are exactly correct, thank you!

The problem keys had a trailing newline. Removed that, and all
problems went away.

==ml

-- 
Michael W. Lucas  -  mwlucas@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.
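The thread's diagnosis, as an added example that is not part of the original mail or of any of the tools it mentions: ldapsearch and slapcat both print LDIF, and LDIF (RFC 2849) may only write a value as `attr: value` when the value is a SAFE-STRING (ASCII, no NUL/LF/CR, not starting with space, `:` or `<`); anything else is emitted base64-encoded after a double colon, which is exactly what a trailing newline in sshPublicKey triggers. The code below implements that rule, parses both forms (including LDIF line folding) out of ldapsearch-style output, and normalises the values into lines an AuthorizedKeysCommand script could emit. The DN, uid and key fragments in the sample LDIF are constructed (the fragments are the truncated ones from the mail and are not valid keys, so sshd would still reject them; the point here is the whitespace and key-type handling), and the KEY_TYPES list and all function names are this example's own.

```python
"""Parse sshPublicKey values out of ldapsearch/slapcat LDIF output.

Added example, not code from the original thread. It shows why a value
with a trailing newline comes out as 'attr:: <base64>', decodes such
values, and turns them into authorized_keys lines.
"""
import base64
import re

# RFC 2849 SAFE-STRING: ASCII only, no NUL/LF/CR, first byte not SPACE, ':' or '<'.
# A value that is not a SAFE-STRING must be written base64-encoded ('attr:: ').
# The RFC also says values ending in SPACE SHOULD be base64-encoded; real tools
# (OpenLDAP among them) may be stricter still, e.g. for other control characters.
_SAFE_INIT_FORBIDDEN = {0x00, 0x0A, 0x0D, 0x20, 0x3A, 0x3C}
_SAFE_FORBIDDEN = {0x00, 0x0A, 0x0D}


def ldif_needs_base64(value: bytes) -> bool:
    """Return True if an LDIF writer must use the '::' (base64) form for value."""
    if not value:
        return False
    if value[0] > 0x7F or value[0] in _SAFE_INIT_FORBIDDEN:
        return True
    if value.endswith(b" "):
        return True
    return any(b > 0x7F or b in _SAFE_FORBIDDEN for b in value[1:])


def parse_ldif_attr(text: str, attr: str) -> list:
    """Return every value of `attr` in LDIF text as bytes, decoding '::' values.

    Continuation lines (a leading single space) are unfolded first, since
    ldapsearch wraps long base64 values across several lines.
    """
    unfolded = re.sub(r"\n ", "", text)
    pattern = re.compile(r"^" + re.escape(attr) + r"(::?) ?(.*)$", re.MULTILINE)
    values = []
    for m in pattern.finditer(unfolded):
        sep, raw = m.group(1), m.group(2)
        if sep == "::":
            values.append(base64.b64decode(raw))   # the '::' form: base64
        else:
            values.append(raw.encode("utf-8"))     # the ':' form: plain SAFE-STRING
    return values


# Key types this example accepts (assumption; extend to match your sshd).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def authorized_keys_lines(values: list) -> tuple:
    """Normalise raw sshPublicKey values into (accepted, rejected) lines.

    Surrounding whitespace, including the trailing newline from the thread,
    is stripped. Lines whose first token is not a key type are reported as
    rejected instead of being emitted, because sshd silently ignores them.
    """
    accepted, rejected = [], []
    for v in values:
        line = v.decode("utf-8", "replace").strip()
        if line.split(" ", 1)[0] in KEY_TYPES:
            accepted.append(line)
        else:
            rejected.append(line)
    return accepted, rejected


def keys_from_ldif(text: str) -> tuple:
    """End-to-end: LDIF text in, (accepted, rejected) authorized_keys lines out."""
    return authorized_keys_lines(parse_ldif_attr(text, "sshPublicKey"))


# Constructed sample resembling the thread's ldapsearch output. KEY_A carries a
# trailing newline, so it is written base64-encoded and folded; KEY_B is plain;
# the third value lacks its key type, as the rejected keys in the thread did.
KEY_A = b"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAw9zmtbk8b"   # truncated fragment
KEY_B = b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfZ/p"     # truncated fragment
_b64 = base64.b64encode(KEY_A + b"\n").decode("ascii")
SAMPLE_LDIF = "\n".join([
    "dn: uid=mwl,ou=people,dc=example,dc=com",
    "objectClass: ldapPublicKey",
    "uid: mwl",
    "sshPublicKey:: " + _b64[:40],
    " " + _b64[40:],                     # LDIF continuation line
    "sshPublicKey: " + KEY_B.decode("ascii"),
    "sshPublicKey: AAAAB3NzaC1yc2EAAAADAQABAAABAQDfZ/p",
    "",
])

if __name__ == "__main__":
    good, bad = keys_from_ldif(SAMPLE_LDIF)
    for line in good:
        print(line)                      # what an AuthorizedKeysCommand would emit
    for line in bad:
        print("# rejected (no key type):", line)
```

In a real AuthorizedKeysCommand the text fed to `keys_from_ldif` would come from running ldapsearch for the username sshd passes as an argument; the `.strip()` in `authorized_keys_lines` is the fix the thread arrived at, applied at read time rather than by editing every entry, and `ldif_needs_base64` is the check to run over a value before storing it if you want `ldapsearch` output to stay human-readable.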