SSH key authentication using LDAP
In short:
Would like a way to do SSH key authentication via LDAP.
Problem:
We use LDAP (slapd) for directory services and we've recently moved to using our own AMI for building instances. The reason the AMI bit is important is that, ideally, we would like to be able to login with SSH via key authentication as soon as the instance is running and not have to wait for our somewhat slow configuration management tool to kickoff a script to add the correct keys to the instance.
The ideal scenario is that, when adding a user to LDAP we add their key as well and they'd be immediately be able to login.
Key authentication is a must because password-based login is both less secure and bothersome.
I've read this question which suggests there's a patch for OpenSSH called OpenSSH-lpk to do this but this is no longer needed with OpenSSH server >= 6.2
Added a sshd_config(5) option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run under an account specified by an AuthorizedKeysCommandUser sshd_config(5) option
How can I configure OpenSSH and LDAP to implement this?
Update LDAP to include the OpenSSH-LPK schema
We first need to update LDAP with a schema to add the sshPublicKey attribute for users:
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
DESC 'MANDATORY: OpenSSH Public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
DESC 'MANDATORY: OpenSSH LPK objectclass'
MAY ( sshPublicKey $ uid )
)
Create a script that queries LDAP for a user's public key:
The script should output the public keys for that user, example:
ldapsearch '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
Update sshd_config to point to the script from the previous step
AuthorizedKeysCommand /path/to/scriptAuthorizedKeysCommandUser nobody
Bonus: Update sshd_config to allow password authentication from internal RFC1918 networks as seen in this question:
Only allow password authentication to SSH server from internal network
Useful links:
- https://github.com/AndriiGrytsenko/openssh-ldap-publickey
- Private key authentication with pam_ldap
EDIT: Added user nobody as suggested TRS-80
This is not a full answer, just an addition to c4urself's answer. I would have added this as a comment, but I don't have sufficient reputation to comment, so please don't downvote!
This is the script I'm using for the AuthorizedKeysCommand (based on c4urself's version). It works regardless of whether the value is returned in base64 encoding or not. This can be especially useful if you want to store multiple authorized keys in LDAP -- simply seperate the keys with newline characters, similar to the authorized_keys file.
#!/bin/bash
set -eou pipefail
IFS=$'\n\t'
result=$(ldapsearch '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey')
attrLine=$(echo "$result" | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;/sshPublicKey:/p')
if [[ "$attrLine" == sshPublicKey::* ]]; then
echo "$attrLine" | sed 's/sshPublicKey:: //' | base64 -d
elif [[ "$attrLine" == sshPublicKey:* ]]; then
echo "$attrLine" | sed 's/sshPublicKey: //'
else
exit 1
fi
For anyone getting the error when running the ldapsearch:
sed: 1: "/^ /{H;d};": extra characters at the end of d command
as I was (on FreeBSD), the fix is to change the first sed command to:
/^ /{H;d;};
(adding a semicolon after the 'd').
Just wanted to share my "method", my client side is Debian/Ubuntu Specific, but my Server side is basically the same as above, but with a little more "HowTo:"
Server :
Enable Public Key Attribute :
Credit :
https://blog.shichao.io/2015/04/17/setup_openldap_server_with_openssh_lpk_on_ubuntu.html
cat << EOL >~/openssh-lpk.ldif
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
DESC 'MANDATORY: OpenSSH Public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
DESC 'MANDATORY: OpenSSH LPK objectclass'
MAY ( sshPublicKey $ uid )
)
EOL
Now use this to add ldif :
ldapadd -Y EXTERNAL -H ldapi:/// -f ~/openssh-lpk.ldif
Adding a user with SSH public key in phpLDAPadmin
First, create a user with the “Generic: User Account” template. Then, go to the “objectClass” attribute section, click “add value”, and choose the “ldapPublicKey” attribute. After you submit, go back to the user edit page, click “Add new attribute” on the top part, and choose “sshPublicKey”, paste the public key into the text area, and finally click “Update Object”."
sshPublicKey Attribute not showing - OpenLDAP PHPLDAP SSH Key Auth
Ubuntu Client :
apt-get -y install python-pip python-ldap
pip install ssh-ldap-pubkey
sh -c 'echo "AuthorizedKeysCommand /usr/local/bin/ssh-ldap-pubkey-wrapper\nAuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config' && service ssh restart
Create Test Keys :
ssh-keygen -t rsa