I am trying to setup a network of Centos 7 machines with sshd that authenticate public keys against an AWS Simple Directory Service directory.
Currently, I have a bunch of Centos hosts, an instance of Windows Server 2008, and a directory using Amazon Web Service (AWS) Simple Directory Service. The windows box is used to administer the directory, and the Centos boxes use the directory to authenticate SSH sessions. All machines have been joined to the directory.
I have verified that I am able to SSH into the Centos boxes as both local and domain users using simple password authentication. Similarly, I am able to RDP into the Windows box using both local and domain accounts, simple password authentication.
However, the schema setup by AWS in my directory did not include any classes with a sshPublicKey
field out of the box, so to speak.
So, I used the Active Directory Schema Snap-in on the Windows box to add the following attribute to my schema:
Common Name: sshPublicKey
OOID: 1.3.6.1.4.1.24552.1.1.1.13
Syntax: IA5-String
Multi-valued: true
I then created the following class:
Common Name: LDAP Public Key
OOID: 1.3.6.1.4.1.24552.500.1.1.2.0
Parent Class: top
Class Type: Auxiliary
Optional Attributes: sshPublicKey
Then, I used the ADSI Snap-in to add the content of a user's public key to the sshPublicKey
field of their entry in the directory.
On one of my Centos boxes, I disabled password authentication by setting PasswordAuthentication no
in sshd's config file.
Then, I attempted to ssh into that Centos box using the directory user with the sshPublicKey
attribute set:
$ ssh -l user@directory.server -i ~/.ssh/path.to.key.pub centos.box -vvv;
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/localuser/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to centos.box [ip addy] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "~/.ssh/path.to.key.pub" as a RSA1 public key
debug1: identity file ~/.ssh/path.to.key.pub type 1
debug1: identity file ~/.ssh/path.to.key.pub type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "centos.box" from file "/Users/localuser/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/localuser/.ssh/known_hosts:someLineNumber
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 116/256
debug2: bits set: 535/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA blah
debug3: load_hostkeys: loading entries for host "centos.box" from file "/Users/localuser/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/localuser/.ssh/known_hosts:someLine
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'centos.box' is known and matches the RSA host key.
debug1: Found key in /Users/localuser/.ssh/known_hosts:27
debug2: bits set: 509/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/localuser/.ssh/path.to.key.pub (0x7fb3cb600000), explicit
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/localuser/.ssh/path.to.key.pub
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
$
And on the Centos box, we get:
$ sudo journalctl -felu sshd
....
Some Date centos.box sshd[a number]: Connection closed by 1.2.3.4 [preauth]
Permissions on the private key are 600
; permissions on the public key are 644
I'm not sure how to check the server logs on the directory service host.
Any ideas what I' doing wrong?
Best Answer
To make sure
sshd
talks tosssd
for public key authentication, do the following on thesshd
host:Add the following line to the
[sssd]
section of your/etc/sssd/sssd.conf
file:This tells
sssd
it should talk tosshd
.If there isn't already an
[ssh]
section there, add a blank[ssh]
section of your/etc/sssd/sssd.conf
file:This is a required config section for all services to which
sssd
talks.Add the following line to the
[domain/directory.server]
section of your/etc/sssd/sssd.conf
file, wheredirectory.server
is the fully qualified domain name of your directory service host:This tells
sssd
which attribute to use for findingsshd
users' public SSH keys. ( The default attribute used bysssd
isipaSshPubKey
, which can be found on the schema for theipaSshUser
andipaSshHost
classes. )Add the following lines into your
/etc/sshd/sshd_config
file:This tells
sshd
to execute the file/usr/bin/sss_ssh_authorizedkeys
as usernobody
./usr/bin/sss_ssh_authorizedkeys
fetches authorized keys for the user attempting to authenticate into thesshd
host.Add the following lines into your
/etc/sshd/ssh_config
file:This tells
sssd
adds the client's name and public keys to/var/lib/sss/pubconf/known_hosts
and to connect to the client, pipes all communication through standard I/O, using the executable file/usr/bin/sss_ssh_knownhostsproxy
.Restart both services: