SSH key authentication using LDAP

ldapssh

In short:

I would like a way to do SSH key authentication via LDAP.

Problem:

We use LDAP (slapd) for directory services and we've recently moved to using our own AMI for building instances. The reason the AMI bit is important is that, ideally, we would like to be able to log in with SSH via key authentication as soon as the instance is running and not have to wait for our somewhat slow configuration management tool to kick off a script to add the correct keys to the instance.

The ideal scenario is that, when adding a user to LDAP, we add their key as well and they'd immediately be able to log in.

Key authentication is a must because password-based login is both less secure and bothersome.

I've read this question, which suggests there's a patch for OpenSSH called OpenSSH-lpk to do this, but this is no longer needed with OpenSSH server >= 6.2:

Added a sshd_config(5) option AuthorizedKeysCommand to
support fetching authorized_keys from a command in addition to (or
instead of) from the filesystem. The command is run under an account
specified by an AuthorizedKeysCommandUser sshd_config(5) option

How can I configure OpenSSH and LDAP to implement this?

Best Answer

Update LDAP to include the OpenSSH-LPK schema

We first need to update LDAP with a schema to add the sshPublicKey attribute for users:

dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
    DESC 'MANDATORY: OpenSSH Public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    MAY ( sshPublicKey $ uid )
    )

Create a script that queries LDAP for a user's public key:

The script should output the public keys for that user; for example:

#!/bin/sh
# sshd passes the login name being authenticated as $1.
# Server URI and search base come from ldap.conf(5); the sed joins LDIF
# continuation lines and prints one sshPublicKey value per line.
ldapsearch '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

Update sshd_config to point to the script from the previous step

  • AuthorizedKeysCommand /path/to/script
  • AuthorizedKeysCommandUser nobody

Bonus: Update sshd_config to allow password authentication from internal RFC1918 networks as seen in this question:

Only allow password authentication to SSH server from internal network

Useful links:

EDIT: Added user nobody as suggested by TRS-80.
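A fuller version of the AuthorizedKeysCommand script from the answer above, added here as an example and not code from the original answer. It checks that the login name sshd passes as $1 is a plain username before it goes into the LDAP filter, queries for sshPublicKey explicitly, and unfolds LDIF continuation lines and base64-encoded (::) values into one key per line, which is the part the sed one-liner handles only partially. LDAP_URI and LDAP_BASE are assumed placeholders, and the embedded LDIF sample is constructed so the parser can be exercised without a directory server.

```shell
#!/bin/sh
# Added example, not code from the original answer: an AuthorizedKeysCommand
# script that validates the login name, queries LDAP for sshPublicKey, and
# unfolds the LDIF it gets back into one public key per line.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.internal}"    # assumption: your server
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=com}"   # assumption: your base DN

# Only accept a plain login name before it is interpolated into the LDAP
# filter; anything else (spaces, parentheses, wildcards) yields no keys.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Turn LDIF on stdin into bare public keys: continuation lines (leading space)
# are joined to the previous line, "sshPublicKey::" values are base64-decoded,
# and every other attribute (dn, uid, ...) is dropped.
unfold_keys() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    while IFS= read -r line; do
        case "$line" in
            'sshPublicKey:: '*) printf '%s\n' "${line#sshPublicKey:: }" | base64 -d
                                printf '\n' ;;
            'sshPublicKey: '*)  printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}

# What sshd calls: prints nothing and exits 1 for a malformed name, so no
# LDAP query is built from it at all.
fetch_keys() {
    valid_username "$1" || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey | unfold_keys
}

# Constructed sample of what ldapsearch -LLL prints for one user: a plain key,
# a key folded over two lines, and a base64-encoded (::) key. Not real keys.
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY alice@example
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-CONSTRUCTED-
 FOLDED-KEY alice-rsa@example
sshPublicKey:: c3NoLWVkMjU1MTkgQUFBQSBiYXNlNjQtdGVzdA==
uid: alice
'

# Runs the parser over the constructed sample so it can be checked offline.
demo_keys() {
    printf '%s' "$SAMPLE_LDIF" | unfold_keys
}

if [ "$#" -eq 1 ]; then
    fetch_keys "$1"     # invoked by sshd with the login name
else
    demo_keys           # no argument: show the parser on the sample LDIF
fi
```

Install it as AuthorizedKeysCommand with AuthorizedKeysCommandUser nobody as in the answer; sshd requires the script to be owned by root and not writable by anyone else. Run with no arguments it prints the three sample keys, which is a quick way to confirm the LDIF unfolding before pointing it at a real directory.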