In short:
Would like a way to do SSH key authentication via LDAP.
Problem:
We use LDAP (slapd) for directory services and we've recently moved to using our own AMI for building instances. The reason the AMI bit is important is that, ideally, we would like to be able to login with SSH via key authentication as soon as the instance is running and not have to wait for our somewhat slow configuration management tool to kickoff a script to add the correct keys to the instance.
The ideal scenario is that, when adding a user to LDAP we add their key as well and they'd be immediately be able to login.
Key authentication is a must because password-based login is both less secure and bothersome.
I've read this question which suggests there's a patch for OpenSSH called OpenSSH-lpk to do this but this is no longer needed with OpenSSH server >= 6.2
Added a sshd_config(5) option AuthorizedKeysCommand to
support fetching authorized_keys from a command in addition to (or
instead of) from the filesystem. The command is run under an account
specified by an AuthorizedKeysCommandUser sshd_config(5) option
How can I configure OpenSSH and LDAP to implement this?
Best Answer
Update LDAP to include the OpenSSH-LPK schema
We first need to update LDAP with a schema to add the
sshPublicKey
attribute for users:Create a script that queries LDAP for a user's public key:
The script should output the public keys for that user, example:
ldapsearch '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
Update
sshd_config
to point to the script from the previous stepAuthorizedKeysCommand /path/to/script
AuthorizedKeysCommandUser nobody
Bonus: Update
sshd_config
to allow password authentication from internal RFC1918 networks as seen in this question:Only allow password authentication to SSH server from internal network
Useful links:
EDIT: Added user
nobody
as suggested TRS-80