I would like to enable the following:

Linux EC2 instances in AWS that perform LDAP authentication of users who have no home directory currently on the box. I have a working OpenLDAP in AWS for the task.

Once LDAP authenticated:
- The user's home directory will get created
- The user's public SSH key is retrieved from their `sshPublicKey` attribute in LDAP and they can only log on if their local SSH private key matches

I know how to do LDAP auth OR retrieval of the public key via an `ldapsearch`, but I want to do both.

The scenario I am trying to mitigate against is when an employee leaves the company: I can just disable their account in OpenLDAP and even if their public key exists on machines, they won't be able to use them because they will also fail LDAP auth.

I've hunted round on StackExchanges and don't think I've found what I'm looking for. The closest I've come is
Best Answer
Authentication

There's `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` in sshd_config(5) since OpenSSH 6.2. You need that to authenticate the user against his/her `sshPublicKey` which is stored in LDAP. You don't even need ldapsearch to get the sshPublicKey; curl can do it too, since it knows the LDAP protocol.

When `AuthorizedKeysCommand` is defined but the command doesn't return any public key, the OpenSSH server continues with `AuthorizedKeysFile` and then with `PasswordAuthentication`.

On AWS EC2, PasswordAuthentication is disabled, so if you really want it, you need to enable it in the config. But I wouldn't recommend PasswordAuthentication at all today.

Small recap: you want these options in /etc/ssh/sshd_config: `AuthorizedKeysFile`, `AuthorizedKeysCommand`, `AuthorizedKeysCommandUser` and `PasswordAuthentication`.

Disabling user

As mentioned in the discussion under the question: you can either use the `loginShell` LDAP attribute and modify its value to `/bin/false` or `/usr/sbin/nologin`, or use another attribute and add it into the search query. This differs depending on your setup. What's your setup? nslcd (nss-pam-ldapd), nss-pam-ldap, sssd or something else?
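The two halves of the answer above (an `AuthorizedKeysCommand` that pulls `sshPublicKey` from OpenLDAP, and refusing keys for an account whose `loginShell` has been set to `/bin/false` or `/usr/sbin/nologin`) put together as one script. This is an added example, not code from the original question, the answer, OpenSSH or OpenLDAP. It assumes a hypothetical directory layout (entries under `ou=people,dc=example,dc=com`, keyed by `uid`, readable with an anonymous simple bind); the LDIF samples and the keys in them are constructed so the parser can be exercised offline.

```sh
#!/bin/sh
# Added example (not from the original post): an AuthorizedKeysCommand helper
# that looks up a user's sshPublicKey values in OpenLDAP with ldapsearch and
# prints them in authorized_keys format for sshd. Assumed (hypothetical)
# directory layout: entries under ou=people,dc=example,dc=com keyed by uid,
# carrying sshPublicKey and loginShell; anonymous read access is assumed.
#
# sshd_config lines that use it (sshd requires the script to be root-owned
# and not group/world writable; run it as an unprivileged user):
#   AuthorizedKeysCommand /usr/local/bin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=com}"

# Only accept plain POSIX login names: the name is interpolated into the LDAP
# search filter, so anything else (e.g. "x)(uid=*") must be refused.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read LDIF on stdin and print every sshPublicKey value, one per line, unless
# the entry's loginShell says the account is disabled (then print nothing, so
# sshd falls through to AuthorizedKeysFile and should find nothing there).
# Handles LDIF line folding (continuation lines start with one space) and
# base64-encoded values ("attr:: ...").
ldif_to_authorized_keys() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }   # unfold continuation line
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | {
        disabled=0
        keys=""
        while IFS= read -r line; do
            case "$line" in
                "loginShell: /bin/false"|"loginShell: /usr/sbin/nologin"|"loginShell: /sbin/nologin")
                    disabled=1 ;;
                "sshPublicKey:: "*)
                    key=$(printf '%s' "${line#sshPublicKey:: }" | base64 -d)
                    keys="${keys}${key}
" ;;
                "sshPublicKey: "*)
                    keys="${keys}${line#sshPublicKey: }
" ;;
            esac
        done
        if [ "$disabled" -eq 0 ]; then printf '%s' "$keys"; fi
    }
}

# The real lookup, as sshd runs it with the login name passed as %u.
# -LLL prints plain LDIF, -x is a simple bind (add -D/-w if anonymous reads
# are not allowed in your directory).
ldap_authorized_keys() {
    valid_username "$1" || return 1
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(uid=$1)" sshPublicKey loginShell | ldif_to_authorized_keys
}

# Constructed LDIF, in the shape ldapsearch -LLL prints, for an offline check.
# The first key is folded across two lines; the second is base64 encoded.
# Neither key is a real key.
sample_ldif_active() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
loginShell: /bin/bash
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleEx
 ampleExampleExampleExample alice@example.com
sshPublicKey:: c3NoLWVkMjU1MTkgQUFBQSBib2I=
EOF
}

# The same user after offboarding: the key is still in LDAP, but loginShell
# now marks the account disabled, so no key is handed to sshd.
sample_ldif_disabled() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
loginShell: /usr/sbin/nologin
sshPublicKey:: c3NoLWVkMjU1MTkgQUFBQSBib2I=
EOF
}

# Entry point when invoked by sshd: the single argument is the login name.
if [ $# -eq 1 ]; then
    ldap_authorized_keys "$1"
fi
```

Because sshd still consults `AuthorizedKeysFile` after the command returns nothing, a leaver who once had a key copied into `~/.ssh/authorized_keys` on a box would still get in; if LDAP is meant to be the only source of keys, set `AuthorizedKeysFile none` as well. The output is ordinary authorized_keys format, so options such as `from=` or `command=` can be prepended to each key in the same script if needed.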