Ssh – Require both LDAP authentication *and* ssh auth

Tags: openldap, ssh

I would like to enable the following:
Linux EC2 instances in AWS that perform LDAP authentication of users who currently have no home directory on the box. I have a working OpenLDAP in AWS for the task.

Once LDAP authenticated:

  • The user's home directory will get created
  • The user's public ssh key is retrieved from their sshPublicKey attribute in LDAP and they can only log on if their local sshPrivateKey matches

I know how to do LDAP auth OR retrieval of public key via an ldapsearch but I want to do both.

The scenario I am trying to mitigate against is when an employee leaves the company: I can just disable their account in openLDAP and even if their public key exists on machines, they won't be able to use them because they will also fail ldap auth.

I've hunted round on Stack Exchange and don't think I've found what I'm looking for. The closest I've come is:

SSH key authentication using LDAP

Combination of SSH key auth, and two-factor authentication

Best Answer

Authentication

There's AuthorizedKeysCommand and AuthorizedKeysCommandUser in sshd_config(5) since OpenSSH 6.2. You need that to authenticate a user against his/her sshPublicKey which is stored in LDAP. You don't even need ldapsearch to get the sshPublicKey - curl can do it too, since it knows the ldap protocol.

When AuthorizedKeysCommand is defined but the command doesn't return any public key, the OpenSSH server continues with AuthorizedKeysFile and then with PasswordAuthentication.

On AWS EC2 PasswordAuthentication is disabled, so if you really want it, you need to enable it in the config. But I wouldn't recommend PasswordAuthentication at all today.

Small recap: you want these options in /etc/ssh/sshd_config: AuthorizedKeysFile, AuthorizedKeysCommand, AuthorizedKeysCommandUser and PasswordAuthentication.

Disabling user

As mentioned in the discussion under the question: you can either use the loginShell ldap attribute and modify its value to /bin/false or /usr/sbin/nologin, or use another attribute and add it into the search query. This differs depending on your setup.

What's your setup? nslcd (nss-pam-ldapd), nss-pam-ldap, sssd or something else?
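To show how the two halves of the answer fit together, here is an added example (not code from the answer or from OpenSSH): an AuthorizedKeysCommand helper that filters the LDIF returned for a user and only emits sshPublicKey values while the account's loginShell is not /bin/false or /usr/sbin/nologin. The LDAP URI, base DN, install path and the two sample records are assumptions, so the filter runs offline.

```shell
#!/bin/sh
# Added example, not code from the answer above. AuthorizedKeysCommand helper:
# takes the LDIF ldapsearch returns for one user and prints the sshPublicKey
# values ONLY while the account is enabled (loginShell not /bin/false or
# /usr/sbin/nologin). Printing nothing makes sshd fall through to
# AuthorizedKeysFile and PasswordAuthentication, so disable both.
#
# sshd_config fragment it pairs with (the install path is an assumption):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
#   AuthorizedKeysFile none
#   PasswordAuthentication no

# Unfold LDIF (continuation lines start with one space), then emit keys unless
# loginShell marks the account disabled. Assumes values are not base64 ("::").
keys_from_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") flush(); buf = $0 }
        END {
            if (buf != "") flush()
            if (!disabled) for (i = 1; i <= n; i++) print keys[i]
        }
        function flush() {
            if (buf ~ /^loginShell: (\/bin\/false|\/usr\/sbin\/nologin)$/) disabled = 1
            else if (buf ~ /^sshPublicKey: /) keys[++n] = substr(buf, 15)
            buf = ""
        }
    '
}

# Directory query; URI and base DN are placeholders for your own directory.
ldap_lookup() {
    ldapsearch -x -LLL -H ldap://ldap.example.internal \
        -b "ou=People,dc=example,dc=com" \
        "(&(objectClass=posixAccount)(uid=$1))" loginShell sshPublicKey
}

# Constructed sample records in the shape ldapsearch -LLL prints (key folded).
ENABLED_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
loginShell: /bin/bash
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey
 Value0000 alice@example'
DISABLED_LDIF='dn: uid=bob,ou=People,dc=example,dc=com
loginShell: /usr/sbin/nologin
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey bob@example'

# sshd invokes the script as "<script> %u": query the directory, then filter.
if [ -n "${1:-}" ]; then
    ldap_lookup "$1" | keys_from_ldif
fi
```

Because the disabled account yields no keys and AuthorizedKeysFile is none, disabling the LDAP account is enough to lock the user out even where a copy of the key still exists on the host.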
