Wrapper for OpenSSH to store public keys inside the OpenLDAP entry.
You create entry for user from OpenLdap and add attribut 'sshPublicKey' with PublicKey to this user.
When user try login through the ssh, OpenSSH calls /usr/bin/openssh-ldap-publickey script which in its turn makes request to OpenLdap asking for sshPublicKey attribute value.
Ldap connection parameters are used by openssh-ldap-publickey is taken from /etc/ldap.conf, /etc/pam_ldap.conf or /etc/libnss-ldap.conf file. Keep in mind that 'pam_filter' value from /etc/ldap.conf, /etc/pam_ldap.conf or /etc/libnss-ldap.conf is used by openssh-ldap-publickey.
Basically, it looks similar to this scheme
ssh-client -> ssh-server -> openssh-ldap-publickey -> openldap server -> openldap server is looking for attribute sshPublicKey inside user's entry in Base DN
To implement ldap key authentication support take next steps:
- Setup your system to use ldap authorization
- Add new ldap schema from /usr/share/doc/openssh-ldap-publickey-{version}/openssh-lpk-openldap.schema to your ldap server.
- In case you want take advantage of host based authorization, change your /etc/ldap.conf, /etc/pam_ldap.conf or /etc/libnss-ldap.conf adding:
- Add new object to your user entry - ldapPublicKey
pam_filter |(host=test-server.example.com)(host=\*) - Add next attributes into user entry:
Host: test-server.example.com <- in case of host-based auth
sshPublicKey: ssh-rsa some_public_key_here user@hostname <- put here your public key from ~/.ssh/id_{rsa,dsa}.pub
sshPublicKey: ssh-rsa some_ohter_public_key_here user2@hostname2 <- there can be several sshPublicKey entries in event of you want connect from different computers
- Add new object to your user entry - ldapPublicKey
- Setup openssh with AuthorizedKeysCommand support(openssh-server >= 6.2, Redhat openssh-server >= 5.3)
- Change sshd_config:
AuthorizedKeysCommand /usr/bin/openssh-ldap-publickey
AuthorizedKeysCommandRunAs nobody
if you want store key ONLY in ldap, change next lines
#AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysFile /dev/null
- Download misc/openssh-ldap-publickey.spec to $rpmbuild/SPECS
- Download all source into $rpmbuild/SOURCE. You can do it automatically running:
cd $rpmbuild/SPECS && spectool -gf -C ../SOURCES/ openssh-ldap-publickey.spec - Build package:
rpmbuild -bb openssh-ldap-publickey.spec
- Perl
- Perl module Net::LDAP
- OpenSSH with AuthorizedKeysCommand support:
- mainstream openssh-server >= 6.2
- RedHat/CentOS openssh-server >= 5.3
- Debian 8+ (or 7+ with backports) / Ubuntu 14.04+
apt-get install libnet-ldap-perl
All configuration is read from /etc/ldap.conf, /etc/pam_ldap.conf or /etc/libnss-ldap.conf and currently script uses only those parameters:
uri - uri to ldap
pam_filter - ldap search filter(Optional)
base - ldap base dir
nss_base_passwd - User DN. If not set - nss_base + base
nss_base - filter for user DN, with suffix omitted, ex:ou=People, (Optional)
timeout - ldap connection timeout. Default 10.
binddn - bind dn(Optional)
bindpw - bind dn password(Optional)
openssh_ldap_loglevel - log level. By default the logging is turn off.
openssh_ldap_logfile - logfile using only when debug is on. Default /tmp/openssh-ldap-publickey.log.
For more information about this params refer to ldap.conf man page.
To enable auth set binddn and bindpw in ldap.conf
In order to enable logging you have to setup openssh_ldap_loglevel and openssh_ldap_logfile variables.
-
Script fails with error 255
Symptoms:- return code is 255
- In logs:
```sshd[36009]: error: AuthorizedKeysCommand /etc/ssh/openssh-ldap-publickey returned status 225`` - When running from console:
No such object at /usr/bin/openssh-ldap-publickey line 77.
Cause:
Variable nss_base_passwd in ldap.conf is empty or doesn't set explicitly to users DN.Solution:
Set nss_base_passwd explicitly to users DN.
Example: ou=People,dc=test,dc=com (without prefix ?one or something)
You can find RPM packages here
Check this page to see how to configure AuthorizedKeysCommand in CentOS/RHEL 5.x.