SSH key authentication using LDAP
Solution 1:
Update LDAP to include the OpenSSH-LPK schema
We first need to update LDAP with a schema to add the sshPublicKey
attribute for users:
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
    DESC 'MANDATORY: OpenSSH Public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    MAY ( sshPublicKey $ uid )
    )
Create a script that queries LDAP for a user's public key:
The script should output the public keys for that user, example:
#!/bin/sh
ldapsearch '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d;};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
Update sshd_config
to point to the script from the previous step
AuthorizedKeysCommand /path/to/script
AuthorizedKeysCommandUser nobody
Bonus: Update sshd_config
to allow password authentication from internal RFC1918 networks as seen in this question:
Only allow password authentication to SSH server from internal network
Useful links:
- https://github.com/AndriiGrytsenko/openssh-ldap-publickey
- Private key authentication with pam_ldap
EDIT: Added user nobody
as suggested by TRS-80
Solution 2:
This is not a full answer, just an addition to c4urself's answer. I would have added this as a comment, but I don't have sufficient reputation to comment, so please don't downvote!
This is the script I'm using for the AuthorizedKeysCommand
(based on c4urself's version). It works regardless of whether the value is returned in base64 encoding or not. This can be especially useful if you want to store multiple authorized keys in LDAP -- simply separate the keys with newline characters, similar to the authorized_keys file.
#!/bin/bash
# Abort on errors, on unset variables and on a failure anywhere in a pipeline.
set -euo pipefail
IFS=$'\n\t'
# $1 is the login name sshd passes to the AuthorizedKeysCommand (%u).
result=$(ldapsearch '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey')
# Join LDIF continuation lines (leading space) back onto the attribute line.
# The ";" after "d" keeps the expression valid on BSD sed as well as GNU sed.
attrLine=$(echo "$result" | sed -n '/^ /{H;d;};/sshPublicKey:/x;$g;s/\n *//g;/sshPublicKey:/p')
if [[ "$attrLine" == sshPublicKey::* ]]; then
    # "::" marks a base64-encoded value; ldapsearch uses it when the value
    # contains newlines, i.e. several keys stored in one attribute.
    echo "$attrLine" | sed 's/sshPublicKey:: //' | base64 -d
elif [[ "$attrLine" == sshPublicKey:* ]]; then
    echo "$attrLine" | sed 's/sshPublicKey: //'
else
    # No sshPublicKey for this user: sshd then sees no keys from this source.
    exit 1
fi
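As an added example (not code from either answer above), here is the same AuthorizedKeysCommand logic split into small functions so the LDIF handling can be exercised offline: it unfolds ldapsearch's continuation lines, decodes base64 (`sshPublicKey::`) values, prints one key per line whether the keys are stored as several attribute values or newline-separated inside one value, and rejects login names that could alter the LDAP filter before they reach ldapsearch. The ldapsearch call itself is left as a comment; the sample LDIF, the user `alice` and the placeholder key strings are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the answers above: an AuthorizedKeysCommand-style
# helper split into testable functions. It parses LDIF as printed by ldapsearch,
# unfolding continuation lines and decoding base64 ("::") values, so keys stored
# in several attribute values or inside one value all come out one per line.
set -eu

# Accept only a conservative POSIX username before it is spliced into an LDAP
# filter; anything else is rejected so a crafted login name cannot change the
# filter. (sshd passes the login name as %u, i.e. $1.)
safe_username() {
  case "$1" in
    '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Build the filter exactly as the answers do, but only for a vetted name.
ldap_filter_for() {
  safe_username "$1" || return 1
  printf '(&(objectClass=posixAccount)(uid=%s))\n' "$1"
}

# LDIF folds long values; a continuation line begins with one space.
unfold_ldif() {
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") print buf; buf = $0 }
    END { if (buf != "") print buf }
  '
}

# Read LDIF on stdin, print every sshPublicKey value (one key per line).
extract_ssh_keys() {
  unfold_ldif | while IFS= read -r line; do
    case "$line" in
      'sshPublicKey:: '*)
        # Base64 value; command substitution trims trailing newlines and
        # printf adds exactly one back, so the last key is newline-terminated.
        decoded=$(printf '%s' "${line#sshPublicKey:: }" | base64 -d)
        printf '%s\n' "$decoded" ;;
      'sshPublicKey: '*)
        printf '%s\n' "${line#sshPublicKey: }" ;;
    esac
  done
}

# Constructed sample of ldapsearch output for one user: a plain value, a value
# folded by ldapsearch, and a base64 value that itself holds two keys.
# The key material is a placeholder, not a real key.
sample_ldif() {
  two_keys=$(printf 'ssh-ed25519 AAAAC3PLACEHOLDER3 alice@three\nssh-ed25519 AAAAC3PLACEHOLDER4 alice@four')
  b64=$(printf '%s' "$two_keys" | base64 | tr -d '\n')
  cat <<EOF
dn: uid=alice,ou=people,dc=example,dc=com
sshPublicKey: ssh-ed25519 AAAAC3PLACEHOLDER1 alice@one
sshPublicKey: ssh-ed25519 AAAAC3PLACEHOLDER2 alice@t
 wo
sshPublicKey:: $b64
EOF
}

# Entry point as sshd would call it: ./script <username>
main() {
  ldap_filter_for "$1" >/dev/null || exit 1
  # In production the sample below is replaced by the real query:
  #   ldapsearch -x -LLL "$(ldap_filter_for "$1")" sshPublicKey | extract_ssh_keys
  sample_ldif | extract_ssh_keys
}

main "${1:-alice}"
```

Run without arguments it prints the four constructed keys; with a name such as `alice)(uid=*` it exits 1 before any query is built. When wired into sshd, keep `AuthorizedKeysCommandUser nobody` as in the answers so the query runs without privileges.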
Solution 3:
For anyone getting the error when running the ldapsearch:
sed: 1: "/^ /{H;d};": extra characters at the end of d command
as I was (on FreeBSD), the fix is to change the first sed command to:
/^ /{H;d;};
(adding a semicolon after the 'd').
Solution 4:
Just wanted to share my "method". My client side is Debian/Ubuntu specific, but my server side is basically the same as above, with a little more "HowTo":
Server:
Enable Public Key Attribute:
Credit:
https://blog.shichao.io/2015/04/17/setup_openldap_server_with_openssh_lpk_on_ubuntu.html
cat << EOL >~/openssh-lpk.ldif
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
    DESC 'MANDATORY: OpenSSH Public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    MAY ( sshPublicKey $ uid )
    )
EOL
Now use this to add the LDIF:
ldapadd -Y EXTERNAL -H ldapi:/// -f ~/openssh-lpk.ldif
Adding a user with SSH public key in phpLDAPadmin
First, create a user with the “Generic: User Account” template. Then, go to the “objectClass” attribute section, click “add value”, and choose the “ldapPublicKey” attribute. After you submit, go back to the user edit page, click “Add new attribute” on the top part, and choose “sshPublicKey”, paste the public key into the text area, and finally click “Update Object”.
sshPublicKey Attribute not showing - OpenLDAP PHPLDAP SSH Key Auth
Ubuntu Client:
apt-get -y install python-pip python-ldap
pip install ssh-ldap-pubkey
sh -c 'echo "AuthorizedKeysCommand /usr/local/bin/ssh-ldap-pubkey-wrapper\nAuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config' && service ssh restart
Create Test Keys:
ssh-keygen -t rsa
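An added example that is not part of the answer above: sshd uses the first value it reads for each keyword, so appending with `>>` as in the one-liner has no effect if AuthorizedKeysCommand is already set earlier in the file, and a line appended after a `Match` block applies only to that block. The helper below sets the two directives in place (replacing an existing global setting, or inserting before the first `Match` block) and shows the effect on a constructed sshd_config; the file contents, the paths and the `Match Address` block are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example, not from the answer above. Sets an sshd_config keyword in
# place: replaces the existing global line if there is one, otherwise inserts
# the setting before the first "Match" block (or appends if there is none).
# Lines inside Match blocks and commented-out lines are left untouched.
set -eu

# set_sshd_option FILE KEYWORD VALUE
# Note: awk -v interprets backslash escapes, so VALUE is assumed to be a
# plain path or word without backslashes.
set_sshd_option() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { done = 0; in_match = 0 }
    # Entering the first Match block: place the setting above it if needed.
    /^[[:space:]]*[Mm]atch[[:space:]]/ && !done { print key " " value; done = 1 }
    in_match || /^[[:space:]]*[Mm]atch[[:space:]]/ { in_match = 1; print; next }
    # Replace the first existing global setting, drop any later duplicates.
    tolower($1) == tolower(key) { if (!done) { print key " " value; done = 1 }; next }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# count_global_option FILE KEYWORD: how many uncommented, exact lines set it.
count_global_option() {
  grep -c -i "^$2 " "$1" || true
}

# Constructed sshd_config: an old command to be replaced, a commented line to
# be ignored, and a Match block (as in the "Bonus" above) to be preserved.
demo() {
  cfg=$(mktemp)
  cat > "$cfg" <<'EOF'
Port 22
#AuthorizedKeysCommand none
AuthorizedKeysCommand /usr/local/bin/old-script
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
  set_sshd_option "$cfg" AuthorizedKeysCommand /usr/local/bin/ssh-ldap-pubkey-wrapper
  set_sshd_option "$cfg" AuthorizedKeysCommandUser nobody
  cat "$cfg"
  rm -f "$cfg"
}

demo
```

After editing the real `/etc/ssh/sshd_config`, run `sshd -t` to have the daemon check the syntax before `service ssh restart`, and keep an existing session open until a fresh login with an LDAP-stored key has succeeded.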