I stumbled across openssh-ldap-publickey while looking to set up SSH keys in LDAP and found the setup to be a breeze. The project provides a wrapper for OpenSSH that stores public keys inside the OpenLDAP entry. Here I will document the steps I went through to get SSH key auth working with OpenLDAP.
LDAP SSH Steps
- First install some dependencies. Here are the Arch Linux package names and designated repos.
Update 09/22/17: For those on Arch Linux, I created an Arch PKGBUILD that can be used to install openssh-ldap-publickey and dependencies.
community/perl-net-ldap-server 0.43-3 [installed]
    Perl extension for LDAP server side protocol handling
aur/pear-net-ldap2 2.2.0-3 [installed] (1) (0.41)
    Object oriented interface for searching and manipulating LDAP-entries
aur/pear-net-ldap3 1.0.4-2 [installed] (1) (0.41)
    Object oriented interface for searching and manipulating LDAP-entries
In sshd_config we have a couple of options.
Use only LDAP:
- Include these two lines
AuthorizedKeysCommand /usr/local/bin/openssh-ldap-publickey
AuthorizedKeysCommandUser nobody
LDAP SSH Users
A typical LDAP People record can now have a new objectClass ldapPublicKey and attribute sshPublicKey, in which case a user's public key can be attached to the
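To make the two halves of this setup concrete (the AuthorizedKeysCommand lines in sshd_config and the ldapPublicKey/sshPublicKey entry above), here is an added example of what such a command has to do: read a People entry and print its sshPublicKey values in the authorized_keys format that sshd reads from the command's stdout. This is illustrative Python, not the openssh-ldap-publickey project's own Perl wrapper; instead of a live LDAP search it parses a constructed LDIF dump embedded in the block, and the key blobs in it are placeholders, not real keys. The validation step drops values that are not well-formed public keys so that garbage in the directory never reaches sshd.

```python
"""Illustrative stand-in for an LDAP-backed AuthorizedKeysCommand (added example).

Not the openssh-ldap-publickey project's code. It parses an LDIF dump of a
People entry (constructed inline below, in place of a live LDAP search) and
emits the sshPublicKey values as authorized_keys lines, dropping malformed ones.
"""
import base64
import binascii
import struct

# Key types accepted in the first field of an authorized_keys line.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _blob(key_type, body):
    """Build a base64 wire blob: string(key_type) followed by a placeholder body."""
    return base64.b64encode(
        struct.pack(">I", len(key_type)) + key_type.encode() + body).decode()


# Placeholder blobs: correct type prefix, zeroed key material (not real keys).
ED25519_PLACEHOLDER = _blob("ssh-ed25519", struct.pack(">I", 32) + bytes(32))
RSA_PLACEHOLDER = _blob("ssh-rsa", b"\x00\x00\x00\x03\x01\x00\x01"
                        + struct.pack(">I", 16) + bytes(16))


def _fold(line, width=76):
    """LDIF folding: long lines continue on lines that begin with one space."""
    return "\n ".join(line[i:i + width] for i in range(0, len(line), width))


# Constructed sample entry: ldapPublicKey objectClass, four sshPublicKey values,
# one of them base64-encoded with the LDIF "::" syntax and folded across lines.
_RSA_LINE = "ssh-rsa " + RSA_PLACEHOLDER + " alice@workstation"
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "objectClass: posixAccount\n"
    "objectClass: ldapPublicKey\n"
    "uid: alice\n"
    f"sshPublicKey: ssh-ed25519 {ED25519_PLACEHOLDER} alice@laptop\n"
    + _fold("sshPublicKey:: " + base64.b64encode(_RSA_LINE.encode()).decode()) + "\n"
    "sshPublicKey: not-a-key at all\n"
    f"sshPublicKey: ssh-rsa {ED25519_PLACEHOLDER} wrong-type-for-blob\n"
)


def parse_ldif(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if value.startswith(":"):                 # "attr:: <base64>"
            try:
                value = base64.b64decode(value[1:].strip(), validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue                          # skip undecodable values
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entry


def validate_pubkey(line):
    """True if the line looks like '<type> <base64 blob> [comment]' with a blob
    whose leading string matches the declared type (catches garbage and
    type/blob mismatches before sshd ever sees them)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error:
        return False
    if len(blob) < 4:
        return False
    n = struct.unpack(">I", blob[:4])[0]
    return blob[4:4 + n] == parts[0].encode()


def authorized_keys_for(entry, attribute="sshpublickey"):
    """Return the valid sshPublicKey values of an ldapPublicKey entry."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "ldappublickey" not in classes:
        return []
    return [k for k in entry.get(attribute, []) if validate_pubkey(k)]


if __name__ == "__main__":
    # sshd would invoke the real command with the username as its argument and
    # read these lines from stdout.
    for key in authorized_keys_for(parse_ldif(SAMPLE_LDIF)):
        print(key)
```

Run as-is it prints the two well-formed keys (the ed25519 value and the base64-encoded ssh-rsa value); the plain-text junk value and the value whose declared type does not match its blob are dropped. A real AuthorizedKeysCommand also needs to be owned by root and not writable by anyone else, or sshd will refuse to run it.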