Using LDAP for SSH key authentication

August 12, 2017


Intro

I stumbled across openssh-ldap-publickey while looking to set up SSH keys in LDAP and found the setup to be a breeze. The project provides a wrapper for OpenSSH that reads a user's public keys from their OpenLDAP entry. Here I will document the steps I went through to get SSH key auth working with OpenLDAP.

LDAP SSH Steps

  1. First install the dependencies. Here are the Arch Linux package names and the repositories they come from.

Update 09/22/17: For those on Arch Linux, I created an Arch PKGBUILD that can be used to install openssh-ldap-publickey and dependencies.

community/perl-net-ldap-server 0.43-3 [installed]
  Perl extension for LDAP server side protocol handling

aur/pear-net-ldap2 2.2.0-3 [installed] (1) (0.41)
  Object oriented interface for searching and manipulating LDAP-entries

aur/pear-net-ldap3 1.0.4-2 [installed] (1) (0.41)
  Object oriented interface for searching and manipulating LDAP-entries

  2. Load openssh-lpk-openldap.schema into OpenLDAP.

Inside sshd_config there are two choices for AuthorizedKeysFile:

  1. Use authorized_keys and LDAP: AuthorizedKeysFile .ssh/authorized_keys
  2. Use only LDAP: AuthorizedKeysFile /dev/null

  3. In either case, include these two lines so sshd asks the wrapper for keys
    AuthorizedKeysCommand /usr/local/bin/openssh-ldap-publickey
    AuthorizedKeysCommandUser nobody

LDAP SSH Users

A typical LDAP People record can now carry the objectClass ldapPublicKey, which brings the sshPublicKey attribute; a user's public key is stored as a value of that attribute, one key per value, and the wrapper returns those values to sshd.
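Once sshd_config points AuthorizedKeysCommand at the wrapper, the wrapper's only job is to print authorized_keys lines for the login name sshd passes it, and sshd trusts every line it prints. The script below is an added example of that contract, not openssh-ldap-publickey's own code: the directory lookup is replaced by a constructed table (SAMPLE_DIRECTORY), and ALLOWED_TYPES, parse_key_line and authorized_keys_for are names chosen for this example. It demonstrates a check a deployment can layer on top of the lookup: only values that parse as a bare public key of an allowed type, whose base64 blob really encodes that same type, are handed to sshd; values with leading authorized_keys options, a type mismatch, bad base64, or embedded newlines are dropped.

```python
#!/usr/bin/env python3
"""Added example: an AuthorizedKeysCommand-style filter for sshPublicKey values.

sshd runs the AuthorizedKeysCommand as AuthorizedKeysCommandUser with the login
name as its argument and treats each printed line as an authorized_keys entry.
The LDAP search is stubbed with a constructed in-memory directory so the script
runs offline; a real deployment would fetch the People entry's sshPublicKey
values instead.
"""
import base64
import binascii
import struct
import sys
from typing import Dict, List, Optional, Tuple

# Key types this filter will emit. A value that starts with anything else,
# including an authorized_keys option such as from="...", is dropped.
ALLOWED_TYPES = {
    "ssh-ed25519",
    "ssh-rsa",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}


def _blob(keytype: str, raw_key: bytes) -> str:
    """Base64 body of an OpenSSH public key: a length-prefixed key type string
    followed by a length-prefixed key field (constructed sample data)."""
    def field(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(field(keytype.encode()) + field(raw_key)).decode()


# Constructed stand-in for the sshPublicKey values an LDAP search would return.
SAMPLE_DIRECTORY: Dict[str, List[str]] = {
    "alice": [
        # Well-formed ed25519 line: accepted.
        f"ssh-ed25519 {_blob('ssh-ed25519', bytes(range(32)))} alice@laptop",
        # Declared type does not match the type inside the blob: rejected.
        f"ssh-rsa {_blob('ssh-ed25519', bytes(32))} mismatched",
        # authorized_keys options are not accepted from the directory: rejected.
        f'from="198.51.100.7" ssh-ed25519 {_blob("ssh-ed25519", bytes(32))} opt',
        # Not a key at all: rejected.
        "not a public key",
    ],
    "bob": [],
}


def parse_key_line(value: str) -> Optional[Tuple[str, str, str]]:
    """Return (keytype, base64, comment) if value is one well-formed public key
    line, otherwise None."""
    value = value.strip()
    # One attribute value must become at most one authorized_keys line.
    if "\n" in value or "\r" in value:
        return None
    parts = value.split(None, 2)
    if len(parts) < 2:
        return None
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if keytype not in ALLOWED_TYPES:
        return None
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    type_len = struct.unpack(">I", blob[:4])[0]
    # The first wire field of the blob must repeat the declared key type.
    if blob[4:4 + type_len] != keytype.encode():
        return None
    return keytype, b64, comment


def authorized_keys_for(user: str, directory: Dict[str, List[str]]) -> List[str]:
    """Return the authorized_keys lines sshd should see for user."""
    lines = []
    for value in directory.get(user, []):
        parsed = parse_key_line(value)
        if parsed is not None:
            keytype, b64, comment = parsed
            lines.append(f"{keytype} {b64} {comment}".rstrip())
    return lines


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print("usage: ldap-authorized-keys <username>", file=sys.stderr)
        return 1
    for line in authorized_keys_for(argv[1], SAMPLE_DIRECTORY):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `./ldap-authorized-keys alice` it prints one line for alice and nothing for bob or for an unknown user, which is exactly what sshd expects from an AuthorizedKeysCommand: silence means no keys. Keeping the type check on the decoded blob, rather than only on the text prefix, means a directory value cannot claim one key type while carrying another.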
