SSH Public Keys in OpenLDAP

A central key store

© 2015 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later


    1. Introduction
    2. The OpenLDAP schema
    3. OpenSSH to OpenLDAP glue
    4. How to add a key
    5. Tests


Introduction

Make sure your OpenSSH server supports the AuthorizedKeysCommand option. With this option in the sshd_config file one can call an additional script that gets the public key from LDAP (or anywhere for that matter).

The OpenLDAP schema

We provide our adjusted LDAP schema here, since the one we found on the Internet made the sshPublicKey attribute mandatory as soon as the objectClass was added. We want to roll out our users with the objectClasses already present and add attributes at will, so we changed the schema to make the uid mandatory and the sshPublicKey optional: openssh-ldap.schema

OpenSSH to OpenLDAP glue

To tie OpenSSH to OpenLDAP we use an external command: a shell script we created and placed somewhere on the system. Our examples use /usr/local/bin/fetchSSHKeysFromLDAP as the file name. This script fetches the keys from LDAP and hands them to the SSH server.

To fetch the sshPublicKey from LDAP we use the following script; adjust the -x (simple, anonymous bind) if your directory requires something else:


#!/bin/sh
# Called by sshd with the login name as $1; prints that user's public key(s).
# ldapsearch returns LDIF, which folds long values over continuation lines
# that start with a space. The sed expression joins those lines back together
# and strips the "sshPublicKey: " prefix so only the key itself is printed.
ldapsearch -x '(&(objectClass=ldapPublicKey)(uid='"$1"'))' 'sshPublicKey' | \
    sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

Install the script somewhere on your system and make it executable (chmod 0500).
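A Python version of the fetch script, added here as an example (it is not the page's own script), that parses the LDIF ldapsearch returns instead of relying on sed: it unfolds continuation lines, decodes base64 ("::") values, and escapes LDAP filter metacharacters in the login name before building the search filter. The ldapsearch call assumes the server configured in ldap.conf; SAMPLE_LDIF is constructed input for offline use.

```python
#!/usr/bin/env python3
"""Python variant of fetchSSHKeysFromLDAP (added example, not the page's)."""
import base64
import subprocess
import sys

ATTR = "sshPublicKey"

# Constructed sample of ldapsearch -LLL output: one value folded over two
# lines and one base64 ("::") value, which ldapsearch emits for values with
# a leading/trailing space or non-ASCII bytes.
SAMPLE_LDIF = (
    "dn: cn=dleeuw,ou=People,dc=example,dc=com\n"
    "sshPublicKey: ssh-rsa AAAAB3NzaC1yc2E\n"
    " AAAADAQABAAABAQ dleeuw@WORKSTATION\n"
    "sshPublicKey:: "
    + base64.b64encode(b"ssh-ed25519 AAAAC3 dleeuw@LAPTOP ").decode() + "\n"
)

def escape_filter(value):
    """Escape LDAP filter metacharacters (RFC 4515) so the login name
    passed in by sshd cannot change the meaning of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def parse_ldif_attr(ldif, attr=ATTR):
    """Return every value of attr in LDIF text: folded lines (leading
    space) are joined first, then '::' values are base64-decoded."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849: drop the one fold space
        else:
            lines.append(raw)
    values = []
    for line in lines:
        if line.startswith(attr + ":: "):
            values.append(base64.b64decode(line[len(attr) + 3:]).decode())
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:])
    return values

def fetch_keys(username):
    """Run the same anonymous (-x) search as the shell script and parse it."""
    flt = "(&(objectClass=ldapPublicKey)(uid=%s))" % escape_filter(username)
    proc = subprocess.run(["ldapsearch", "-x", "-LLL", flt, ATTR],
                          capture_output=True, text=True, check=True)
    return parse_ldif_attr(proc.stdout)

if __name__ == "__main__":
    print("\n".join(fetch_keys(sys.argv[1])))
```

Install it in place of the shell script with the same ownership and mode; sshd only sees the printed keys, one per line.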

Make sure your /etc/ldap/ldap.conf or /etc/openldap/ldap.conf file is configured to point to the right LDAP server(s). Our example looks like this:

BASE	dc=example,dc=com
URI	ldap://

Add the following lines to your sshd_config file:

AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
# AuthorizedKeysCommandUser nobody
# AuthorizedKeysCommandRunAs root

If you are running on CentOS 7, uncomment the AuthorizedKeysCommandRunAs line; on a Debian-based system uncomment AuthorizedKeysCommandUser instead. On CentOS 7 we only got running as root to work, no other user seemed to work; your mileage may vary.

The last thing to correct is the ownership of the script. Set it to the appropriate user (root or nobody).

How to add a key

Generate a public and private key on the workstation that you want to use to access the server and check the content of the created public key file:

ssh-keygen -t rsa
cat ~/.ssh/

Create an LDIF file like the following, where the sshPublicKey value is the content of your file:

dn: cn=dleeuw,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa ...
 BPYWJ8mBdRecVfcY+/jZDSe2Phgfzgf3cRTvs3tF dleeuw@WORKSTATION

Of course the key is one long line, but for readability we cut it into a couple of shorter lines (in LDIF a line that starts with a single space continues the previous line). Now you can use ldapmodify to add the data to the account in LDAP.


Tests

Your first test should be the script:

/usr/local/bin/fetchSSHKeysFromLDAP dleeuw

You should of course change the username to the one you used. The output of the script should be identical to the content of your public key file.

The last test is to log in from a remote computer to the one you want to access:

ssh -i ~/.ssh/id_rsa

This should ask you for your passphrase and, when you enter the passphrase correctly, log you in to the server.