A central key store
© 2015 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later
Make sure your OpenSSH server supports the AuthorizedKeysCommand option. With this option in the sshd_config file one can call an additional script that gets the public key from LDAP (or anywhere for that matter).
We provide our adjusted LDAP schema here, because the one we found on the Internet required an sshPublicKey attribute as soon as the objectClass was added. Since we want to roll out our users with the objectClasses already in place and add attributes at will, we changed the schema so that uid is mandatory but sshPublicKey is optional: openssh-ldap.schema
To tie OpenSSH to OpenLDAP we use an external command. This command is a shell script we created and placed somewhere on the system; our examples use /usr/local/bin/fetchSSHKeysFromLDAP as the file name. The script fetches the keys from LDAP and hands them to the SSH server.
To fetch the sshPublicKey from LDAP we use the following script; adjust the -x (simple bind) option if your directory needs different authentication:
#!/bin/sh
# Look up the user named in $1 and print only the sshPublicKey values.
# ldapsearch wraps long values onto continuation lines that start with a space;
# the sed part joins those lines again and strips the attribute name.
ldapsearch -x '(&(objectClass=ldapPublicKey)(uid='"$1"'))' 'sshPublicKey' | \
sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

Install the script somewhere on your system and make it executable (chmod 0500).
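As an added example (this is not the page's script), the two parts of the lookup that can be exercised without a directory server are split into shell functions: building the search filter with the login name escaped per RFC 4515 (sshd hands the name to the AuthorizedKeysCommand exactly as the remote user typed it, so filter metacharacters in it must not be able to change the query), and turning the wrapped LDIF that ldapsearch prints back into one key per line, which is the format sshd expects. The LDIF in sample_ldif is constructed; fetch_keys is the only function that needs ldapsearch and is the page's call with the escaping and -LLL (no comment lines) added.

```shell
#!/bin/sh
# Added example, not the script from the page. The LDIF below is constructed.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash is handled first so the escapes it produces are not
# re-escaped afterwards.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  \
                           -e 's/)/\\29/g'
}

# The filter used by the page's script, with the login name escaped.
build_filter() {
    printf '(&(objectClass=ldapPublicKey)(uid=%s))' "$(ldap_filter_escape "$1")"
}

# Join LDIF continuation lines: a line beginning with a single space
# continues the previous line (RFC 2849), which is how ldapsearch wraps
# long values such as RSA keys.
unwrap_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# Print only the sshPublicKey values, one key per line.  Values that
# ldapsearch emits base64-encoded ("sshPublicKey:: ...") are not handled
# here; OpenSSH key lines are plain ASCII, so ldapsearch does not encode them.
extract_keys() {
    unwrap_ldif | sed -n 's/^sshPublicKey: //p'
}

# The real lookup (needs a reachable LDAP server, so it is not run below):
# what the page's script does, with escaping and -LLL added.
fetch_keys() {
    ldapsearch -x -LLL "$(build_filter "$1")" sshPublicKey | extract_keys
}

# Constructed ldapsearch output for one user with two keys; the first key
# is wrapped across two lines the way ldapsearch wraps long values.
sample_ldif() {
cat <<'EOF'
dn: cn=dleeuw,ou=People,dc=example,dc=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkey1 dleeuw
 @WORKSTATION
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedkey2 dleeuw@laptop

EOF
}

# When run directly: show the filter for dleeuw and the keys parsed from
# the constructed LDIF (two lines, the first joined back together).
echo "filter: $(build_filter 'dleeuw')"
sample_ldif | extract_keys
```

The awk join is the part worth testing against your own directory's output: run `ldapsearch -x -LLL '(uid=yourname)' sshPublicKey | extract_keys` and compare it with the workstation's public key file before wiring the command into sshd_config.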
Make sure your /etc/ldap/ldap.conf or /etc/openldap/ldap.conf file is configured to point to the right LDAP server(s). Our example looks like this:
BASE dc=example,dc=com
URI ldap://ldap.example.com
Add the following lines to your sshd_config file:
AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP
# AuthorizedKeysCommandUser nobody
# AuthorizedKeysCommandRunAs root

If you are running on CentOS 7 comment out the AuthorizedKeysCommandRunAs line; on a Debian-based system use AuthorizedKeysCommandUser. On CentOS 7 we only got running as root to work, no other user seemed to work; your mileage may vary.
The last thing to correct is the ownership of the script. Set it to the appropriate user (root or nobody).
Generate a public and private key on the workstation that you want to use to access the server and check the content of the created file:
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub

Create an LDIF file with something like this, where sshPublicKey is the content of your id_rsa.pub file:
dn: cn=dleeuw,ou=People,dc=example,dc=com
changeType: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAABBDAQABAFFBAQDX9uIBEySOR6tASa4RIgUo6TTO
 i+o3hIWkxJGlfajHQY9f73LONotAPKgDfEdvrvY+0pW3zXe3pmr4GhQzP2c1EMYmwVdkkQ
 Ltn/FHFICLHCyihN2byMe14v4iv1em6XXLqVB7cbxi2XKHHfa50tqgeEJTIRVbFVht9WCd
 HQ9VUvwnCUda6wDt3E1q+tAaUOldrfFl3KR4LQThOUOEOtaG1eU2Q/fk1j5qLMH2sDtzYn
 Tp2MgLVAElC7XH9QDWz4+I3uxeYOweUhvBnBx+Ti2ZkzZjchRbkawa4v/woySmWove7nzp
 BPYWJ8mBdRecVfcY+/jZDSe2Phgfzgf3cRTvs3tF dleeuw@WORKSTATION

Of course the key is one long line, but for readability we cut it into a couple of shorter lines. Now you can use ldapmodify to add the data to the account in LDAP.
Your first test should be the script:
/usr/local/bin/fetchSSHKeysFromLDAP dleeuw

You should of course change the username to the one you used. The output of the script should be identical to the content of your id_rsa.pub file.
The last test is to log in from a remote computer to the one you want to access:
ssh -i ~/.ssh/id_rsa dleeuw@login.example.com

This should ask you for your passphrase and, when you enter it correctly, log you in to the server.