A simple script to be used as AuthorizedKeysCommand in OpenSSH server to look up user’s public keys in LDAP.
jirutka/ssh-getkey-ldap
OpenSSH, look up public keys in LDAP!

This project provides a simple script to be used as AuthorizedKeysCommand in OpenSSH server to fetch authorized keys from LDAP. The script is written in Lua and requires just one dependency, lualdap (and a Lua interpreter, of course).

Not a fan of Lua? Then you may try this one, written in POSIX shell (but it requires the ldapsearch utility and may not work well on some systems), or ssh-ldap-pubkey, written in Python.

If you need a utility that lets users manage the keys stored in LDAP, ssh-ldap-pubkey is what you’re looking for.

Requirements

  • Lua 5.1+ or LuaJIT 2.0+

  • lualdap (that requires libldap)

Installation

On Alpine Linux

apk add ssh-getkey-ldap

Using git and ./install

git clone -b v0.1.2 https://github.com/jirutka/ssh-getkey-ldap.git
cd ssh-getkey-ldap
./install

Manual

cd /usr/local/bin
wget https://github.com/raw/jirutka/ssh-getkey-ldap/v0.1.2/ssh-getkey-ldap
chown root:root ssh-getkey-ldap
chmod 0755 ssh-getkey-ldap

cd /etc/ssh
wget https://github.com/raw/jirutka/ssh-getkey-ldap/v0.1.2/getkey-ldap.conf
vim getkey-ldap.conf  # read next section

Configuration

The script reads configuration from /etc/ssh/getkey-ldap.conf.

The file format is similar to other UNIX configuration files. Comments begin with a # character and extend to the end of the line; blank lines are ignored. Configuration options consist of an initial keyword followed by a list of values separated by one or more whitespace characters. Options may not be continued over multiple lines. Keywords and values are case-sensitive.

The configuration options are as follows:

host

A list of hostnames or IP addresses of hosts running an LDAP server to connect to. Each hostname in the list may include a port number, separated from the host itself by a colon (:) character. Default value is localhost.

use_tls

Whether to use TLS (true, or false). Default is false.

binddn

DN to bind as when reading the user’s entry. Default is to bind anonymously.

bindpw

Credentials to bind with when reading the user’s entry. Default is none.

base

DN of the search base. Default is empty (i.e. root of the directory).

scope

The search scope; base, onelevel, or subtree. Default is subtree.

timeout

The timeout in seconds. Default is 5.

pubkey_attr

Name of the attribute holding the SSH public keys. Default is sshPublicKey.
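As an added example (not the project's own code), a small Python parser that reads a getkey-ldap.conf in the format described above, applies the documented defaults and rejects values the script could not use; treating unknown keywords, missing values and extra tokens as errors is an assumption, since the page only describes the accepted syntax. Handy for validating a configuration before pointing sshd at it.

```python
# Parser/validator for the getkey-ldap.conf format. Added example; not the
# project's code. Strictness rules (unknown keyword, missing value) are assumed.
DEFAULTS = {
    "host": [("localhost", None)],           # list of (hostname, port or None)
    "use_tls": False, "binddn": None, "bindpw": None,  # None = anonymous bind
    "base": "", "scope": "subtree", "timeout": 5,      # "" = root of the directory
    "pubkey_attr": "sshPublicKey",
}

def parse_host(token):  # 'host[:port]'; bracketed IPv6 is not part of the documented form
    host, sep, port = token.rpartition(":")
    if not sep:
        return token, None
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in host {token!r}")
    return host, int(port)

def parse_getkey_ldap_conf(text):
    conf = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment running to end of line
        if not line:
            continue                         # blank and comment-only lines are ignored
        keyword, *values = line.split()      # keyword, then whitespace-separated values
        if keyword not in DEFAULTS:          # keywords are case-sensitive: 'Host' != 'host'
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
        if not values:
            raise ValueError(f"line {lineno}: {keyword} needs a value")
        if keyword == "host":
            conf["host"] = [parse_host(v) for v in values]
            continue
        if len(values) != 1:                 # no quoting in this format: one token only
            raise ValueError(f"line {lineno}: {keyword} takes exactly one value")
        value = values[0]
        if keyword == "use_tls":             # values are case-sensitive: 'True' is an error
            if value not in ("true", "false"):
                raise ValueError(f"line {lineno}: use_tls must be true or false")
            conf[keyword] = value == "true"
        elif keyword == "scope":
            if value not in ("base", "onelevel", "subtree"):
                raise ValueError(f"line {lineno}: scope must be base, onelevel or subtree")
            conf[keyword] = value
        elif keyword == "timeout":
            if not value.isdigit() or int(value) < 1:
                raise ValueError(f"line {lineno}: timeout must be a positive integer")
            conf[keyword] = int(value)
        else:                                # binddn, bindpw, base, pubkey_attr
            conf[keyword] = value
    return conf
```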

Setup OpenSSH server

To configure the OpenSSH server to fetch users’ authorized keys from the LDAP server:

  1. Make sure that ssh-getkey-ldap is installed in /usr/local/bin (or /usr/bin), owned by root, with mode 0755.

  2. Add these two lines into /etc/ssh/sshd_config:

    AuthorizedKeysCommand /usr/local/bin/ssh-getkey-ldap
    AuthorizedKeysCommandUser nobody

  3. Restart sshd and check the log file to make sure there are no errors.

Note: This method is supported by OpenSSH since version 6.2-p1 (or 5.3 on Red Hat). If you have an older version and can’t upgrade, for whatever weird reason, use the openssh-lpk patch instead.

Setup LDAP server

Just add the openssh-lpk.schema to your LDAP server, or add an attribute named sshPublicKey to any existing schema that is already used by people entries. That’s all.

Note: Presumably, you’ve already set up your LDAP server for centralized Unix user management, i.e. you have the NIS schema and users in LDAP.

License

This project is licensed under MIT License. For the full text of the license, see the LICENSE file.
