This project provides a simple script to be used as AuthorizedKeysCommand
in OpenSSH server to fetch authorized keys from LDAP.
The script is written in Lua and requires just one dependency, lualdap (and Lua interpreter of course).
Not fan of Lua?
Then you may try this one written in POSIX shell (but it requires ldapsearch
utility and may not work well on some systems) or ssh-ldap-pubkey written in Python.
If you need an utility for users to manage keys stored in LDAP, ssh-ldap-pubkey is what you’re looking for.
-
Lua 5.1+ or LuaJIT 2.0+
-
lualdap (that requires libldap)
git clone -b v0.1.2 https://github.com/jirutka/ssh-getkey-ldap.git
cd ssh-getkey-ldap
./install
The script reads configuration from /etc/ssh/getkey-ldap.conf
.
The file format is similar to other UNIX configuration files.
Comments begin with a #
character and extend to the end of the line; blank lines are ignored.
Configuration options consist of an initial keyword followed by a list of values separated by one or more whitespaces.
Options may not be continued over multiple lines.
Keywords and values are case-sensitive.
The configuration options are as follows:
- host
-
A list of hostnames or IP addresses of hosts running an LDAP server to connect to. Each hostname in the list may include a port number which is separated from the host itself with a colon
:
character. Default value is localhost. - use_tls
-
Whether to use TLS (true, or false). Default is false.
- binddn
-
DN to bind when reading the user’s entry. Default is to bind anonymously.
- bindpw
-
Credentials to bind with when reading the user’s entry. Default is none.
- base
-
DN of the search base. Default is empty (i.e. root of the directory).
- scope
-
The search scope; base, onelevel, or subtree. Default is subtree.
- timeout
-
The timeout in seconds. Default is 5.
- pubkey_attr
-
Name of the attribute with SSH pubkeys. Default is sshPublicKey.
To configure OpenSSH server to fetch users’ authorized keys from LDAP server:
-
Make sure that you have installed
ssh-getkey-ldap
in/usr/local/bin
(or/usr/bin
) with ownerroot
and mode0755
. -
Add these two lines into
/etc/ssh/sshd_config
:AuthorizedKeysCommand /usr/local/bin/ssh-getkey-ldap AuthorizedKeysCommandUser nobody
-
Restart sshd and check log file if there’s no problem.
Note: This method is supported by OpenSSH since version 6.2-p1 (or 5.3 onRedHat). If you have an older version and can’t upgrade, for whatever weird reason, use openssh-lpk patch instead.
Just add the openssh-lpk.schema to your LDAP server, or add an attribute named sshPublicKey
to any existing schema which is already defined in people entries.
That’s all.
Note: Presumably, you’ve already setup your LDAP server for centralized unix users management, i.e. you have the NIS schema and users in LDAP.
This project is licensed under MIT License. For the full text of the license, see the LICENSE file.