ssh public key authentication with LDAP

One of my recent projects required me to build a solution which can store ssh public keys on an LDAP server, and then authenticate users against those keys. This was an R&D project in which I had to do a lot of R and a lot of D (sigh…). After much effort and a little bit of hacking, I finally managed to complete the project, and thought of posting it here.

First of all you need to have a good understanding (a picture) in your mind about what exactly we are going to do. LDAP based authentication already exists; there’s nothing new about it. When a user tries to ssh to a server, the server fetches the user's credentials and some other information like login shell, home directory, groups etc. from the LDAP server. If the password the user enters matches the password that the LDAP server provides, the user is authenticated. So what are we going to do, if it's already there…?

Instead of using passwords we are going to use ssh public keys to authenticate the user. See the picture below for a better understanding.

[Figure: Overview]

To do this I’m going to use Ubuntu 12.04 x64.

Let's start implementing.

LDAP Server Configuration

Let's install a fresh LDAP server; issue the command below:

apt-get install slapd ldap-utils libpam-ldap nscd

Now you need to add the openssh-ldap schema to this LDAP server. To do this,

first create a temporary file to store the schema:

vi /tmp/openssh-ldap.schema

then copy and paste the content below into that file:

# openssh-lpk schema in LDIF form for the cn=config backend:
# ldapadd reads LDIF, not a raw slapd.conf-style .schema file.
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
  DESC 'MANDATORY: OpenSSH Public key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
  DESC 'MANDATORY: OpenSSH LPK objectclass'
  MUST ( sshPublicKey $ uid ) )

To add this schema into our LDAP server, issue the command below:

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/openssh-ldap.schema

Now you need to populate the LDAP server; use a tool like Apache Directory Studio (https://directory.apache.org/studio/) to connect to the server.

You need to create posix accounts in order for nss to recognize them; the uid of your posix account will be the username when you log in.

Create an LDAP directory tree structure and put some users in it; add the ldapPublicKey objectClass to each user and use the sshPublicKey attribute to store the public key.

Client Configuration

First we need to modify the SSH server configuration.

The SSH server can't fetch the user's public key from the LDAP server on its own; what it can do is run our own script when a user tries to log in.

So we will create a script which fetches the ssh public key from the server, then configure ssh to run this script whenever a user tries to log in.

Now let's create the script.

Create a file

vi /usr/bin/auth

Put the content below into the file:

#!/bin/bash
# Called by sshd as: /usr/bin/auth <username>
# sshd requires this file to be owned by root and not group/world writable (e.g. chmod 755).

user="$1"
server=127.0.0.1 # Put your server IP
basedn="ou=user,dc=ldap,dc=abccrop,dc=org" # Put your basedn
port=389

# -x is an anonymous simple bind over plain LDAP; add -ZZ to require StartTLS if your server supports it.
# The filter ANDs both conditions with (&...) and matches on uid, the login name sshd passes in.
# The sed script joins ldapsearch's folded continuation lines and prints each sshPublicKey value.
ldapsearch -x -h "$server" -p "$port" -b "$basedn" -s sub "(&(objectClass=posixAccount)(uid=$user))" sshPublicKey \
  | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

Now change the ssh server config: open /etc/ssh/sshd_config and append the two lines below at the end.

vi /etc/ssh/sshd_config

AuthorizedKeysCommand /usr/bin/auth
AuthorizedKeysCommandUser root

(The script only performs an anonymous LDAP search, so AuthorizedKeysCommandUser can be a dedicated unprivileged account instead of root if you want least privilege; the script file itself must still be owned by root and not writable by others.)
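The same lookup, restructured as an added example (written for this page, not the post's own script) into small functions so the filter, the LDIF unfolding and the output check can be exercised offline. It assumes the post's base DN and a server at 127.0.0.1:389; the key material in the embedded sample is constructed.

```shell
#!/bin/sh
# Added example, not the post's script; see the lead-in for assumptions.

# The login name sshd passes is interpolated into an LDAP filter, so allow
# only safe characters; '(', ')', '*' and '\' would change the filter.
valid_user() {
  printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# AND both conditions; two filters written side by side are not a valid filter.
ldap_filter() {
  printf '(&(objectClass=posixAccount)(uid=%s))' "$1"
}

# ldapsearch folds long values: a line starting with one space continues the
# previous line. Join them, then print every sshPublicKey value, one per line.
keys_from_ldif() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (buf != "") print buf; buf = $0 }
       END { if (buf != "") print buf }' |
  sed -n 's/^sshPublicKey: //p'
}

# Keep only lines that begin with a key type, so a tampered directory value
# cannot smuggle authorized_keys options (command=, from=, ...) into sshd.
valid_keys_only() {
  grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Live lookup, as sshd would call it (server address and base DN are assumptions).
fetch_keys() {
  valid_user "$1" || return 1
  ldapsearch -x -LLL -h 127.0.0.1 -p 389 -b 'ou=user,dc=ldap,dc=abccrop,dc=org' \
    -s sub "$(ldap_filter "$1")" sshPublicKey | keys_from_ldif | valid_keys_only
}

# Constructed ldapsearch output with fake key material: a folded key, a folded
# non-key attribute, a value carrying an option prefix, and a second key.
SAMPLE_LDIF='dn: uid=bob,ou=user,dc=ldap,dc=abccrop,dc=org
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI
 FAKEKEYMATERIAL bob@laptop
description: a long description that ldapsearch has
 folded onto a second line
sshPublicKey: command="x" ssh-rsa AAAAB3 mallory
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ bob@desk
uid: bob'
demo_keys() { printf '%s\n' "$SAMPLE_LDIF" | keys_from_ldif | valid_keys_only; }

if [ -n "${1:-}" ]; then fetch_keys "$1"; fi
```

Running demo_keys prints the two genuine keys joined back onto single lines and drops the value that starts with an option prefix.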

Now let's configure nss to fetch user details such as home directories, login shells etc. from LDAP.

Open /etc/nsswitch.conf and edit it as below:

passwd: ldap compat
group:  ldap compat
shadow: ldap compat

hosts:    files
networks: files

protocols: db files
services:  db files
ethers:    db files
rpc:       db files

netgroup: nis

One final step

To automatically create home directories when users log in,

create a file:

vi /usr/share/pam-configs/my_mkhomedir

Put the content below into it:

Name: activate mkhomedir
Default:  yes
Priority: 900
Session-Type: Additional
Session: required
pam_mkhomedir.so umask=0022 skel=/etc/skel

Now restart nscd:

service nscd restart

All done; now log in as an LDAP user and check if it works.

good luck….!!!!


6 thoughts on “ssh public key authentication with LDAP”

  1. Well explained and it helped me…Thank you !!!

    I had to even update this file: /etc/pam.d/common-session

    added this line :

    session required pam_mkhomedir.so

    That's when the home directory got created for the new user.

    1. In your /etc/nsswitch.conf try adding back “files” as an option for passwd, group, and shadow for local users.
