SSH Key with SSSD/LDAP
DISTRO: RHEL/CentOS
VERSION: 6.7
Portability: Should work on any distribution using sssd rather than the traditional ldap-client packages.
So if you have recently joined the Cool Kids Club of the server admin world, you may now have an awesome LDAP server of your own to handle all your authentication needs. Now, you may be sitting there thinking, “As awesome as LDAP is, I wish it was just a little more awesome.” To which I’d say “How much more awesome do you want it?” and you’d reply “Awesome enough to handle SSH public/private key authentication,” to which I’d say “HOLD ONTO YOUR SOCKS, TIMMY (also, in this scenario your name is Timmy), BECAUSE IT DOES!”
Now, on the server side, you’ll need to add an additional schema (the one that lets user entries carry SSH public keys). This is usually pretty simple, but depending on how your initial configuration went, you’ll have to look up the method for your own setup. In my case I use FusionDirectory, where it is as simple as:
# On the LDAP server
yum install fusiondirectory-plugin-ssh fusiondirectory-plugin-ssh-schema
fusiondirectory-insert-schema -i /etc/openldap/schema/fusiondirectory/openssh-lpk.schema
Now, on the client, you’ll need to make a couple of quick adjustments to your configuration. These are simple and take no effort at all. Do note that the client adjustments are the same regardless of what type of LDAP server you are using; the only thing that matters is that sssd is your client connection to that server.
First up, edit /etc/ssh/sshd_config with your favorite editor (mine is vim) and set:
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandRunAs nobody
Then edit /etc/sssd/sssd.conf and add “ssh” to your services line, like so:
[sssd]
services = nss, sudo, ssh, pam, autofs
config_file_version = 2
enumerate = true
Now simply restart your services:
service sssd restart
service sshd restart
and you should be in good shape!
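The whole client-side procedure above, as an added example that is not part of the original post: a small POSIX sh script that applies the three sshd_config directives and the sssd.conf services change idempotently (running it twice adds nothing twice), then verifies the result. It assumes the RHEL/CentOS 6 file locations as defaults, but every function takes a path so it can be exercised against scratch copies; the sample config contents it writes are constructed for the dry run, not copies of real systems.

```shell
#!/bin/sh
# Added example (not from the original post): apply the client-side changes above idempotently
# and verify them. Paths are parameters so the functions can run on copies; the defaults assume
# the RHEL/CentOS 6 layout (/etc/ssh/sshd_config, /etc/sssd/sssd.conf).
set -u

# ensure_directive FILE KEY VALUE
# Rewrite an existing "KEY ..." line (commented out or not) to "KEY VALUE", or append one.
# A directive placed after a "Match" block applies only to that block, so a file containing
# one is left alone rather than edited in the wrong place.
ensure_directive() {
    file=$1 key=$2 value=$3
    if grep -Eq '^[[:space:]]*Match[[:space:]]' "$file"; then
        echo "ensure_directive: $file has a Match block; edit it by hand" >&2
        return 1
    fi
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file" > "$file.tmp"
    else
        { cat "$file"; printf '%s %s\n' "$key" "$value"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# configure_sshd [FILE]: the three sshd_config directives from the post.
configure_sshd() {
    file=${1:-/etc/ssh/sshd_config}
    ensure_directive "$file" PubkeyAuthentication yes &&
    ensure_directive "$file" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys &&
    ensure_directive "$file" AuthorizedKeysCommandRunAs nobody
}

# add_sssd_service FILE SERVICE: add SERVICE to the "services =" line of the [sssd] section
# unless it is already listed; other sections are not touched.
add_sssd_service() {
    awk -v svc="$2" '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            rhs = substr($0, index($0, "=") + 1)
            n = split(rhs, list, ",")
            found = 0
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", list[i])
                if (list[i] == svc) found = 1
            }
            if (!found) $0 = $0 (rhs ~ /[^ \t]/ ? ", " : " ") svc
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# sshd_directive FILE KEY: print the value of the first uncommented KEY line.
sshd_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# sssd_has_service FILE SERVICE: succeed if SERVICE is listed in the [sssd] services line.
sssd_has_service() {
    awk -v svc="$2" '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            n = split(substr($0, index($0, "=") + 1), list, ",")
            for (i = 1; i <= n; i++) { gsub(/^[ \t]+|[ \t]+$/, "", list[i]); if (list[i] == svc) ok = 1 }
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# make_sample_configs DIR: constructed sample files for a dry run (not copies of real systems).
make_sample_configs() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sample sshd_config
Port 22
#PubkeyAuthentication yes
PasswordAuthentication no
EOF
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
services = nss, sudo, pam, autofs
config_file_version = 2
domains = example

[domain/example]
id_provider = ldap
EOF
}

# apply_client_changes DIR: run the whole procedure on DIR/sshd_config and DIR/sssd.conf,
# then verify the result; succeeds only when every directive is in place.
apply_client_changes() {
    configure_sshd "$1/sshd_config" && add_sssd_service "$1/sssd.conf" ssh || return 1
    [ "$(sshd_directive "$1/sshd_config" PubkeyAuthentication)" = yes ] &&
    [ "$(sshd_directive "$1/sshd_config" AuthorizedKeysCommand)" = /usr/bin/sss_ssh_authorizedkeys ] &&
    [ "$(sshd_directive "$1/sshd_config" AuthorizedKeysCommandRunAs)" = nobody ] &&
    sssd_has_service "$1/sssd.conf" ssh
}

# Dry run on a scratch directory:  sh this_script.sh --demo   (then restart sssd and sshd as above)
if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d) && make_sample_configs "$d" && apply_client_changes "$d" && echo "verified: $d"
fi
```

Two things worth checking once this is in place. The keys sshd accepts are only as trustworthy as the channel sssd fetched them over, so make sure sssd reaches the directory over TLS (ldaps:// or STARTTLS) rather than plain LDAP, or an attacker on the path could substitute a public key. Also, enumerate = true from the post's [sssd] block is not needed for key lookup; it makes sssd pull every user and group from the directory, which is slow on large trees, so leave it off unless something else needs it. On releases newer than RHEL 6, the sshd directive is spelled AuthorizedKeysCommandUser instead of AuthorizedKeysCommandRunAs.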
As an additional note, you can look up the public keys tied to an account by issuing: