SSH Key with SSSD/LDAP
DISTRO: RHEL/CentOS
VERSION: 6.7
Portability: Should work on any distribution that uses sssd rather than the traditional ldap-client packages.
So if you have recently joined the Cool Kids Club of the server admin world, you may now have an awesome LDAP server of your own to handle all your authentication needs. Now, you may be sitting there thinking, “As awesome as LDAP is, I wish it was just a little more awesome.” To which I’d say, “How much more awesome do you want it?” and you’d reply, “Awesome enough to handle SSH public/private key authentication,” to which I’d say, “HOLD ONTO YOUR SOCKS, TIMMY! BECAUSE IT DOES!” (also, in this scenario your name is Timmy).
Now, on the server side, you’ll need to add an additional schema. This is usually pretty simple, but depending on how your initial configuration went you’ll have to look up the method for your own setup. The schema in question is the OpenSSH LPK schema (openssh-lpk), which adds the ldapPublicKey object class and the multi-valued sshPublicKey attribute that holds each user’s keys. In my case I use FusionDirectory, where it is as simple as:

# ON the LDAP server
yum install fusiondirectory-plugin-ssh fusiondirectory-plugin-ssh-schema
fusiondirectory-insert-schema -i /etc/openldap/schema/fusiondirectory/openssh-lpk.schema
Now on the client, you’ll need to make a couple of quick adjustments to your configuration. These are simple and take almost no effort. Note that the client adjustments are the same regardless of which LDAP server you are using; the only thing that matters is that sssd is your client connection to that server (the sss_ssh_authorizedkeys helper used below ships with sssd).
First up, edit /etc/ssh/sshd_config with your favorite editor (mine is vim) and set:

PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandRunAs nobody

Two caveats here. AuthorizedKeysCommandRunAs is the spelling used by the OpenSSH that RHEL/CentOS 6 ships; OpenSSH 6.2 and later call the same setting AuthorizedKeysCommandUser, and sshd refuses to start if AuthorizedKeysCommand is set without a run-as user. Also, sshd will only execute the command if it is given as an absolute path, is owned by root, and is not writable by group or others (the sss_ssh_authorizedkeys binary installed by sssd already satisfies this). Local ~/.ssh/authorized_keys files keep working alongside the LDAP keys unless you also change AuthorizedKeysFile.
Then edit /etc/sssd/sssd.conf and add “ssh” to your services line, like so:

[sssd]
services = nss, sudo, ssh, pam, autofs
config_file_version = 2
enumerate = true

Two notes: sssd will refuse to start unless sssd.conf is owned by root with mode 0600, so check that after editing, and sssd reads the keys from the sshPublicKey attribute by default (the ldap_user_ssh_public_key option in your [domain/...] section changes that if your schema uses a different attribute). The enumerate = true line is unrelated to key lookup; it just happens to be in this config.
Now simply restart your services:

service sssd restart
service sshd restart
and you should be in good shape!
As an additional note, you can look up the public keys tied to an account by issuing:

/usr/bin/sss_ssh_authorizedkeys <username>

This prints exactly the keys sshd will accept for that user; empty output means sssd found no sshPublicKey values for the account (or the ssh responder is not running).
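As an added pre-flight check (example code written for this page, not from the original post or from the sssd/OpenSSH projects), the script below verifies the three things that most often break this setup before you restart anything: the sshd_config directives, the permissions sshd demands of the AuthorizedKeysCommand binary, and the services line and file mode of sssd.conf. It only reads files and never talks to LDAP; it assumes GNU coreutils (stat -c) and a POSIX awk. The demo at the bottom runs against constructed sample files in a scratch directory, not your live configs.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the sshd + sssd key-lookup setup above.
# Added example for this page, not code from the original post or from the
# sssd/OpenSSH projects. It only reads config text and file metadata and
# never talks to LDAP. Assumes GNU coreutils (stat -c) and a POSIX awk.

# First uncommented value of a keyword in an sshd_config-style file.
# sshd honours the FIRST occurrence of a keyword, so this does too.
# (Match blocks are not modelled; keep these directives above any Match.)
sshd_directive() {   # $1 = file, $2 = keyword (case-insensitive, as in sshd)
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# The three directives the post adds. Returns 0 when all are acceptable.
check_sshd_config() {   # $1 = path to sshd_config
    local f="$1" rc=0 pubkey cmd runas
    pubkey=$(sshd_directive "$f" PubkeyAuthentication | tr '[:upper:]' '[:lower:]')
    cmd=$(sshd_directive "$f" AuthorizedKeysCommand)
    # RHEL/CentOS 6's OpenSSH spells it AuthorizedKeysCommandRunAs; OpenSSH 6.2+
    # renamed the same setting AuthorizedKeysCommandUser. Accept either.
    runas=$(sshd_directive "$f" AuthorizedKeysCommandRunAs)
    [ -n "$runas" ] || runas=$(sshd_directive "$f" AuthorizedKeysCommandUser)

    # sshd's compiled-in default is yes, so only an explicit "no" is a problem.
    [ "${pubkey:-yes}" = yes ] || { echo "FAIL: PubkeyAuthentication is $pubkey"; rc=1; }
    case "$cmd" in
        /*) ;;
        "") echo "FAIL: AuthorizedKeysCommand is not set"; rc=1 ;;
        *)  echo "FAIL: AuthorizedKeysCommand must be an absolute path, got $cmd"; rc=1 ;;
    esac
    # sshd refuses to start with AuthorizedKeysCommand but no run-as user.
    [ -n "$runas" ] || { echo "FAIL: AuthorizedKeysCommandRunAs/AuthorizedKeysCommandUser is not set"; rc=1; }
    return $rc
}

# sshd only executes an AuthorizedKeysCommand that is owned by root and not
# writable by group or others. Returns 0 ok, 1 missing, 2 writable, 3 not root.
check_keys_command() {   # $1 = path named in AuthorizedKeysCommand
    local p="$1" mode uid
    [ -f "$p" ] || { echo "FAIL: $p not found (on RHEL it is installed by sssd)"; return 1; }
    mode=$(stat -c %a "$p")
    uid=$(stat -c %u "$p")
    case "$mode" in   # group or other write bit set in the last two octal digits
        *[2367][0-7]|*[2367]) echo "FAIL: $p is group/world writable (mode $mode)"; return 2 ;;
    esac
    [ "$uid" -eq 0 ] || { echo "FAIL: $p must be owned by root (owner uid $uid)"; return 3; }
    return 0
}

# True if $2 is listed in services= of the [sssd] section of $1 (other
# sections are ignored, so a stray "services" in a [domain/...] does not count).
sssd_has_service() {   # $1 = sssd.conf, $2 = service name
    awk -v want="$2" '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        insect && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (svc[i] == want) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# sssd refuses to start unless sssd.conf is root-owned with mode 0600 (only the
# mode is checked here so the demo works unprivileged), and
# sss_ssh_authorizedkeys needs the ssh responder enabled in services=.
check_sssd_conf() {   # $1 = path to sssd.conf
    local f="$1" rc=0 mode
    mode=$(stat -c %a "$f")
    [ "$mode" = 600 ] || { echo "FAIL: $f is mode $mode, sssd requires 0600"; rc=1; }
    sssd_has_service "$f" ssh || { echo "FAIL: 'ssh' is missing from services= in [sssd]"; rc=1; }
    return $rc
}

# Demo against constructed sample files in a scratch directory (not /etc).
demo() {
    local d; d=$(mktemp -d)
    printf 'PubkeyAuthentication yes\nAuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandRunAs nobody\n' > "$d/sshd_config"
    printf '[sssd]\nservices = nss, sudo, ssh, pam, autofs\nconfig_file_version = 2\n' > "$d/sssd.conf"
    chmod 600 "$d/sssd.conf"
    check_sshd_config "$d/sshd_config" && echo "sshd_config: OK"
    check_sssd_conf "$d/sssd.conf" && echo "sssd.conf: OK"
    rm -rf "$d"
}
demo
```

On a real host, replace the demo with the live paths: check_sshd_config /etc/ssh/sshd_config, check_keys_command "$(sshd_directive /etc/ssh/sshd_config AuthorizedKeysCommand)", and check_sssd_conf /etc/sssd/sssd.conf, then restart sssd and sshd only once all three return 0.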
Eric Lin September 11, 2018 - 6:44 am
Hey!
Your article is so helpful!
But I have a problem now, which is that I am running OpenLDAP + FusionDirectory on Debian, which doesn’t have sssd. Now I’ve installed “fusiondirectory-plugin-ssh fusiondirectory-plugin-ssh-schema” and I am quite confused about what the next step is. Could you give me some hints?
Cheers
Brandon.Graves September 22, 2018 - 10:33 am
Hi Eric,
Sorry for the long delay. I don’t get many legitimate comments, so I’m out of the habit of checking them. Have you found a solution to your problem? If not, what are you using in lieu of sssd? I’m not too familiar with Debian systems, so I’m not sure what its primary authentication handler is these days.