openldap & stored ssh keys

  1.  first we have to add a new schema for openldap


# LDAP Public Key Patch schema for use with openssh-ldappubkey
# Author: Eric AUGE <>
# Based on the proposal of : Mark Ruijter

# octetString SYNTAX
# NB: slapd requires a numeric OID in front of NAME and after SYNTAX (the
# octetString syntax OID); the values are the ones from the upstream
# openssh-lpk schema. The quotes must be plain ASCII single quotes.
attributetype ( NAME 'sshPublicKey'
    DESC 'MANDATORY: OpenSSH Public key'
    EQUALITY octetStringMatch
    SYNTAX )
# printableString SYNTAX yes|no
# Auxiliary class, so it can be added to an existing posixAccount entry.
objectclass ( NAME 'ldapPublicKey' SUP top AUXILIARY
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    MUST ( sshPublicKey $ uid )
    )

2. add new schema to slapd.conf

  • include         /etc/openldap/schema/ssh_keys.schema
  • service  slapd restart

3. generate the key pair and add the public key to the ldap db

  • ssh-keygen ==> we'll have the public/private key pair (only the public key goes into LDAP; the private key stays with the user)
  • add the key to ldap
    • create the file => ssh_key_userldap1.ldif (the two modifications of the same entry are separated by a line containing only "-"; a blank line would end the entry and make ldapmodify choke on the second "add:")
    • dn: uid=usrldap1,ou=People,dc=example1,dc=com
      changetype: modify
      add: objectClass
      objectClass: ldapPublicKey
      -
      add: sshPublicKey
      sshPublicKey: <<content of>>
    • add the entry to ldap ==> ldapmodify -x -D "cn=admin,dc=example1,dc=com" -f ssh_key_userldap1.ldif -W

4. edit sshd_config on the ssh server (the host we will log in to with the ldap-stored keys)

  • AuthorizedKeysCommand  /usr/local/bin/
    AuthorizedKeysCommandRunAs root
    (AuthorizedKeysCommandRunAs is the RHEL 6 backport's name for this directive; upstream OpenSSH >= 6.2 calls it AuthorizedKeysCommandUser. The script only needs to read LDAP, so a dedicated unprivileged user is safer than root. sshd also requires the command to be given by absolute path, owned by root and not group- or world-writable, otherwise it refuses to run it.)
  •  /usr/local/bin/ ==>
    • #!/bin/bash
      # sshd passes the login name as $1. -x is an anonymous simple bind, so
      # URI/BASE come from /etc/openldap/ldap.conf and the ACL must allow an
      # anonymous read of sshPublicKey. Note that $1 goes into the filter unescaped.
      ldapsearch -x '(&(objectClass=ldapPublicKey)(uid='"$1"'))' 'sshPublicKey' | \
      sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
      # the sed re-joins values that ldapsearch wrapped onto continuation
      # lines (leading space) and prints one key per line
    •  service sshd restart
  • now, connecting with the ssh keys stored in ldap should work.
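A hardened variant of the step 4 lookup script, added here as an example (it is not the page's original script and not part of openssh-lpk). It refuses login names outside a conservative account-name shape (sshd hands the script whatever name the client sent), escapes the name per RFC 4515 before it is spliced into the LDAP filter, asks ldapsearch for plain LDIF (-LLL), unfolds wrapped values, base64-decodes values ldapsearch emits with "::", and forwards only lines that look like authorized_keys entries. It assumes the ldapPublicKey schema from step 1 and that URI/BASE come from /etc/openldap/ldap.conf unless the LDAP_URI / LDAP_BASE environment variables (names chosen for this example) are set; the LDIF sample at the bottom is constructed, not real directory output, and is used for a dry run of the parser when no user name is given.

```shell
#!/bin/bash
# Added example: hardened AuthorizedKeysCommand for sshPublicKey in LDAP.
# Assumptions: the ldapPublicKey schema from step 1; BASE/URI in
# /etc/openldap/ldap.conf, or LDAP_URI / LDAP_BASE (names chosen here) in
# the environment; GNU coreutils base64.
set -u

LDAP_URI="${LDAP_URI:-}"
LDAP_BASE="${LDAP_BASE:-}"

# sshd hands us the login name exactly as the client sent it, so accept only
# a conservative account-name shape (lower-case, starts with a letter or "_",
# at most 32 characters) before it gets anywhere near an LDAP filter.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_.-]*|[!a-z_]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Escape the RFC 4515 filter metacharacters so a name can never change the
# shape of the query (a "*" would otherwise turn (uid=...) into "every user").
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Read LDIF on stdin and print one public key per line:
#  - a line starting with a space continues the previous line (ldapsearch
#    wraps long values), so fold those back first;
#  - "sshPublicKey:: <b64>" is a base64-encoded value, decode it;
#  - drop anything that does not look like an authorized_keys entry, so a
#    stray value in the directory is never handed to sshd.
extract_keys() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            'sshPublicKey:: '*) key=$(printf '%s\n' "${line#sshPublicKey:: }" | base64 -d) ;;
            'sshPublicKey: '*)  key=${line#sshPublicKey: } ;;
            *) continue ;;
        esac
        if printf '%s\n' "$key" | grep -Eq '^(ssh|ecdsa)-[a-z0-9-]+ [A-Za-z0-9+/]+=*( |$)'; then
            printf '%s\n' "$key"
        fi
    done
}

# Look the user up and emit their keys; this is what sshd actually runs.
lookup_user() {
    valid_username "$1" || return 1
    filter="(&(objectClass=ldapPublicKey)(uid=$(ldap_escape "$1")))"
    set -- -x -LLL
    [ -n "$LDAP_URI" ]  && set -- "$@" -H "$LDAP_URI"
    [ -n "$LDAP_BASE" ] && set -- "$@" -b "$LDAP_BASE"
    ldapsearch "$@" "$filter" sshPublicKey | extract_keys
}

# Constructed LDIF sample (not real directory output) for a dry run of the
# parser: a wrapped key, a base64-encoded key and a value that is not a key.
SAMPLE_LDIF='dn: uid=usrldap1,ou=People,dc=example1,dc=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdummy
 keyPartTwo usrldap1@example1
sshPublicKey:: c3NoLXJzYSBBQUFBIHhAeQ==
sshPublicKey: not-a-key'

if [ "$#" -gt 0 ]; then
    lookup_user "$1"
else
    printf '%s\n' "$SAMPLE_LDIF" | extract_keys
fi
```

Install it at the AuthorizedKeysCommand path from step 4 (root-owned, mode 0755) and run it by hand as the AuthorizedKeysCommandRunAs user with a real login name to confirm it prints the keys; run it with no argument to see the parser handle the wrapped, base64-encoded and junk values of the sample. A non-zero exit (rejected name, ldapsearch failure) makes sshd ignore the output and fall back to the user's own authorized_keys file.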


ubuntu (or other) clients that get the error "Agent admitted failure to sign using the key." when connecting: try => SSH_AUTH_SOCK=0 ssh usrldap1@remote_ip (this bypasses the ssh agent for that connection and lets ssh use the key file directly)

++ error bonus on RH6 <= 6.4 😀 ==> if you get this error in /var/log/secure: "sshd: error: user_key_via_command_allowed2: stat("/usr/local/bin/ "): No such file or directory"

please upgrade the openssh rpms to: openssh-5.3p1-94.el6 openssh-server-5.3p1-94.el6


