openldap & stored ssh keys

1. first we have to add a new schema to OpenLDAP

ssh_keys.schema

#
# LDAP Public Key Patch schema for use with openssh-ldappubkey
# Author: Eric AUGE <eau@phear.org>
#
# Based on the proposal of : Mark Ruijter
#

# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
    DESC 'MANDATORY: OpenSSH Public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    MUST ( sshPublicKey $ uid )
    )

2. add new schema to slapd.conf

  • include         /etc/openldap/schema/ssh_keys.schema
  • service  slapd restart

3. generate the key pair and add the public key to the ldap db

  • ssh-keygen ==> we'll have the public/private key pair
  • add the key to ldap
    • create the file => ssh_key_userldap1.ldif
    • dn: uid=usrldap1,ou=People,dc=example1,dc=com
      changetype: modify
      add: objectClass
      objectClass: ldapPublicKey

      add: sshPublicKey
      sshPublicKey: <<content of id_rsa.pub>>
  • add the entry to ldap ==> ldapmodify -x -D "cn=admin,dc=example1,dc=com" -f ssh_key_userldap1.ldif -W

4. edit sshd_config on the client computer (where we will connect with ssh keys)

  • AuthorizedKeysCommand  /usr/local/bin/ldapSSH.sh
    AuthorizedKeysCommandRunAs root
  • /usr/local/bin/ldapSSH.sh ==>
    • #!/bin/bash
      # look up the user's sshPublicKey attribute and unwrap the LDIF continuation lines
      ldapsearch -x '(&(objectClass=ldapPublicKey)(uid='"$1"'))' 'sshPublicKey' | \
      sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
    • service sshd restart
  • now, connection with the ssh keys stored in ldap should work.
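The lookup script above is the minimal one; the variant below is an added example written for this post, not the post's own script. It does two things the one-liner does not: it refuses a login name that could rewrite the LDAP filter (sshd passes the name straight through as $1), and it handles LDIF values that ldapsearch prints base64-encoded after "sshPublicKey:: " (which happens when a key comment contains non-ASCII characters) as well as the folded continuation lines. The LDAP_URI and LDAP_BASE values, the StartTLS-capable server behind -ZZ, the GNU `base64 -d` and the LDIF sample are assumptions or constructed data, not taken from the post. On OpenSSH 6.2 and later the directive is AuthorizedKeysCommandUser instead of the RHEL6 AuthorizedKeysCommandRunAs shown above, and a dedicated unprivileged user is the safer choice than root.

```shell
#!/bin/sh
# Hardened variant of the post's /usr/local/bin/ldapSSH.sh (added example, not the post's script).
# sshd invokes it as:  ldapSSH.sh <login name>   and reads public keys from stdout.
#
# Assumptions (placeholders, not from the post): LDAP_URI and LDAP_BASE below, a directory
# server that accepts StartTLS, and GNU coreutils `base64 -d` for LDIF base64 values.
LDAP_URI="${LDAP_URI:-ldap://ldap.example1.com}"
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example1,dc=com}"

# sshd hands us the login name unchecked. Anything outside a conservative character set is
# refused so the name cannot alter the LDAP filter (a name containing ")(uid=*" would).
validate_user() {
    case "$1" in
        ''|*[!a-zA-Z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read LDIF on stdin and print every sshPublicKey value, one per line.
# LDIF folds long values onto continuation lines that start with one space, and writes
# values that are not "safe strings" base64-encoded after "sshPublicKey:: ".
# awk re-joins the folded lines and tags each value; the shell loop decodes base64 ones.
extract_keys() {
    awk '
        function flush() {
            if (buf ~ /^sshPublicKey:: /)     print "b64 " substr(buf, 16)
            else if (buf ~ /^sshPublicKey: /) print "raw " substr(buf, 15)
            buf = ""
        }
        /^ /  { buf = buf substr($0, 2); next }   # continuation: append without the space
        { flush(); buf = $0 }                     # new attribute line: emit the previous one
        END   { flush() }
    ' | while read -r kind value; do
        case "$kind" in
            raw) printf '%s\n' "$value" ;;
            b64) printf '%s\n' "$value" | base64 -d; printf '\n' ;;
        esac
    done
}

# Query the directory for one user. -ZZ insists on StartTLS, so a spoofed or altered LDAP
# reply on the wire cannot hand sshd a key the directory never held; -LLL strips LDIF
# version and comment lines.
lookup_keys() {
    validate_user "$1" || { printf 'ldapSSH: refusing login name %s\n' "$1" >&2; return 1; }
    ldapsearch -x -LLL -ZZ -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=ldapPublicKey)(uid=$1))" sshPublicKey | extract_keys
}

# Constructed LDIF sample (what ldapsearch -LLL would print) for offline testing:
# one folded plain value and one base64 value ("c3NoLXJzYQ==" decodes to "ssh-rsa").
SAMPLE_LDIF='dn: uid=usrldap1,ou=People,dc=example1,dc=com
sshPublicKey: ssh-rsa AAAAB3Nza
 C1yc2E usrldap1@constructed
sshPublicKey:: c3NoLXJzYQ=='

demo_keys() { printf '%s\n' "$SAMPLE_LDIF" | extract_keys; }

# Entry point when sshd runs the script; with no argument the functions are just defined.
if [ "$#" -eq 1 ]; then
    lookup_keys "$1"
fi
```

Install it owned by root with mode 0755 (sshd refuses an AuthorizedKeysCommand that is writable by anyone but root), and point AuthorizedKeysCommand at it exactly as in step 4. Because sshd only ever sees what this script prints, every key line it emits is treated as an authorized key for that login, which is why the filter input is validated before it reaches ldapsearch.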

!! WARNING !!

Ubuntu or other clients that try to connect and get the error "Agent admitted failure to sign using the key." should try the following: => SSH_AUTH_SOCK=0 ssh usrldap1@remote_ip

++ bonus error on RH6 <= 6.4 :D ==> if you get this error in /var/log/secure: "sshd: error: user_key_via_command_allowed2: stat("/usr/local/bin/ldapSSH.sh "): No such file or directory"

please upgrade the ssh rpms to: openssh-5.3p1-94.el6 openssh-server-5.3p1-94.el6
