This project provides a utility to manage SSH public keys stored in LDAP and also a script for OpenSSH server to load authorized keys from LDAP, in addition to those in ~/.ssh/authorized_keys.
When you have dozens of servers it becomes difficult to manage your authorized keys. You have to copy all your public keys to ~/.ssh/authorized_keys on every server you want to log in to. And what if you someday change your keys?
It’s a good practice to use some kind of centralized user management, usually an LDAP server. There you have the user’s login, uid, e-mail, … and password. What if we could also store public SSH keys on the LDAP server? With this utility it’s as easy as pie.
If you need just a lightweight utility for OpenSSH server to load authorized keys from LDAP, then you can use ssh-getkey-ldap written in Lua, or this one written in POSIX shell (but it requires the ldapsearch utility and may not work well on some systems).
- Python 3.6+
- python-ldap 3.x
- docopt 0.6.x
You can install both Python modules from PyPI. python-ldap requires additional system dependencies – OpenLDAP. Refer to Stack Overflow for distribution-specific information.
pip install ssh-ldap-pubkey
apk add ssh-ldap-pubkey
Note: The package is currently in the (official) community repository; make sure that you have community in /etc/apk/repositories.
List SSH public keys stored in LDAP for the current user:
ssh-ldap-pubkey list
List SSH public keys stored in LDAP for the specified user:
ssh-ldap-pubkey list -u flynn
Add the specified SSH public key for the current user to LDAP:
ssh-ldap-pubkey add ~/.ssh/id_rsa.pub
Remove SSH public key(s) of the current user that match the specified pattern:
ssh-ldap-pubkey del flynn@grid
Specify the LDAP URI and base DN on the command line instead of in the configuration file:
ssh-ldap-pubkey list -b ou=People,dc=encom,dc=com -H ldaps://encom.com -u flynn
As the LDAP manager, add an SSH public key to LDAP for the specified user:
ssh-ldap-pubkey add -D cn=Manager,dc=encom,dc=com -u flynn ~/.ssh/id_rsa.pub
Show help for other options:
ssh-ldap-pubkey --help
Configuration is read from /etc/ldap.conf, the file used by the LDAP nameservice switch library and the LDAP PAM module. An example file is included in etc/ldap.conf. The following subset of parameters is used:
- uri ... URI(s) of the LDAP server(s) to connect to, separated by a space. The URI scheme may be ldap or ldaps. Default is ldap://localhost.
- nss_base_passwd ... distinguished name (DN) of the search base.
- base ... distinguished name (DN) of the search base. Used when nss_base_passwd is not set.
- scope ... search scope; sub, one, or base (default is sub).
- referrals ... whether the client should automatically follow referrals returned by LDAP servers (default is on).
- pam_filter ... filter to use when searching for the user’s entry, in addition to the login attribute value assertion (pam_login_attribute=<login>). Default is objectclass=posixAccount.
- pam_login_attribute ... the user ID attribute (default is uid).
- ldap_version ... LDAP version to use (default is 3).
- sasl ... enable SASL and specify the mechanism to use (currently only GSSAPI is supported).
- binddn ... distinguished name (DN) to bind with when reading the user’s entry (default is to bind anonymously).
- bindpw ... credentials to bind with when reading the user’s entry (default is none).
- ssl ... LDAP SSL/TLS method; off, on, or start_tls. If you use LDAP over SSL (i.e. URI ldaps://), leave this empty.
- timelimit ... search time limit in seconds (default is 10).
- bind_timelimit ... bind/connect time limit in seconds (default is 10). If multiple URIs are specified in uri, then the next one is tried after this timeout.
- tls_cacertdir ... path of the directory with CA certificates for LDAP server certificate verification.
- pubkey_class ... objectClass that is added to/removed from the user’s entry when adding the first/removing the last public key; pubkey_attr is mandatory for this class. This is needed for the original openssh-lpk.schema (not for the one in this repository). Default is ldapPublicKey.
- pubkey_attr ... name of the LDAP attribute used for SSH public keys (default is sshPublicKey).
The only required parameter is nss_base_passwd or base; the others have sensible defaults. You might want to define the uri parameter as well. These parameters can also be defined/overridden with the --bind and --uri options on the command line.
For more information about these parameters refer to ldap.conf man page.
To configure OpenSSH server to fetch users’ authorized keys from the LDAP server:
- Make sure that you have installed ssh-ldap-pubkey and ssh-ldap-pubkey-wrapper in /usr/bin with owner root and mode 0755.
- Add these two lines to /etc/ssh/sshd_config:
  AuthorizedKeysCommand /usr/bin/ssh-ldap-pubkey-wrapper
  AuthorizedKeysCommandUser nobody
- Restart sshd and check the log file to make sure there’s no problem.
Note: This method is supported by OpenSSH since version 6.2-p1 (or 5.3 on RedHat). If you have an older version and can’t upgrade, for whatever weird reason, use the openssh-lpk patch instead.
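The following is an added example (not the project’s own code) that ties the ldap.conf parameters above to what an AuthorizedKeysCommand lookup has to do: parse the configuration, combine pam_login_attribute and pam_filter into one search filter with the login name escaped per RFC 4515, and return the user’s keys. The DEFAULTS table, the function names and the constructed configuration text in the test are assumptions; python-ldap is imported only inside fetch_keys(), so the rest runs without a directory.

```python
"""Added example (not the project's code): an AuthorizedKeysCommand-style
lookup driven by the ldap.conf parameters documented above."""

# Documented defaults for the parameters this example honours (assumed table).
DEFAULTS = {
    "uri": "ldap://localhost",
    "scope": "sub",
    "pam_filter": "objectclass=posixAccount",
    "pam_login_attribute": "uid",
    "pubkey_attr": "sshPublicKey",
    "timelimit": "10",
    "ldap_version": "3",
}

def load_config(text):
    """Parse ldap.conf-style 'key value' lines; '#' starts a comment."""
    cfg = dict(DEFAULTS)
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            cfg[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return cfg

def escape_filter(value):
    """RFC 4515 escaping: a login such as 'a)(uid=*' must not rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(cfg, login):
    """AND the login assertion with pam_filter, as the parameter list describes."""
    assertion = "(%s=%s)" % (cfg["pam_login_attribute"], escape_filter(login))
    extra = cfg["pam_filter"]
    if not extra:
        return assertion
    if not extra.startswith("("):
        extra = "(%s)" % extra
    return "(&%s%s)" % (assertion, extra)

def fetch_keys(cfg, login):
    """Search the directory and return the user's public keys as strings."""
    import ldap  # python-ldap; only needed for the live lookup
    scopes = {"sub": ldap.SCOPE_SUBTREE, "one": ldap.SCOPE_ONELEVEL, "base": ldap.SCOPE_BASE}
    base = (cfg.get("nss_base_passwd") or cfg["base"]).split("?")[0]  # drop nss '?scope' suffix
    conn = ldap.initialize(cfg["uri"].split()[0])  # first URI only; no failover here
    conn.protocol_version = int(cfg["ldap_version"])
    conn.simple_bind_s(cfg.get("binddn", ""), cfg.get("bindpw", ""))  # empty DN = anonymous
    attr = cfg["pubkey_attr"]
    res = conn.search_st(base, scopes[cfg["scope"]], build_filter(cfg, login), [attr],
                         timeout=int(cfg["timelimit"]))
    return [k.decode() for _dn, entry in res for k in entry.get(attr, [])]
```

sshd expects the command to print one key per line on stdout and nothing else, so a wrapper around fetch_keys() should print the returned list and exit non-zero on any lookup error.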
Just add the openssh-lpk.schema to your LDAP server, or add an attribute named sshPublicKey to any existing schema that is already defined in people entries. That’s all.
Note: Presumably, you’ve already set up your LDAP server for centralized unix users management, i.e. you have the NIS schema and users in LDAP.
This project is licensed under MIT license.