Since the release of OpenSSH 6.2, two new configuration parameters have been added:
- AuthorizedKeysCommand
- AuthorizedKeysCommandUser
These parameters allow any kind of authentication method to be built for OpenSSH, including LDAP authentication, so patches like the LPK patch for OpenSSH are no longer required.
The only thing the script needs to do is return either an empty string or the public key of the user.
In our example below, we have added an extra check that verifies whether the user is a member of a certain group.
The script is a very simple Bash script and can be rewritten as any kind of script or program; what matters is what it writes to STDOUT.
#!/bin/bash
# $Id: ldap_ssh_key.sh 138 2013-09-14 08:24:39Z jmorano $
#
# Check if the user is in the right group
# and afterwards retrieve the SSH public key from LDAP
# Logs directly in Syslog
#
#
# sshd_config for OpenSSH 6.2 or higher:
#
# AuthorizedKeysCommand /usr/local/bin/ldap_keys.sh
# AuthorizedKeysCommandUser nobody
#
LDAP_SERVER="ldap-server"
BASE_DN="ou=users,dc=company,dc=example,dc=com"
ALLOWED_GROUP="6667"

# load local configuration if available
if [ -f /etc/example/ldap.cfg ]; then
    . /etc/example/ldap.cfg
fi

# sshd passes the login name as the only argument
SSH_USER=$1

# exact match against the user's numeric gid list; matching the plain
# output of `id` with egrep would also accept "6667" inside e.g. 16667
if id -G "${SSH_USER}" | tr ' ' '\n' | grep -qx "${ALLOWED_GROUP}"; then
    logger -t sshd -p info "User $SSH_USER is a member of the group"
else
    logger -t sshd -p warn "User $SSH_USER is not allowed to log in, access denied"
    echo
    exit 0
fi

# fetch the sshPublicKey attribute(s) of the user and strip the attribute name
KEY=$(ldapsearch -o ldif-wrap=no -S sshPublicKey -c -h "${LDAP_SERVER}" -b "${BASE_DN}" -x -LLL "uid=${SSH_USER}" sshPublicKey | grep -v 'dn:' | perl -pe 's/sshPublicKey: //;')
logger -t sshd -p info "Sent LDAP SSH public key for user $SSH_USER"
echo "${KEY}"
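The same AuthorizedKeysCommand contract, broken into testable pieces, as an added example that is not the post's script: the login name sshd passes is validated before it can reach an LDAP filter, the group test is an exact gid match, and the key extraction keeps every sshPublicKey value of the entry. The function names, the gid 6667 default and the LDIF produced by stub_ldif are constructed for this example; in a real deployment stub_ldif is replaced by a function that runs ldapsearch as the post's script does.

```shell
#!/bin/sh
# Added example (not the post's script): an AuthorizedKeysCommand helper split
# into functions so it can be exercised without an LDAP server. All names and
# the sample LDIF below are constructed for this example.

# sshd passes the login name as the only argument. Reject anything outside a
# conservative login-name alphabet before it is placed in an LDAP filter, so
# a value like 'alice)(uid=*' never becomes part of the search.
valid_login() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9._-]{0,31}$'
}

# Exact numeric-gid membership: `id -G` prints every gid of the user separated
# by spaces, so a whole-line match cannot be satisfied by 16667 when 6667 is
# required. A non-existent user yields no output and therefore no match.
in_group() {
    id -G "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Extract the values of the sshPublicKey attribute from LDIF on stdin, one key
# per line; dn:, uid: and blank lines are dropped, every key of the entry kept.
keys_from_ldif() {
    sed -n 's/^sshPublicKey: //p'
}

# Best-effort syslog, falling back to stderr when no syslog socket is reachable.
log_auth() {
    logger -t sshd -p auth.info -- "$*" 2>/dev/null || printf 'sshd: %s\n' "$*" >&2
}

# Constructed stand-in for `ldapsearch -LLL ... "uid=$1" sshPublicKey`: it
# fabricates a two-key entry for whichever login name is requested.
stub_ldif() {
    printf 'dn: uid=%s,ou=users,dc=company,dc=example,dc=com\n' "$1"
    printf 'sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKey1 %s@laptop\n' "$1"
    printf 'sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EConstructedKey2 %s@desk\n' "$1"
    printf 'uid: %s\n' "$1"
}

# The AuthorizedKeysCommand contract: print the user's keys and exit 0 on
# success, print nothing and still exit 0 otherwise. $3 names the function
# that produces the user's LDIF (stub_ldif here, an ldapsearch wrapper in
# production).
authorized_keys_for() {
    ak_user=$1 ak_gid=$2 ak_source=$3
    if ! valid_login "$ak_user"; then
        log_auth "refusing key lookup for malformed login name"
        return 0
    fi
    if ! in_group "$ak_user" "$ak_gid"; then
        log_auth "user $ak_user is not in gid $ak_gid, no keys returned"
        return 0
    fi
    log_auth "returning LDAP SSH public keys for user $ak_user"
    "$ak_source" "$ak_user" | keys_from_ldif
}

# Stand-alone use mirrors sshd's call: the login name as the only argument.
if [ -n "$1" ]; then
    authorized_keys_for "$1" "${ALLOWED_GROUP:-6667}" stub_ldif
fi
```

Two properties of sshd matter when wiring a script like this in with AuthorizedKeysCommand: the file must be specified by an absolute path, be owned by root and not be writable by group or others, and its output is only consulted when the command exits 0, which is why the deny branches above return 0 with nothing on stdout rather than a non-zero status.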
Hi,
What prerequisites are required for this to work? I assume I need some kind of LDAP application installed for the queries to the LDAP server to work?
Thanks
Hi,
Plain ldap-utils 😉
Thanks, is there anything to configure within them once installed?
The other thing is, what's:
ALLOWED_GROUP="6667" ?
This allows only users that are in a certain group 😉
Where do I make these changes? Is it the LDAP server on the client machines?
Hi,
On the SSH server 😉
Thanks. You are the best. It has just worked like a charm!
To work on Debian 7, it must be set to
AuthorizedKeysCommandUser root
I tried with nobody and got errors
Really? I have it like this:
Works fine …