OpenSSH 6.2.x and LDAP authentication


Since the release of OpenSSH 6.2, two new configuration parameters have been added:

  • AuthorizedKeysCommand
  • AuthorizedKeysCommandUser

These parameters allow to create any kind of authentication method for OpenSSH, including LDAP authentication, and therefore patches like the LPK patch for OpenSSH are not required anymore.
The only thing the script needs to do is return either an empty string or the public key of the user.

In our example below, we have created an extra check which will verify if a user is in a certain group.
The script is a very simple Bash script and can be rewritten to any kind of script or program, important is what it returns to STDOUT.

# $Id: ldap_ssh_key.sh 138 2013-09-14 08:24:39Z jmorano $
# Check if the user is in the right group 
#  and afterwards retrieve the SSH public key from LDAP
# Logs directly in Syslog
# sshd_config for OpenSSH 6.2 or higher:
#  AuthorizedKeysCommand /usr/local/bin/ldap_keys.sh
#  AuthorizedKeysCommandUser nobody


# load local configuration if available
if [ -f /etc/example/ldap.cfg ]; then
    . /etc/example/ldap.cfg


if id "${SSH_USER}" | egrep -q "${ALLOWED_GROUP}";
	logger -t sshd -p info "User $SSH_USER is a member of the group"
	logger -t sshd -p warn "User $SSH_USER is not allowed to log in, access denied"
	exit 0

KEY=$(ldapsearch -o ldif-wrap=no -S sshPublicKey -c -h "${LDAP_SERVER}" -b "${BASE_DN}" -x -LLL "uid=${SSH_USER}" sshPublicKey | grep -v 'dn:' | perl -pe 's/sshPublicKey: //;')

logger -t sshd -p info "Sent LDAP SSH public key for user $SSH_USER"
echo "${KEY}"

  1. Hi,

    What prerequisites are required for this to work, I assume I need some kind of ldap application installing for the queries to the LDAP server to work?


    1. Really? I have it like this:

      root@machine01:~ # grep Authorized /etc/ssh/sshd_config 
      AuthorizedKeysCommand /usr/bin/ldap_ssh_key.sh
      AuthorizedKeysCommandUser nobody
      root@machine01:~ # ls -ltr /usr/bin/ldap_ssh_key.sh
      -rwxr-xr-x 1 root root 1077 Jun  6 10:06 /usr/bin/ldap_ssh_key.sh
      root@machine01:~ # uname -a
      Linux machine01 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u1 x86_64 GNU/Linux
      root@machine01:~ # 

      Works fine …

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Previous Post

Secure Password Generator in Perl

Next Post

A simple TCP server written in Perl

Related Posts