OpenSSH 6.2.x and LDAP authentication

OpenSSH 6.2 added two new sshd_config parameters:

  • AuthorizedKeysCommand
  • AuthorizedKeysCommandUser

These parameters let sshd fetch a user's authorized keys from any external source, LDAP included, so patches such as the LPK patch for OpenSSH are no longer required. The command only supplies keys: the login still goes through the normal publickey method, and the account itself must still resolve through NSS (nss_ldap, sssd or similar), because sshd looks the user up before the command is run. sshd calls the command with the login name as its only argument and expects on STDOUT either nothing (no keys, access denied) or the user's public key(s) in authorized_keys format, one per line. The program must be owned by root, not writable by group or others and given as an absolute path, and AuthorizedKeysCommandUser must be set or sshd refuses to start.

In the example below, an extra check verifies that the user is a member of a particular group before the key is looked up.
The script is a very simple Bash script and can be rewritten in any language; what matters is what it writes to STDOUT.

#!/bin/bash
# $Id: ldap_ssh_key.sh 138 2013-09-14 08:24:39Z jmorano $
#
# Check if the user is in the right group
#  and afterwards retrieve the SSH public key from LDAP.
# Logs directly to syslog.
#
# sshd_config for OpenSSH 6.2 or higher:
#
#  AuthorizedKeysCommand /usr/local/bin/ldap_keys.sh
#  AuthorizedKeysCommandUser nobody
#
# The script must be owned by root and not writable by group or others,
# otherwise sshd refuses to run it.

LDAP_SERVER="ldap-server"
BASE_DN="ou=users,dc=company,dc=example,dc=com"
ALLOWED_GROUP="6667"

# load local configuration if available
if [ -f /etc/example/ldap.cfg ]; then
    . /etc/example/ldap.cfg
fi

# Use LDAPS unless the configuration sets LDAP_URI itself: over plain
# ldap:// an on-path attacker could substitute the key sshd then trusts.
LDAP_URI="${LDAP_URI:-ldaps://${LDAP_SERVER}}"

SSH_USER=$1

# sshd hands over the login name before any authentication; accept only a
# plain login name so nothing unexpected reaches the LDAP filter below.
case "${SSH_USER}" in
    ''|-*|*[!a-zA-Z0-9._-]*)
        logger -t sshd -p warn "Rejected malformed login name, access denied"
        exit 1 ;;
esac

# Exact match against the GID list from id -G, not a substring grep over
# id(1) output, which would also match GID 16667 or a uid containing 6667.
if id -G "${SSH_USER}" 2>/dev/null | tr ' ' '\n' | grep -qx "${ALLOWED_GROUP}";
then
	logger -t sshd -p info "User $SSH_USER is a member of the group"
else
	logger -t sshd -p warn "User $SSH_USER is not allowed to log in, access denied"
	exit 0
fi

# Anonymous bind (-x), unwrapped LDIF (-o ldif-wrap=no) so long keys stay on
# one line; every sshPublicKey value becomes one authorized_keys line.
KEY=$(ldapsearch -o ldif-wrap=no -x -LLL -H "${LDAP_URI}" -b "${BASE_DN}" \
        "(uid=${SSH_USER})" sshPublicKey | sed -n 's/^sshPublicKey: //p')

logger -t sshd -p info "Sent LDAP SSH public key for user $SSH_USER"
echo "${KEY}"
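The script above has to get three things right: the login name it receives is untrusted, the group test must be an exact match, and the LDIF from ldapsearch must be turned into authorized_keys lines. The following is an added example, not the post's script, that isolates those three pieces as shell functions so they can be exercised without an LDAP server; the group number, the login names, the LDAP URI and the LDIF text (including the key material) are constructed sample data, and the `id -G`/`ldapsearch` wiring at the end only runs when a login name is passed on the command line, as sshd would do.

```shell
#!/bin/sh
# Added example (not the script from the post): the checks an
# AuthorizedKeysCommand helper must get right, as testable functions.
# ALLOWED_GROUP, the names and the LDIF below are constructed sample data.

ALLOWED_GROUP="6667"

# sshd passes the requested login name as $1 *before* the client has
# proven anything, so treat it as attacker input: accept only plain
# POSIX login names, which keeps filter metacharacters such as "*",
# "(" and ")" out of the (uid=...) search filter.
valid_login_name() {
    case "$1" in
        ''|-*|*[!a-zA-Z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Exact match against a space-separated GID list (the format of `id -G`).
# A substring grep over id(1) output would also match GID 16667 or a
# uid/gid that merely contains the digits.
in_group() {   # $1 = gid list, $2 = required gid
    for gid in $1; do
        [ "$gid" = "$2" ] && return 0
    done
    return 1
}

# Convert `ldapsearch -LLL -o ldif-wrap=no` output into authorized_keys
# lines: drop dn: and blank lines, strip the attribute name, and keep
# every value so a user with several keys gets all of them.
ldif_to_keys() {
    sed -n 's/^sshPublicKey: //p'
}

# The full decision: anything but "valid name, right group" yields no
# output and a non-zero exit, both of which sshd treats as "no keys".
authorized_keys_for() {   # $1 = login name, $2 = gid list, $3 = LDIF text
    valid_login_name "$1" || return 1
    in_group "$2" "$ALLOWED_GROUP" || return 1
    printf '%s\n' "$3" | ldif_to_keys
}

# Constructed ldapsearch output for a user with two keys (not real keys).
SAMPLE_LDIF='dn: uid=alice,ou=users,dc=company,dc=example,dc=com
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE alice@laptop
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEYTWO alice@desktop'

# Wiring for real use (only when a login name is given, as sshd does):
# membership comes from NSS via id -G, the keys from an LDAPS search.
# The URI and base DN are assumed values; adjust them for the site.
if [ "$#" -gt 0 ]; then
    valid_login_name "$1" || exit 1
    LDAP_URI="ldaps://ldap-server"
    BASE_DN="ou=users,dc=company,dc=example,dc=com"
    authorized_keys_for "$1" "$(id -G "$1" 2>/dev/null)" \
        "$(ldapsearch -o ldif-wrap=no -x -LLL -H "$LDAP_URI" -b "$BASE_DN" \
            "(uid=$1)" sshPublicKey 2>/dev/null)"
fi
```

Invoked as `ldap_keys.sh alice`, the wiring block prints alice's keys only if the name passes validation and NSS reports the required GID; an unknown user makes `id -G` print nothing, so the group test fails and nothing is emitted.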

OpenSSH 6.2.x and LDAP authentication — 11 Comments

  1. Hi,

    What prerequisites are required for this to work? I assume I need some kind of LDAP application installed for the queries to the LDAP server to work?

    Thanks

  2. Pingback: Setting up a script on Arch Linux that returns the public key stored in LDAP for AuthorizedKeysCommand | netanote.com

    • Really? I have it like this:

      root@machine01:~ # grep Authorized /etc/ssh/sshd_config 
      AuthorizedKeysCommand /usr/bin/ldap_ssh_key.sh
      AuthorizedKeysCommandUser nobody
      root@machine01:~ # ls -ltr /usr/bin/ldap_ssh_key.sh
      -rwxr-xr-x 1 root root 1077 Jun  6 10:06 /usr/bin/ldap_ssh_key.sh
      root@machine01:~ # uname -a
      Linux machine01 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u1 x86_64 GNU/Linux
      root@machine01:~ # 
      

      Works fine …
