Update LDAP to include the OpenSSH-LPK schema
We first need to update LDAP with a schema to add the sshPublicKey
attribute for users:
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
DESC 'MANDATORY: OpenSSH Public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
DESC 'MANDATORY: OpenSSH LPK objectclass'
MAY ( sshPublicKey $ uid )
)
Create a script that queries LDAP for a user’s public key:
The script should output the public keys for that user, example:
ldapsearch '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
Update sshd_config
to point to the script from the previous step
AuthorizedKeysCommand /path/to/script
AuthorizedKeysCommandUser nobody
Bonus: Update sshd_config
to allow password authentication from internal RFC1918 networks as seen in this question:
Only allow password authentication to SSH server from internal network
Useful links:
- https://github.com/AndriiGrytsenko/openssh-ldap-publickey
- Private key authentication with pam_ldap
EDIT: Added user nobody
as suggested TRS-80