Product
Introducing License Enforcement in Socket
Ensure open-source compliance with Socket’s License Enforcement Beta. Set up your License Policy and secure your software!
This project provides an utility to manage SSH public keys stored in LDAP and also a script for OpenSSH server to load authorized keys from LDAP.
When you have dozen of servers it becomes difficult to manage your authorized keys. You have to
copy all your public keys to ~/.ssh/authorized_keys
on every server you want to login to. And
what if you someday change your keys?
It’s a good practice to use some kind of a centralized user management, usually an LDAP server. There you have user’s login, uid, e-mail, … and password. What if we could also store public SSH keys on LDAP server? With this utility it’s easy as pie.
If you need just a lightweight utility for OpenSSH server to load authorized keys from LDAP,
then you can use ssh-getkey-ldap written in Lua
or this one written in POSIX shell
(but it requires ldapsearch
utility and may not work well on some systems).
You can install both Python modules from PyPI. python-ldap requires additional system dependencies – OpenLDAP. Refer to Stack Overflow for distribution-specific information.
pip install ssh-ldap-pubkey
apk add ssh-ldap-pubkey
Note: The package is currently in the (official) community repository; make sure that you have community in /etc/apk/repositories
.
List SSH public keys stored in LDAP for the current user:
ssh-ldap-pubkey list
List SSH public keys stored in LDAP for the specified user:
ssh-ldap-pubkey list -u flynn
Add the specified SSH public key for the current user to LDAP:
ssh-ldap-pubkey add ~/.ssh/id_rsa.pub
Remove SSH public key(s) of the current user that matches the specified pattern:
ssh-ldap-pubkey del flynn@grid
Specify LDAP URI and base DN on command line instead of configuration file:
ssh-ldap-pubkey list -b ou=People,dc=encom,dc=com -H ldaps://encom.com -u flynn
As the LDAP manager, add SSH public key to LDAP for the specified user:
ssh-ldap-pubkey add -D cn=Manager,dc=encom,dc=com -u flynn ~/.ssh/id_rsa.pub
Show help for other options:
ssh-ldap-pubkey --help
Configuration is read from /etc/ldap.conf — file used by LDAP nameservice switch library and the LDAP PAM module. An example file is included in etc/ldap.conf. The following subset of parameters are used:
ldap://localhost
.pam_login_attribute=<login>
). Default is
objectclass=posixAccount.ldaps://
), leave this empty.ldapPublicKey
.sshPublicKey
).The only required parameter is nss_base_passwd or base, others have sensitive defaults. You
might want to define uri parameter as well. These parameters can be also defined/overriden
with --bind
and --uri
options on command line.
For more information about these parameters refer to ldap.conf man page.
To configure OpenSSH server to fetch users’ authorized keys from LDAP server:
Make sure that you have installed ssh-ldap-pubkey and ssh-ldap-pubkey-wrapper in
/usr/bin
with owner root
and mode 0755
.
Add these two lines to /etc/ssh/sshd_config:
AuthorizedKeysCommand /usr/bin/ssh-ldap-pubkey-wrapper
AuthorizedKeysCommandUser nobody
Restart sshd and check log file if there’s no problem.
Note: This method is supported by OpenSSH since version 6.2-p1 (or 5.3 onRedHat). If you have an older version and can’t upgrade, for whatever weird reason, use openssh-lpk patch instead.
Just add the openssh-lpk.schema to your LDAP server, or add an attribute named sshPublicKey
to any existing schema which is already defined in people entries. That’s all.
Note: Presumably, you’ve already set up your LDAP server for centralized unix users management, i.e. you have the NIS schema and users in LDAP.
This project is licensed under MIT license.
FAQs
Utility to manage SSH public keys stored in LDAP.
We found that ssh-ldap-pubkey demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Product
Ensure open-source compliance with Socket’s License Enforcement Beta. Set up your License Policy and secure your software!
Product
We're launching a new set of license analysis and compliance features for analyzing, managing, and complying with licenses across a range of supported languages and ecosystems.
Product
We're excited to introduce Socket Optimize, a powerful CLI command to secure open source dependencies with tested, optimized package overrides.