lists.arthurdejong.org

Re: Migrating from pam-ldap

Philip, hello.

On 15 Nov 2023, at 17:16, Philip Prindeville wrote:

> Is there a how-to that covers authenticating ssh not by password, but by 
> public keys (if they're stored in LDAP)?

Not quite a howto, but the instructions are in sshd_config, if you know the 
keyword to search for them.

     AuthorizedKeysCommand
             Specifies a program to be used to look up the user's public keys.
             The program must be owned by root, not writable by group or
             others and specified by an absolute path.  Arguments to
             AuthorizedKeysCommand accept the tokens described in the TOKENS
             section.  If no arguments are specified then the username of the
             target user is used.

             The program should produce on standard output zero or more lines
             of authorized_keys output (see AUTHORIZED_KEYS in sshd(8)).
             AuthorizedKeysCommand is tried after the usual AuthorizedKeysFile
             files and will not be executed if a matching key is found there.
             By default, no AuthorizedKeysCommand is run.

You set AuthorizedKeysCommand to a program which takes a username as argument, 
and which prints zero or more lines containing (in effect) the contents of a 
.ssh/authorized_keys command.  That's a generic mechanism -- the program/script 
can get the keys from multiple places, including an LDAP directory.

There are various scripts to do this which you should be able to find on the 
web, or write.  The ones I initially found seemed fragile (if I recall 
correctly, a key stored in the directory with an inadvertent trailing space 
would mess things up).  I felt a little bit uncomfortable with a simple script 
here (probably unnecessarily) and wrote a program to do it.  But in retrospect, 
I'm sure a script would be fine.

Have fun,

Norman


-- 
Norman Gray  :  https://nxg.me.uk
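The mechanism discussed above, as an added example that is not part of the original message and not Norman's program: a hypothetical Python AuthorizedKeysCommand that takes the username as its argument, reads keys out of ldapsearch output, strips the stray whitespace the message warns about, and emits only values that are syntactically valid public keys. The attribute name sshPublicKey (from the openssh-lpk schema), the LDAP URI, the base DN and the sample directory output are all assumptions.

```python
# Hypothetical AuthorizedKeysCommand: print authorized_keys lines for the user in
# argv[1] from an LDAP attribute (assumed: sshPublicKey); junk values are dropped.
import base64, re, subprocess, sys

LDAP_URI, BASE_DN = "ldap://ldap.example.org", "ou=people,dc=example,dc=org"  # placeholders
KEY_RE = re.compile(r"^(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)) "
                    r"(?P<b64>[A-Za-z0-9+/=]+)(?: (?P<comment>.*))?$")

def normalise_key(raw):
    """Return a clean authorized_keys line, or None if the value is not a key."""
    line = " ".join(raw.split())              # collapses runs of and trailing whitespace
    m = KEY_RE.match(line)
    if not m:
        return None
    try:
        blob = base64.b64decode(m["b64"], validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return None
    t = m["type"].encode()                    # wire format: first string repeats the type
    return line if blob[:4 + len(t)] == len(t).to_bytes(4, "big") + t else None

def keys_from_ldif(ldif, attr="sshPublicKey"):
    """Parse ldapsearch -LLL output: unfold continuation lines and decode the '::'
    base64 form LDIF uses for values with leading or trailing spaces."""
    values = []
    for line in ldif.replace("\n ", "").splitlines():
        if line.startswith(attr + ":: "):
            values.append(base64.b64decode(line[len(attr) + 3:]).decode("utf-8", "replace"))
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:])
    return [k for k in map(normalise_key, values) if k]

def ldap_filter_escape(s):
    """RFC 4515 escaping so the login name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in s)
def _wire(key_type, payload):   # base64 of string(type) string(payload): the SSH blob layout
    return base64.b64encode(b"".join(len(b).to_bytes(4, "big") + b
                                     for b in (key_type.encode(), payload))).decode()

# Constructed ldapsearch output: a good key, the same key stored with a trailing
# space (so LDIF base64-encodes it), a blob whose type does not match, and junk.
GOOD = "ssh-ed25519 %s alice@laptop" % _wire("ssh-ed25519", bytes(range(32)))
SAMPLE_LDIF = ("sshPublicKey: " + GOOD + "\n"
               "sshPublicKey:: " + base64.b64encode((GOOD + " ").encode()).decode() + "\n"
               "sshPublicKey: ssh-ed25519 bm90YWtleQ== mallory\n"
               "sshPublicKey: not a key at all\n")
if __name__ == "__main__":
    out = subprocess.run(["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-b", BASE_DN,
                          "(uid=%s)" % ldap_filter_escape(sys.argv[1]), "sshPublicKey"],
                         capture_output=True, text=True, check=True).stdout
    print("\n".join(keys_from_ldif(out)))
```

Install it root-owned and not group/other-writable, then set `AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u` (hypothetical path) together with a dedicated, unprivileged `AuthorizedKeysCommandUser` in sshd_config.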