Re: Migrating from pam-ldap

> On Nov 15, 2023, at 10:34 AM, Norman Gray <gray@nxg.name> wrote:
> 
> 
> Philip, hello.
> 
> On 15 Nov 2023, at 17:16, Philip Prindeville wrote:
> 
>> Is there a how-to that covers authenticating Ssh not by password, but by 
>> public keys (if they're stored in LDAP)?
> 
> Not quite a howto, but the instructions are in sshd_config, if you know the 
> keyword to search for them.
> 
>     AuthorizedKeysCommand
>             Specifies a program to be used to look up the user's public keys.
>             The program must be owned by root, not writable by group or
>             others and specified by an absolute path.  Arguments to
>             AuthorizedKeysCommand accept the tokens described in the TOKENS
>             section.  If no arguments are specified then the username of the
>             target user is used.
> 
>             The program should produce on standard output zero or more lines
>             of authorized_keys output (see AUTHORIZED_KEYS in sshd(8)).
>             AuthorizedKeysCommand is tried after the usual AuthorizedKeysFile
>             files and will not be executed if a matching key is found there.
>             By default, no AuthorizedKeysCommand is run.
> 
> You set AuthorizedKeysCommand to a program which takes a username as 
> argument, and which prints zero or more lines containing (in effect) the 
> contents of a .ssh/authorized_keys command.  That's a generic mechanism -- 
> the program/script can get the keys from multiple places, including an LDAP 
> directory.
> 
> There are various scripts to do this which you should be able to find on the 
> web, or write.  The ones I initially found seemed fragile (if I recall 
> correctly, a key stored in the directory with an inadvertent trailing space, 
> would mess things up).  I felt a little bit uncomfortable with a simple 
> script here (probably unnecessarily) and wrote a program to do it.  But in 
> retrospect, I'm sure a script would be fine.
> 
> Have fun,
> 
> Norman


Thanks for pointing me at that.  Despite having banged on sshd for years 
(including adding DSCP support and a NetConf subsystem) I'd completely ignored 
the AuthorizedKeysCommand!

-Philip
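As an added example (not Norman's program and not code from the thread), here is an AuthorizedKeysCommand helper of the shape Norman describes: it takes the login name as its argument and prints zero or more authorized_keys lines fetched from LDAP, covering the trailing-space case he mentions (LDIF base64-encodes such values, which is where naive scripts went wrong) and escaping the username before it goes into the search filter. It assumes the openssh-lpk `sshPublicKey` attribute, a base DN of `ou=people,dc=example,dc=org`, an `ldapsearch` configured via ldap.conf, and a hypothetical install path of `/usr/local/sbin/ldap-keys`.

```python
"""AuthorizedKeysCommand helper that fetches a user's keys from LDAP. Assumes the
openssh-lpk schema (sshPublicKey), ldapsearch(1) set up via ldap.conf and sshd_config
'AuthorizedKeysCommand /usr/local/sbin/ldap-keys %u' (hypothetical path); root-owned, 0755."""
import base64
import re
import subprocess
import sys

BASE_DN = "ou=people,dc=example,dc=org"  # assumption: adjust to your directory
KEY_ATTR = "sshPublicKey"                 # assumption: openssh-lpk schema
KEY_RE = re.compile(r"^(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))"
                    r" [A-Za-z0-9+/]+=*(?: \S.*)?$")  # type, blob, optional comment
# Constructed ldapsearch -LLL output; the '::' value is base64 because it ends in
# a space (LDIF requires that) and decodes to "ssh-rsa AAAA k ".
SAMPLE_LDIF = ("dn: uid=alice,ou=people,dc=example,dc=org\n"
               "sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKey00000 alice@laptop\n"
               "sshPublicKey:: c3NoLXJzYSBBQUFBIGsg\n"
               "sshPublicKey: not a key\n")

def escape_filter(value):
    """RFC 4515 escaping so a crafted login name cannot widen the search filter."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) or ch in "._-@"
                   else "".join("\\%02x" % b for b in ch.encode("utf-8"))
                   for ch in value)

def parse_ldif_keys(ldif):
    """Unfold LDIF continuation lines, decode '::' base64 values (the trailing-space
    case that tripped naive scripts), trim whitespace, keep only well-formed keys."""
    keys = []
    for line in re.sub(r"\n ", "", ldif).splitlines():
        if not line.startswith(KEY_ATTR + ":"):
            continue
        rest = line[len(KEY_ATTR) + 1:]
        if rest.startswith(":"):
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        value = " ".join(rest.split())  # strips leading/trailing/doubled spaces
        if KEY_RE.match(value):
            keys.append(value)
    return keys

def lookup_keys(username):
    """Query the directory; a non-zero ldapsearch exit yields no keys (fail closed)."""
    flt = "(&(objectClass=posixAccount)(uid=%s))" % escape_filter(username)
    proc = subprocess.run(["ldapsearch", "-LLL", "-x", "-b", BASE_DN, flt, KEY_ATTR],
                          capture_output=True, text=True, check=False)
    return parse_ldif_keys(proc.stdout) if proc.returncode == 0 else []

if __name__ == "__main__":  # sshd runs this with the login name as argv[1]
    for key in lookup_keys(sys.argv[1]):
        print(key)
```

Running `parse_ldif_keys(SAMPLE_LDIF)` offline shows the two valid keys emitted with the trailing space removed and the malformed value dropped.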