How to Set Up Secure Shell User Authentication From Public Keys Stored in LDAP

Language:

The following procedure enables the user's public key to be retrieved from the LDAP server. The user must have a public/private key pair.

Before You Begin

You have configured LDAP as the system name service for user accounts. For information, see the ldapclient (8) man page.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

Modify the Secure Shell server with two new keywords.
Add the AuthorizedKeysCommand and AuthorizedKeysCommandUser entries to the /etc/ssh/sshd_config configuration file. For example:
```
#
	# This is the sshd server system-wide configuration file.  See
	# sshd_config(5) for more information.
	#
	...
	AuthorizedKeysCommand /usr/lib/ssh/ssh-pubkey-ldap
	AuthorizedKeysCommandUser daemon
```
Note - In configurations where read access to the LDAP server is tightly controlled, you might need to specify root rather than daemon as the value of AuthorizedKeysCommandUser.

If a key supplied by the AuthorizedKeysCommand keyword does not successfully authenticate the user, then public key authentication continues by using the usual AuthorizedKeysFile setting or the default keys files. For more information, see the ssh-pubkey-ldap (8) man page.
Modify the LDAP server to accept user queries from the Secure Shell server.
1. Make sure that your LDAP configuration file includes entries that enable connections from Secure Shell.
  Your /etc/openldap/ldap.conf file must point to the appropriate LDAP servers. Also, your OpenSSH server must be a client of those LDAP systems. For example:
```
#
# LDAP Defaults
#
...
BASE	dc=example,dc=com
URI	ldap://ldap.example.com
```
2. Add the following sshPublicKey entries to the /etc/openldap/slapd.conf file.
```
-------------------------------------- # octetString SYNTAX
	attributetype (
		1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC
		'MANDATORY: OpenSSH Public key' EQUALITY
		octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

	# printableString SYNTAX yes|no
	objectclass ( 
		1.3.6.1.4.1.24552.500.1.1.2.0 
		NAME 'ldapPublicKey'
		SUP top 
		AUXILIARY
		DESC 'MANDATORY: OpenSSH LPK objectclass'
		MUST uid
		MAY sshPublicKey )
```
  sshPublicKey is the name of the default ssh public key attribute name for the LDAP schema.
  
  Tip - If your OpenLDAP server already has an LDAP public key object and an attribute name is defined, then create an attribute alias from its name to sshPublicKey.
3. Restart slapd to load the changes.
```
$ svcadm restart slapd
```
Add users' public keys to their LDAP attributes.
For example, add jdoe's Secure Shell public key to the LDAP server:
1. Create an LDIF file called jdoe_publickey.ldif with the following content:
```
dn: cn=jdoe,ou=People,dc=oracle,dc=com
changeType: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
ssh-rsa AAAAB3NKey [email protected]
```
2. Add the LDIF file to the LDAP server configuration.
  Use the LDAP protocol that connects you to your OpenLDAP server, in this instance, ldap://:
```
$ ldapmodify -a -x -D "cn=admin,dc=example,dc=com" -w <password> -H \
           ldap:// -f jdoe_publickey.ldif
```
(Optional) Test that jdoe can successfully authenticate to Secure Shell.
1. On the user's system, ensure that the public key for LDAP is not present in the user's authorized_keys file.
```
# mv /home/jdoe/.ssh/authorized_keys /home/jdoe/.ssh/dontuse_authorized_keys
```
2. Test jdoe's Secure Shell connection.
```
jdoe$ ssh
```