SSH with LDAP authentication (ActiveDirectory) and ssh keys stored in AD
The best option here is to use sssd for this purpose. I use the AltSecurityIdentities attribute to store the keys and join the servers to the domain using realmd.
Once domain joined, add the following to the /etc/sssd/sssd.conf file under the [domain/] section:
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True
and under the [sssd] section add:
services = nss, pam, sudo, ssh
Then to the /etc/ssh/sshd_config add:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
Restart both services, and you should be able to log in using your AD username and the password stored in the AltSecurityIdentities extended attribute in AD.
matll42
Updated on September 18, 2022
Comments
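As an added example (not the answerer's configuration and not part of sssd or OpenSSH), the POSIX shell script below checks an sssd.conf and an sshd_config for the settings listed in the answer: the ssh public key attribute under [domain/...], the matching ldap_user_extra_attrs entry, ssh in the [sssd] services list, and the AuthorizedKeysCommand pair in sshd_config. It writes constructed sample files to a temporary directory so it runs offline; the section name domain/example.com, the file names and the "bad" variant are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the answer above): check that sssd.conf and
# sshd_config carry the settings the answer lists. Constructed sample files are
# written to a temp dir so this runs offline; on a real host call the check
# functions on /etc/sssd/sssd.conf and /etc/ssh/sshd_config instead.

# Print the value of KEY in the first [SECTION...] of an ini-style file.
# SECTION is matched as a prefix, so "domain/" matches any [domain/xxx].
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            insect = (index(s, sect) == 1); next
        }
        insect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# Verify the [domain/...] and [sssd] settings; prints each problem, returns the count.
check_sssd_conf() {
    bad=0
    attr=$(ini_get "$1" "domain/" ldap_user_ssh_public_key)
    [ -n "$attr" ] || { echo "ldap_user_ssh_public_key not set in [domain/...]"; bad=$((bad + 1)); }
    extra=$(ini_get "$1" "domain/" ldap_user_extra_attrs)
    case "$extra" in
        *"$attr"*) ;;   # the key attribute must also be fetched as an extra attribute
        *) echo "ldap_user_extra_attrs does not include '$attr'"; bad=$((bad + 1)) ;;
    esac
    svc=$(ini_get "$1" sssd services | tr -d ' ')
    case ",$svc," in
        *,ssh,*) ;;
        *) echo "'ssh' missing from services (got '$svc')"; bad=$((bad + 1)) ;;
    esac
    return $bad
}

# sshd keywords are case-insensitive and the first occurrence wins.
sshd_get() { awk -v k="$2" 'tolower($1) == k { print $2; exit }' "$1"; }

check_sshd_config() {
    bad=0
    cmd=$(sshd_get "$1" authorizedkeyscommand)
    [ "$cmd" = /usr/bin/sss_ssh_authorizedkeys ] \
        || { echo "AuthorizedKeysCommand is '${cmd:-unset}'"; bad=$((bad + 1)); }
    usr=$(sshd_get "$1" authorizedkeyscommanduser)
    [ -n "$usr" ] || { echo "AuthorizedKeysCommandUser not set"; bad=$((bad + 1)); }
    # sshd also requires the command to be owned by root and not writable by others.
    [ -z "$cmd" ] || [ -x "$cmd" ] || echo "note: $cmd is not present/executable on this host"
    return $bad
}

# Constructed sample files (assumed domain name example.com).
tmp=$(mktemp -d "${TMPDIR:-/tmp}/sssd-check.XXXXXX")
trap 'rm -rf "$tmp"' EXIT
GOOD_SSSD=$tmp/sssd.conf; BAD_SSSD=$tmp/sssd-bad.conf; GOOD_SSHD=$tmp/sshd_config
cat >"$GOOD_SSSD" <<'EOF'
[sssd]
domains = example.com
services = nss, pam, sudo, ssh

[domain/example.com]
id_provider = ad
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True
EOF
# "Bad" variant: ssh service dropped and the extra attribute not fetched.
sed -e 's/, ssh$//' -e '/ldap_user_extra_attrs/d' "$GOOD_SSSD" >"$BAD_SSSD"
cat >"$GOOD_SSHD" <<'EOF'
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
EOF

for f in "$GOOD_SSSD" "$BAD_SSSD"; do
    if check_sssd_conf "$f"; then echo "$f: OK"; else echo "$f: problems found"; fi
done
if check_sshd_config "$GOOD_SSHD"; then echo "$GOOD_SSHD: OK"; fi
```

The check for ldap_user_extra_attrs matters because sssd only hands sss_ssh_authorizedkeys attributes it has actually fetched; the ssh entry in services is what starts the responder the command talks to.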
-
matll42 over 1 year
Environment: Ubuntu 14.04 & 16.04 servers, Active Directory on Windows Server 2016, Ubuntu 14.04 & 16.04 clients. Ubuntu servers and clients are not on the domain.
Hello everyone,
I'm a little lost with all the ways to achieve LDAP authentication for SSH, and I can't find a suitable one for me.
My wish: I want to connect to my servers by logging in with "sAMAccount@serverIP"; my SSH keys are stored in my AD (new field added as odiSSHPubKeys). My server communicates well with my AD (ldapsearch query). I achieved that by updating my sshd_config:
/etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/auth
AuthorizedKeysCommandUser root
/usr/bin/auth
#!/bin/bash
# sshd passes the login name as the first argument
cn=$1
server=ldap.myad.net        # Put your server IP
basedn=dc=mydomain,dc=net   # Put your basedn
port=389
bindUser=myBindUser
bindPass=myBindUserPassword
#cn=mathieu
# Look the account up by sAMAccountName and print only the odiSSHPubKeys values
ldapsearch -LLL -o ldif-wrap=no -x -h "$server" -p "$port" -b "$basedn" -D "$bindUser" -w "$bindPass" -s sub "(sAMAccountName=$cn)" \
  | sed -n 's/^[ \t]*odiSSHPubKeys:[ \t]*\(.*\)/\1/p'
When I connect to [email protected], I'm kicked by preauth:
/var/log/auth.log
Apr 18 11:56:26 MLL-HV-UBU-16 sshd[9103]: Invalid user mathieu from 192.168.0.114
Apr 18 11:56:26 MLL-HV-UBU-16 sshd[9103]: input_userauth_request: invalid user mathieu [preauth]
Apr 18 11:56:26 MLL-HV-UBU-16 sshd[9103]: Connection closed by 192.168.0.114 port 50152 [preauth]
So my problem is that "mathieu" doesn't exist as a user on my Ubuntu server. I tried forcing my cn in my /usr/bin/auth and logging in with the root account ([email protected]) and it works, so my /usr/bin/auth is good.
How can I disable the preauth check to let LDAP work?
PS: I don't want login/password authentication (for that solution there are a lot of tutorials, but not many for SSH keys, or only old ones).
Thanks for your help
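The auth.log lines in the question show where the attempt actually stops: sshd resolves the login name through NSS (getpwnam) before it tries any authentication method, and it only runs AuthorizedKeysCommand for names that resolve, so a name unknown to the host fails at preauth no matter what the command would return. As an added example that is not the poster's script, the POSIX shell snippet below pulls the "Invalid user" events out of constructed auth.log lines (copies of the three above) and reports whether each name resolves on the host it runs on; the function names are my own.

```shell
#!/bin/sh
# Added example (not the poster's code): triage "Invalid user" preauth failures
# like the ones in the question. sshd resolves the login name with getpwnam()
# before any authentication method runs, and AuthorizedKeysCommand is only
# executed for names that resolve, so a name unknown to NSS fails exactly this
# way regardless of what the command would print.

# Pull "<name> <source-ip>" out of sshd "Invalid user" lines read from stdin.
invalid_users() {
    sed -n 's/.*sshd\[[0-9]*\]: Invalid user \([^ ][^ ]*\) from \([0-9A-Fa-f:.]*\).*/\1 \2/p' \
        | sort -u
}

# Does NAME resolve through NSS on this host (the lookup sshd does first)?
# getent is the direct probe; id is a fallback where getent is absent.
resolves() {
    getent passwd "$1" >/dev/null 2>&1 || id -u "$1" >/dev/null 2>&1
}

# Classify every invalid-user event on stdin as "resolvable" or "unresolved".
classify() {
    invalid_users | while read -r name ip; do
        if resolves "$name"; then
            echo "$name $ip resolvable"
        else
            echo "$name $ip unresolved"
        fi
    done
}

# Constructed sample input: the three auth.log lines quoted in the question.
SAMPLE_LOG='Apr 18 11:56:26 MLL-HV-UBU-16 sshd[9103]: Invalid user mathieu from 192.168.0.114
Apr 18 11:56:26 MLL-HV-UBU-16 sshd[9103]: input_userauth_request: invalid user mathieu [preauth]
Apr 18 11:56:26 MLL-HV-UBU-16 sshd[9103]: Connection closed by 192.168.0.114 port 50152 [preauth]'

printf '%s\n' "$SAMPLE_LOG" | classify | while read -r name ip status; do
    case $status in
        unresolved) echo "$name (from $ip): unknown to NSS, so sshd never ran AuthorizedKeysCommand" ;;
        *)          echo "$name (from $ip): resolves; inspect the keys the command returns" ;;
    esac
done
```

Run it against a real log with `classify </var/log/auth.log` on the server in question; an "unresolved" result means the fix belongs in NSS (sssd, or another passwd source for the AD accounts), not in the AuthorizedKeysCommand script.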
-
Admin almost 7 years
Not even a clue? I'll have to do login/password authentication and add my servers to the domain in that case :(
-
Admin over 6 years
Suggest using the TLS-based LDAP port for this. IIRC 389 ain't.
-
Admin over 6 years
@FlorianHeigl 389 is, if you use STARTTLS.
-
Admin over 6 years
@matll42 You could also just use GSSAPI auth. It uses Kerberos to do passwordless auth and it "just works".
-
matll42 about 4 years
As I also use Gitlab and all my SSH users are Gitlab users, I'll take a look at this alternative. Thanks
-
tink over 3 years
Kudos for ingenuity, but this actually is the hackish way of doing things. Modifying LDAP appropriately is the way to go ...