0

I would like to use a public / private key to connect to a server which using LDAP for authentification. The issue is that the home folder is only mounted after login via AutoFS. How can I store the public key in the LDAP server for a specific user and linux machine to connect passwordless via SSH.

doom4
  • 101
  • Does this answer your question? SSH key authentication using LDAP – Rob Jul 21 '22 at 14:27
  • 2
    OpenSSH has little know feature called the AuthorizedKeysCommand which allows you to configure your sshd daemon to run a specific help program to retrieve the public keys that you/your users would normally store and deploy in a users ˜/.ssh/authorized_keys file. That helper program can query your LDAP servers. – Rob Jul 21 '22 at 14:29
  • I saw this like but how would a user get the key into the LDAP server after enabling this schema? – doom4 Jul 21 '22 at 14:35
  • 1
    The same way you get other data into your LDAP directory ... Via an LDAP query. Manually create an LDIF or use an ldap browser/management tool that modifies the users account and adds/updates the sshPublicKey attribute. Or make a little web service and you can also do things like expire a public key after a certain time to ensure that users regularly rotate their ssh keys. – Rob Jul 21 '22 at 14:47
  • Thanks Rob. Sorry but I am super new to LDAP. Could you give me an example to check if the server has the scheme already, query a user if an SSH key is added to its profile and the ldif the user would need to generate to add the key. Thanks again for your help. – doom4 Jul 21 '22 at 14:57
  • With almost 100% certainty your current LDAP won't have support for the sshPublicKey attribute yet, as that is nowhere near a standard schema object and extending the schema is not something most LDAP administrators will do at a whim either. Example of an ldif here: https://www.ibm.com/docs/en/external-auth-server/6.0.1?topic=SS4T7T_6.0.1/com.ibm.help.seas.secure.doc/seas_entries_for_ssh_public_key_in_the_ldap_server.html – Rob Jul 21 '22 at 15:06

0 Answers0