SSH/LDAP migration

Why migrate?
Originally, Gentoo used the OpenSSH LDAP public key patch (the OpenSSH-LPK patch set) from Eric Auge. However, this patch is unmaintained and no longer works with OpenSSH 7.7 or newer, because the auth_parse_options function was removed from OpenSSH in commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3.

Since the creation of the OpenSSH-LPK patch set, OpenSSH has changed a lot. With the release of OpenSSH 6.2_p1 on 2013-03-22, a new sshd option called "AuthorizedKeysCommand" was implemented, which supports fetching authorized_keys from a command in addition to (or instead of) from the filesystem. Thanks to this feature, we no longer need to patch OpenSSH itself. Instead, we can move the LDAP lookup into a separate package that is developed and maintained independently of OpenSSH.

In Gentoo we added a package which provides a wrapper that can be used with the "AuthorizedKeysCommand" option and also provides tools to manage keys in LDAP.

Step 2: Update ldap.conf
Compare the existing file against  provided by the wrapper and update the configuration in case something is missing or needs to be updated:

Step 3: Verify that your configuration is working
If the current user has keys stored in LDAP, run:

Or, to verify that the current user's or Larry's keys are available as expected, run:

Step 4: Update OpenSSH configuration
Now you need to update your sshd's configuration so that it will use the new wrapper to fetch authorized_keys from LDAP.

Add the following line somewhere:

Step 5: Restart sshd
As a last step, don't forget to restart the SSH daemon so that the updated configuration is used.

With OpenRC:

With systemd:

sakcl
Maybe, written in Rust and created by Gentoo developer , is a better alternative for your needs. Please follow this guide on how to migrate to sakcl.

Step 2: Create sakcl.conf
An example of this file's contents is:

Step 3: Verify that your configuration is working
To verify that Larry's keys are available as expected, run:

Step 4: Update OpenSSH configuration
Now you need to update your sshd's configuration so that it will use the new wrapper to fetch authorized_keys from LDAP.

Add the following line somewhere:

Step 5: Restart sshd
As a last step, don't forget to restart the SSH daemon so that the updated configuration is used.

With OpenRC:

With systemd: