SSH/LDAP migration

Why migrate?
Originally, Gentoo used the OpenSSH LDAP public key patch (the OpenSSH-LPK patch set) by Eric Auge. However, this patch set is dead and no longer works with OpenSSH 7.7 or newer, because the auth_parse_options function was removed from OpenSSH in commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3.

Since the creation of the OpenSSH-LPK patch set, OpenSSH has changed a lot. With the release of OpenSSH 6.2_p1 on 2013-03-22, a new sshd option called "AuthorizedKeysCommand" was introduced, which supports fetching authorized_keys from a command in addition to (or instead of) from the filesystem. Thanks to this feature, we no longer need to patch OpenSSH itself. Instead, we can move the LDAP lookup into a separate package that is developed and maintained independently of OpenSSH.

In Gentoo we added a package that provides a wrapper which can be used by the "AuthorizedKeysCommand" option, and which also provides tools to manage keys in LDAP.

Step 2: Update ldap.conf
Compare your existing ldap.conf against the ldap.conf provided by the wrapper, and update your configuration in case something is missing or needs to be changed:

Step 3: Verify that your configuration is working
If your current user has keys stored in LDAP, just run

or

to verify that your keys or Larry's keys are available as expected.

Step 4: Update OpenSSH configuration
Now you need to update your sshd's configuration so that it will use the new wrapper to fetch authorized_keys from LDAP.

Add the following: AuthorizedKeysCommand /usr/bin/ssh-ldap-pubkey-wrapper

Step 5: Restart sshd
As the last step, don't forget to restart your sshd so that the updated configuration is used. When you are using OpenRC, run

When you are using systemd, run
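Before restarting sshd, it is worth checking that the configuration change from Step 4 is complete. The shell script below is an added example written for this page, not part of the Gentoo wiki or of the ssh-ldap-pubkey package. It checks an sshd_config for the directives sshd_config(5) requires for this setup: AuthorizedKeysCommand must be an absolute path, AuthorizedKeysCommandUser must be set as well (sshd refuses to start without it), and the command must be owned by root and not be writable by group or others. The sshd_config fragment it parses is constructed sample data, and the AuthorizedKeysCommandUser value "nobody" is a placeholder; a dedicated unprivileged user with no other role on the host is the recommended choice.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki page: pre-flight checks for the
# AuthorizedKeysCommand migration before sshd is restarted.
# Assumptions (not on the page): the constructed sample config below and the
# placeholder user "nobody". The rules checked come from sshd_config(5).

# first_directive FILE KEYWORD
# Print the first value sshd would use for KEYWORD (keywords are
# case-insensitive and sshd keeps the first occurrence). Match blocks are
# not handled, so only global settings are reliable here.
first_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_akc_config FILE
# Returns 0 when AuthorizedKeysCommand is an absolute path and
# AuthorizedKeysCommandUser is present, 1 otherwise.
check_akc_config() {
    cmd=$(first_directive "$1" AuthorizedKeysCommand)
    user=$(first_directive "$1" AuthorizedKeysCommandUser)
    rc=0
    case "$cmd" in
        /*) echo "OK:   AuthorizedKeysCommand $cmd" ;;
        "") echo "FAIL: AuthorizedKeysCommand is not set"; rc=1 ;;
        *)  echo "FAIL: AuthorizedKeysCommand must be an absolute path: $cmd"; rc=1 ;;
    esac
    if [ -n "$user" ]; then
        echo "OK:   AuthorizedKeysCommandUser $user"
    else
        echo "FAIL: AuthorizedKeysCommandUser is not set (sshd will refuse to start)"
        rc=1
    fi
    return $rc
}

# check_akc_binary PATH [OWNER]
# Returns 0 when PATH exists, is executable, is owned by OWNER (default root)
# and is not writable by group or others, 1 otherwise.
check_akc_binary() {
    path="$1"
    want="${2:-root}"
    [ -x "$path" ] || { echo "FAIL: $path is missing or not executable"; return 1; }
    # Fields of "ls -ld": mode string is $1, owner is $3.
    set -- $(ls -ld "$path")
    perms="$1"
    owner="$3"
    rc=0
    [ "$owner" = "$want" ] || { echo "FAIL: $path is owned by $owner, expected $want"; rc=1; }
    # Position 6 of the mode string is the group write bit, position 9 the
    # world write bit, e.g. -rwxrwxr-x is group-writable.
    case "$perms" in
        ?????w*|????????w*) echo "FAIL: $path is writable by group or others ($perms)"; rc=1 ;;
    esac
    if [ $rc -eq 0 ]; then
        echo "OK:   $path owned by $owner, mode $perms"
    fi
    return $rc
}

# Demo on a constructed sshd_config fragment (sample data, not a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PasswordAuthentication no
AuthorizedKeysCommand /usr/bin/ssh-ldap-pubkey-wrapper
AuthorizedKeysCommandUser nobody
EOF
check_akc_config "$sample"
rm -f "$sample"

# Check the wrapper installed on this host (skipped when it is not installed).
if [ -e /usr/bin/ssh-ldap-pubkey-wrapper ]; then
    check_akc_binary /usr/bin/ssh-ldap-pubkey-wrapper
fi
```

To use it on a real host, source the file and run `check_akc_config /etc/ssh/sshd_config` followed by `check_akc_binary /usr/bin/ssh-ldap-pubkey-wrapper`. The parser only looks at global directives; if your sshd_config uses Match blocks, `sshd -T` prints the effective configuration and is the authoritative check.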