SSH/LDAP migration

From Gentoo Wiki
< SSH
Jump to: navigation, search
This article has some todo items:

Why migrate?

Originally, Gentoo used OpenSSH LDAP public key patch (OpenSSH-LPK patch set) from Eric Auge. However, this patch is dead and doesn't work anymore with OpenSSH 7.7 or newer because auth_parse_options() function was removed in OpenSSH via commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3.

Since the creation of the OpenSSH-LPK patch set, OpenSSH has changed a lot. With the release of OpenSSH 6.2_p1 in 2013-03-22, a new sshd option called "AuthorizedKeysCommand" was implemented which supports fetching authorized_keys from a command in addition to (or instead of) from the filesystem. Thanks to this feature, we no longer need to patch OpenSSH itself. Instead we can move LDAP lookup into an own package which is developed and maintained independently of OpenSSH.

In Gentoo we added sys-auth/ssh-ldap-pubkey package which provides a wrapper that can be used by "AuthorizedKeysCommand" option and also provides tools to manage keys in LDAP.

How to migrate

Step 1: Install wrapper of your choice

Note
The main guide will focus on using sys-auth/ssh-ldap-pubkey as drop-in replacement for LPK patch set. However, there are alternatives which maybe a better fit for your needs. Please see "Alternatives".
root #emerge --ask sys-auth/ssh-ldap-pubkey

Step 2: Update ldap.conf

Compare the existing /etc/ldap.conf file against ldap.conf provided by the wrapper and update the configuration in case something is missing or needs to be updated:

user $diff -u /etc/ldap.conf /usr/share/doc/ssh-ldap-pubkey-*/examples/ldap.conf

Step 3: Verify that your configuration is working

If the current user has keys stored in LDAP, run:

user $ssh-ldap-pubkey list

Or, to verify that the current user or Larry's keys are available like expected, run:

user $ssh-ldap-pubkey list -u larry
Warning
If these commands don't retrieve any keys, you need to check the LDAP configuration before proceeding!

Step 4: Update OpenSSH configuration

Now you need to update your sshd's configuration so that it will use the new wrapper to fetch authorized_keys from LDAP.

root #nano /etc/ssh/sshd_config

Add the following line somewhere:

FILE /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/ssh-ldap-pubkey-wrapper

Step 5: Restart sshd

As last step don't forget to restart the ssh daemon so that the updated configuration will be used.

With OpenRC:

root #/etc/init.d/sshd restart

With systemd:

root #systemctl restart sshd.service

Alternatives

sakcl

Maybe sys-auth/sakcl, written in Rust and created by Gentoo developer Doug Goldstein (Cardoe) , is a better alternative for your needs. Please follow this guide how to migrate to sakcl.

Step 1: Install sakcl

root #emerge --ask sys-auth/sakcl

Step 2: Create sakcl.conf

An example of this file's contents are:

FILE /etc/sakcl.conf
    uri = "ldaps://ldap.host.name"
    base = "ou=Users,dc=company,dc=com"
    # basedn and bindpw are optional parameters
    basedn = "dn=serviceacct,ou=Users,dc=company,dc=com"
    basspw = "12345"
    scope = "one|subtree|base"
    # filter will have any * replaced with the username supplied
    # otherwise it is passed directly to the LDAP search
    filter = "(&(objectClass=posixAccount)(uid=*))"
    attr = "attribute-with-ssh-public-key"

Step 3: Verify that your configuration is working

To verify that Larry's keys are available like expected, run:

user $sakcl larry
Warning
If these commands don't retrieve any keys, you need to check the LDAP configuration before proceeding!

Step 4: Update OpenSSH configuration

Now you need to update your sshd's configuration so that it will use the new wrapper to fetch authorized_keys from LDAP.

root #nano /etc/ssh/sshd_config

Add the following line somewhere:

FILE /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sakcl

Step 5: Restart sshd

As last step don't forget to restart the ssh daemon so that the updated configuration will be used.

With OpenRC:

root #/etc/init.d/sshd restart

With systemd:

root #systemctl restart sshd.service