The Secure Shell server (sshd) can retrieve user account information, including ssh public keys, from an external directory, such as OpenLDAP. Access is granted if the ssh client successfully authenticates against any one of the user's public keys that are stored in the LDAP directory.
In Oracle Solaris, the helper application /usr/lib/ssh/ssh-pubkey-ldap retrieves the key. The administrator specifies the application in the /etc/ssh/sshd_config file and also configures the sshPublicKey schema in LDAP to recognize the request.
The ssh-pubkey-ldap application enables the OpenSSH server to query an OpenLDAP server for user account information, such as an ssh public key. Adding the sshPublicKey schema to the LDAP configuration and adding two keywords to the sshd_config file connects OpenSSH with the LDAP server.
See OpenLDAP Configuration for Secure Shell Use of Public Keys for the LDAP schema that enables the connection on the LDAP server.
The two keywords that enable the connection on the OpenSSH server are:
AuthorizedKeysCommand – Specifies the absolute path of the application, /usr/lib/ssh/ssh-pubkey-ldap.
The only AuthorizedKeysCommand keyword token that ssh-pubkey-ldap accepts is %u, a username. If the caller does not specify a user, the application uses the username of the target ssh client user.
AuthorizedKeysCommandUser – Specifies daemon as the caller of the application. For more information about the daemon account, see Special System Accounts in Securing Systems and Attached Devices in Oracle Solaris 11.4.
ssh-pubkey-ldap interacts with the name service configuration as a client of an already existing external LDAP directory server. The application uses standard Oracle Solaris LDAP commands to determine whether to use the ldap or ldaps protocol and which LDAP server to contact to retrieve the user's ssh public key.
The application returns the public key in the same format in which keys are stored in public key files.
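The following is an added example and is not part of the Oracle Solaris documentation: a constructed sshd_config fragment that sets the two keywords described above, together with a small POSIX shell check that an administrator can run against /etc/ssh/sshd_config before restarting sshd. The helper path /usr/lib/ssh/ssh-pubkey-ldap, the %u token and the daemon user come from the text above; the function names (write_sample_config, check_keys_command) and the temporary file locations are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Oracle's code: constructed sshd_config fragment plus a
# check that the AuthorizedKeysCommand keywords match the documented values.

# write_sample_config FILE
# Writes a constructed sample fragment. On a real system these two lines
# belong in /etc/ssh/sshd_config.
write_sample_config() {
    cat > "$1" <<'EOF'
# Fetch the user's ssh public key from the LDAP directory
AuthorizedKeysCommand /usr/lib/ssh/ssh-pubkey-ldap %u
AuthorizedKeysCommandUser daemon
EOF
}

# check_keys_command FILE
# Returns 0 only if both keywords are present exactly once (sshd honours the
# first occurrence, so a duplicate usually means a stale edit), the command is
# the documented helper, the only token is %u and the caller is daemon.
check_keys_command() {
    cfg=$1

    # sshd keywords are case-insensitive, hence tolower() on the first field.
    line=$(awk 'tolower($1) == "authorizedkeyscommand" { print; n++ }
                END { exit (n == 1) ? 0 : 1 }' "$cfg") || {
        echo "AuthorizedKeysCommand must appear exactly once" >&2; return 1; }

    set -- $line   # $1 keyword, $2 helper path, $3 optional token
    [ "$2" = "/usr/lib/ssh/ssh-pubkey-ldap" ] || {
        echo "unexpected helper path: $2" >&2; return 1; }
    # ssh-pubkey-ldap understands only the %u token; anything else is wrong.
    [ $# -le 2 ] || [ "$3" = "%u" ] || {
        echo "unsupported token for ssh-pubkey-ldap: $3" >&2; return 1; }
    [ $# -le 3 ] || { echo "too many arguments to AuthorizedKeysCommand" >&2; return 1; }

    user=$(awk 'tolower($1) == "authorizedkeyscommanduser" { print $2; n++ }
                END { exit (n == 1) ? 0 : 1 }' "$cfg") || {
        echo "AuthorizedKeysCommandUser must appear exactly once" >&2; return 1; }
    [ "$user" = "daemon" ] || {
        echo "AuthorizedKeysCommandUser should be daemon, got: $user" >&2; return 1; }

    echo "ok: sshd will run $2 as $user to look up keys in LDAP"
}

# Stand-alone demonstration on a constructed sample file (assumed temp path).
SAMPLE="${TMPDIR:-/tmp}/sshd_config.sample.$$"
write_sample_config "$SAMPLE"
check_keys_command "$SAMPLE"
rm -f "$SAMPLE"
```

Run the script as-is to see the check pass on the sample, or call check_keys_command /etc/ssh/sshd_config on a configured system. The check deliberately rejects any token other than %u and any caller other than daemon, which are the values the documentation above specifies; a failure points at the offending line so the administrator can correct it before sshd is restarted.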
For OpenLDAP and Secure Shell to interact, the following conditions must be in place:
The system running the OpenSSH server must be configured as a client of the LDAP server.
The OpenLDAP server's schema must include an OpenSSH public key attribute named sshPublicKey and an object for a user's LDAP public key.
For an example extended schema configuration and how to connect OpenLDAP with Secure Shell, see How to Set Up Secure Shell User Authentication From Public Keys Stored in LDAP.