
Managing Secure Shell Access in Oracle® Solaris 11.4


Updated: June 2019

Secure Shell and Remote Public Keys

The Secure Shell server (sshd) can retrieve user account information, including ssh public keys, from an external directory such as OpenLDAP. Access is granted if the ssh client successfully authenticates against any one of the user's public keys that are stored in the LDAP directory.

In Oracle Solaris, the helper application /usr/lib/ssh/ssh-pubkey-ldap retrieves the key. The administrator specifies the application in the /etc/ssh/sshd_config file and also configures the sshPublicKey schema in LDAP to recognize the request.

Secure Shell Keywords for Using Remote Public Keys

The ssh-pubkey-ldap application enables the OpenSSH server to query an OpenLDAP server for user account information, such as an ssh public key. Adding the sshPublicKey schema to the LDAP configuration and adding two keywords to the sshd_config file connects OpenSSH with the LDAP server.

ssh-pubkey-ldap interacts with the name service configuration as a client of an already existing external LDAP directory server. The application uses standard Oracle Solaris LDAP commands to determine whether to use the ldap or ldaps protocol and which LDAP server to contact to retrieve the user's ssh public key.

This application returns the public key in the same format in which keys are stored in public key files, that is, one key per line as in an authorized_keys file.
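Because sshd trusts whatever the lookup helper prints, a defender may want to confirm that the helper's output really is in public key file format. The following Python is an added example, not code from the Oracle documentation or from ssh-pubkey-ldap: it parses authorized_keys-style lines and rejects any whose declared key type does not match the type encoded inside the key blob. The allowed key types, the sample key and all names are assumptions.

```python
import base64
import struct

# Assumed allow-list of key types; adjust to local policy.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _wire_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_wire_string(blob: bytes, offset: int = 0):
    """Read one SSH wire-format string; returns (value, next_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if len(blob) < end:
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_authorized_key_line(line: str) -> dict:
    """Validate one '[options] type base64 [comment]' line or raise ValueError."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        raise ValueError("empty line or comment")
    options = None
    # An options field such as from="..." may precede the key type.
    if fields[0] not in ALLOWED_TYPES and len(fields) >= 3 and fields[1] in ALLOWED_TYPES:
        options, fields = fields[0], fields[1:]
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        raise ValueError("unsupported or missing key type")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    inner_type, _ = _read_wire_string(blob)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("declared type %s does not match key blob" % key_type)
    return {"options": options, "type": key_type, "blob": blob,
            "comment": " ".join(fields[2:]) or None}


def is_valid_key_line(line: str) -> bool:
    """True when the line would be accepted as a public key file entry."""
    try:
        parse_authorized_key_line(line)
        return True
    except ValueError:
        return False


def validate_helper_output(output: str) -> list:
    """Parse every non-empty line a lookup helper returned; bad lines raise."""
    return [parse_authorized_key_line(l) for l in output.splitlines() if l.strip()]


# Constructed sample: an ed25519-shaped blob built from dummy bytes, not a real key.
_SAMPLE_BLOB = _wire_string(b"ssh-ed25519") + _wire_string(bytes(range(32)))
SAMPLE_OUTPUT = "ssh-ed25519 %s alice@example.com\n" % base64.b64encode(_SAMPLE_BLOB).decode()
```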


Note - By default, no AuthorizedKeysCommand is run.

OpenLDAP Configuration for Secure Shell Use of Public Keys

For OpenLDAP and Secure Shell to interact, the following conditions must be in place:

  • The LDAP server must have the OpenSSH server as a client.

  • The OpenLDAP server's schema must include an OpenSSH public key attribute named sshPublicKey and an object for a user's LDAP public key.

For an example extended schema configuration and how to connect OpenLDAP with Secure Shell, see How to Set Up Secure Shell User Authentication From Public Keys Stored in LDAP.