Go to main content

Managing Secure Shell Access in Oracle® Solaris 11.4

Exit Print View

Updated: June 2019

How to Set Up Secure Shell User Authentication From Public Keys Stored in LDAP

The following procedure enables the user's public key to be retrieved from the LDAP server. The user must have a public/private key pair.

Before You Begin

You have configured LDAP as the system name service for user accounts. For information, see the ldapclient (8) man page.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Modify the Secure Shell server with two new keywords.

    Add the AuthorizedKeysCommand and AuthorizedKeysCommandUser entries to the /etc/ssh/sshd_config configuration file. For example:

    	# This is the sshd server system-wide configuration file.  See
    	# sshd_config(5) for more information.
    	AuthorizedKeysCommand /usr/lib/ssh/ssh-pubkey-ldap
    	AuthorizedKeysCommandUser daemon

    Note -  In configurations where read access to the LDAP server is tightly controlled, you might need to specify root rather than daemon as the value of AuthorizedKeysCommandUser.

    If a key supplied by the AuthorizedKeysCommand keyword does not successfully authenticate the user, then public key authentication continues by using the usual AuthorizedKeysFile setting or the default keys files. For more information, see the ssh-pubkey-ldap (8) man page.

  2. Modify the LDAP server to accept user queries from the Secure Shell server.
    1. Make sure that your LDAP configuration file includes entries that enable connections from Secure Shell.

      Your /etc/openldap/ldap.conf file must point to the appropriate LDAP servers. Also, your OpenSSH server must be a client of those LDAP systems. For example:

      # LDAP Defaults
      BASE	dc=example,dc=com
      URI	ldap://ldap.example.com
    2. Add the following sshPublicKey entries to the /etc/openldap/slapd.conf file.
      -------------------------------------- # octetString SYNTAX
      	attributetype ( NAME 'sshPublicKey' DESC
      		'MANDATORY: OpenSSH Public key' EQUALITY
      		octetStringMatch SYNTAX )
      	# printableString SYNTAX yes|no
      	objectclass ( 
      		NAME 'ldapPublicKey'
      		SUP top 
      		DESC 'MANDATORY: OpenSSH LPK objectclass'
      		MUST uid
      		MAY sshPublicKey )

      sshPublicKey is the name of the default ssh public key attribute name for the LDAP schema.

      Tip  -  If your OpenLDAP server already has an LDAP public key object and an attribute name is defined, then create an attribute alias from its name to sshPublicKey.
    3. Restart slapd to load the changes.
      $ svcadm restart slapd
  3. Add users' public keys to their LDAP attributes.

    For example, add jdoe's Secure Shell public key to the LDAP server:

    1. Create an LDIF file called jdoe_publickey.ldif with the following content:
      dn: cn=jdoe,ou=People,dc=oracle,dc=com
      changeType: modify
      add: objectClass
      objectClass: ldapPublicKey
      add: sshPublicKey
      ssh-rsa AAAAB3NKey jdoe@example.com
    2. Add the LDIF file to the LDAP server configuration.

      Use the LDAP protocol that connects you to your OpenLDAP server, in this instance, ldap://:

      $ ldapmodify -a -x -D "cn=admin,dc=example,dc=com" -w <password> -H \
                 ldap:// -f jdoe_publickey.ldif
  4. (Optional) Test that jdoe can successfully authenticate to Secure Shell.
    1. On the user's system, ensure that the public key for LDAP is not present in the user's authorized_keys file.
      # mv /home/jdoe/.ssh/authorized_keys /home/jdoe/.ssh/dontuse_authorized_keys
    2. Test jdoe's Secure Shell connection.
      jdoe$ ssh