SSH/LDAP migration
Why migrate?
Originally, Gentoo used the OpenSSH LDAP public key patch (the OpenSSH-LPK patch set) by Eric Auge. However, this patch set is dead and no longer works with OpenSSH 7.7 or newer, because the auth_parse_options() function was removed from OpenSSH in commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3.
Since the OpenSSH-LPK patch set was created, OpenSSH has changed a lot. With the release of OpenSSH 6.2_p1 on 2013-03-22, a new sshd option called "AuthorizedKeysCommand" was introduced, which fetches authorized_keys from a command in addition to (or instead of) the filesystem. Thanks to this feature, OpenSSH itself no longer needs to be patched: the LDAP lookup can move into a separate package that is developed and maintained independently of OpenSSH.
In Gentoo, we added the sys-auth/ssh-ldap-pubkey package, which provides a wrapper that can be used by the "AuthorizedKeysCommand" option, plus tools to manage keys in LDAP.
How to migrate
Step 1: Install wrapper of your choice
This guide focuses on using sys-auth/ssh-ldap-pubkey as a drop-in replacement for the LPK patch set. However, there are alternatives which may be a better fit for your needs; see "Alternatives".
root # emerge --ask sys-auth/ssh-ldap-pubkey
Step 2: Update ldap.conf
Compare the existing /etc/ldap.conf file against the ldap.conf shipped with the wrapper, and update the configuration in case something is missing or needs to be changed:
user $ diff -u /etc/ldap.conf /usr/share/doc/ssh-ldap-pubkey-*/examples/ldap.conf
Step 3: Verify that your configuration is working
If the current user has keys stored in LDAP, run:
user $ ssh-ldap-pubkey list
Or, to verify that another user's keys (Larry's, for example) are available as expected, run:
user $ ssh-ldap-pubkey list -u larry
If these commands don't retrieve any keys, check the LDAP configuration before proceeding!
Step 4: Update OpenSSH configuration
Now update the sshd configuration so that it uses the new wrapper to fetch authorized_keys from LDAP.
root # nano /etc/ssh/sshd_config
Add the following line somewhere:
AuthorizedKeysCommand /usr/bin/ssh-ldap-pubkey-wrapper
Step 5: Restart sshd
As the last step, don't forget to restart the SSH daemon so that the updated configuration is used.
With OpenRC:
root # /etc/init.d/sshd restart
With systemd:
root # systemctl restart sshd.service
Alternatives
sakcl
sys-auth/sakcl, written in Rust and created by Gentoo developer Doug Goldstein (Cardoe), may be a better fit for your needs. Follow this guide to migrate to sakcl.
Step 1: Install sakcl
root # emerge --ask sys-auth/sakcl
Step 2: Create sakcl.conf
An example of this file's contents is:
uri = "ldaps://ldap.host.name"
base = "ou=Users,dc=company,dc=com"
# basedn and bindpw are optional parameters
basedn = "dn=serviceacct,ou=Users,dc=company,dc=com"
bindpw = "12345"
scope = "one|subtree|base"
# filter will have any * replaced with the username supplied
# otherwise it is passed directly to the LDAP search
filter = "(&(objectClass=posixAccount)(uid=*))"
attr = "attribute-with-ssh-public-key"
Step 3: Verify that your configuration is working
To verify that Larry's keys are available as expected, run:
user $ sakcl larry
If this command doesn't retrieve any keys, check the LDAP configuration before proceeding!
Step 4: Update OpenSSH configuration
Now update the sshd configuration so that it uses sakcl to fetch authorized_keys from LDAP.
root # nano /etc/ssh/sshd_config
Add the following line somewhere:
AuthorizedKeysCommand /usr/bin/sakcl
Step 5: Restart sshd
As the last step, don't forget to restart the SSH daemon so that the updated configuration is used.
With OpenRC:
root # /etc/init.d/sshd restart
With systemd:
root # systemctl restart sshd.service
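The following script is an added example, not code from the Gentoo wiki or from either package: it checks an AuthorizedKeysCommand setup before sshd is restarted (it applies equally to the ssh-ldap-pubkey-wrapper and the sakcl procedures above) and then runs the configured command for a user the way sshd does, with the user name as the only argument. It assumes POSIX sh with awk, find and grep, and that the keywords sit at the top level of sshd_config rather than inside a Match block; the conditions it checks (absolute path, AuthorizedKeysCommandUser set, command owned by root and not group- or world-writable) are sshd's own requirements.

```shell
#!/bin/sh
# Added example, not part of the wiki page: check an AuthorizedKeysCommand setup
# before restarting sshd, then run the command as sshd does (user name as the only
# argument) and count the keys it returns. POSIX sh/awk/find/grep; no Match blocks.

# Print the value of an sshd_config keyword; the first match wins, as in sshd.
sshd_opt() {  # $1 = sshd_config path, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Check the keywords that must be present and sane. Returns 0 if OK.
check_akc_config() {  # $1 = sshd_config path
    cmd=$(sshd_opt "$1" AuthorizedKeysCommand); rc=0
    [ -n "$cmd" ] || { echo "AuthorizedKeysCommand is not set"; return 1; }
    case $cmd in
        /*) ;;
        *)  echo "AuthorizedKeysCommand must be an absolute path: $cmd"; rc=1 ;;
    esac
    # sshd refuses to run the command unless AuthorizedKeysCommandUser is set;
    # use a dedicated unprivileged account, never root.
    user=$(sshd_opt "$1" AuthorizedKeysCommandUser)
    [ -n "$user" ] || { echo "AuthorizedKeysCommandUser is not set"; rc=1; }
    return $rc
}

# Check the command file: sshd requires it to be executable, owned by root and
# not writable by group or others. Returns 0 if OK.
check_akc_binary() {  # $1 = path to the command
    rc=0
    [ -x "$1" ] || { echo "$1 is missing or not executable"; rc=1; }
    [ -n "$(find "$1" -user root 2>/dev/null)" ] \
        || { echo "$1 is not owned by root"; rc=1; }
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ] \
        || { echo "$1 is group- or world-writable"; rc=1; }
    return $rc
}

# Run the command for one user and print how many key lines it returned
# (non-empty, non-comment lines, i.e. what sshd would try to parse).
count_keys() {  # $1 = path to the command, $2 = user name
    "$1" "$2" | grep -Ecv '^[[:space:]]*(#|$)'
}

# Usage: sh check-akc.sh /etc/ssh/sshd_config larry
if [ $# -eq 2 ]; then
    check_akc_config "$1" || exit 1
    cmd=$(sshd_opt "$1" AuthorizedKeysCommand)
    check_akc_binary "$cmd" || exit 1
    echo "$(count_keys "$cmd" "$2") key(s) returned for $2"
fi
```

Run it as root with the real sshd_config and a user known to have keys in LDAP; a zero key count with a clean configuration points back at the LDAP side (Step 3), not at sshd.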