Red Hat Bugzilla – Bug 1288659
[RFE] auth_provider = pubkey
Last modified: 2015-12-13 09:31:08 EST
Is it possible to add a feature where SSSD can be given a private key and then use it while reading an LDAP attribute for a public key to grant/deny access?
$ ldapsearch -LLL -x -h ldap.example.com -b dc=redhat,dc=com uid=striker sshpubkey
ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/5Js6lNAGIVas9GcJo4uPkNUh
Example ldapsearch command was mis-typed:
$ ldapsearch -LLL -x -h ldap.example.com -b dc=example,dc=com uid=striker sshpubkey
Can you describe the use-case in more detail? Please note that you should never give a private key to any service!
Why is sss_ssh_authorizedkeys not sufficient for your use-case?
+1 for ssh integration with sssd.
I assume that only one user is associated with an ssh public key,
and you can achieve the same with IPA HBAC rules or with the simple access provider.
The second one is not so flexible, because it is stored in sssd.conf and not in LDAP.
Sumit, do we not already give private keys to SSHD? This would essentially work in the same way as SSHD, but instead of having the public keys locally on the machine, they would be read from LDAP, which would require SSSD.
(In reply to Striker Leggette from comment #4)
> Sumit, do we not already give private keys to SSHD?
no, the private key is used on the client to encrypt something and this encrypted message is sent to SSHD on the target, which then decrypts it with the help of the public key.
> This would essentially
> work in the same way as SSHD, but instead of having the public keys locally
> on the machine, they would be read from LDAP, which would require SSSD.
(In reply to Sumit Bose from comment #5)
> no, the private key is used on the client to crypt something and this
> encrypted message is send to SSHD on the target, which then decrypts it with
> the help of the public key.
Do you believe it would be possible to gain the same functionality with SSSD, pulling a public key from an LDAP attribute instead of a local file on the system?
As mentioned in comment #1 this is already possible with sss_ssh_authorizedkeys. If the public keys are stored in LDAP in a different attribute than sshPublicKey you should add ldap_user_ssh_public_key=yourAttributeName to sssd.conf, see man sssd-ldap for details.
Please report bugs if there are any :-)
(In reply to Sumit Bose from comment #7)
> As mentioned in comment #1 this is already possible with
> sss_ssh_authorizedkeys. If the public keys are stored in LDAP in a different
> attribute than sshPublicKey you should add
> ldap_user_ssh_public_key=yourAttributeName to sssd.conf, see man sssd-ldap
> for details.
Ah. I didn't realize that was what this was for. Will open other BZs in case of bugs. Thanks for the replies.
Closing according to the last comment. Please open a new bug if the SSH integration doesn't work for you.
Just wanted to say thanks for pointing me in the right direction. :)
sssd.conf:
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = example.com

[domain/example.com]
filter_groups = root
filter_users = root
id_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_search_base = dc=example,dc=com
override_homedir = /home/%u
auth_provider = ldap
ldap_user_ssh_public_key = ipaSshPubKey

sshd_config:
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
Subsystem sftp /usr/libexec/openssh/sftp-server
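The complete wiring that comment #7 points at (sshd -> sss_ssh_authorizedkeys -> SSSD ssh responder -> LDAP attribute), as an added example that is not part of the bug report or of the SSSD project. The hostname, base DN, domain name and the ipaSshPubKey attribute are taken from the thread; the path /usr/bin/sss_ssh_authorizedkeys, the choice of nobody as AuthorizedKeysCommandUser, and the scratch directory are assumptions. The script writes both fragments to a temporary directory so it runs offline, then checks that the two files agree with each other; the check function is illustrative, not an SSSD tool.

```shell
#!/bin/sh
# Added example: minimal sssd.conf + sshd_config fragments for key lookup
# through SSSD, plus a consistency check. Files go to a scratch directory
# (assumed layout); copy them into /etc/sssd/sssd.conf (mode 0600) and
# /etc/ssh/sshd_config on a real host.
set -eu

WORK=$(mktemp -d)

# sssd.conf: the ssh responder must be listed in [sssd] services, and the
# domain must name the LDAP attribute holding the keys. The attribute
# defaults to sshPublicKey; the thread's directory uses ipaSshPubKey.
cat > "$WORK/sssd.conf" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_search_base = dc=example,dc=com
ldap_user_ssh_public_key = ipaSshPubKey
EOF

# sshd_config: sshd runs the command as AuthorizedKeysCommandUser with the
# login name as argument and treats its stdout as authorized_keys lines.
# OpenSSH refuses AuthorizedKeysCommand without AuthorizedKeysCommandUser.
cat > "$WORK/sshd_config" <<'EOF'
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF

# check_sssd_ssh_config SSSD_CONF SSHD_CONF
# Prints "ok" when both halves of the integration are present, otherwise
# prints the first missing piece and returns 1.
check_sssd_ssh_config() {
  sssd_conf=$1
  sshd_conf=$2
  grep -Eq '^services *=.*[ ,]ssh( *,|$)' "$sssd_conf" \
    || { echo "sssd.conf: ssh responder not in services"; return 1; }
  grep -Eq '^ldap_user_ssh_public_key *= *[A-Za-z]' "$sssd_conf" \
    || { echo "sssd.conf: ldap_user_ssh_public_key not set"; return 1; }
  grep -Eiq '^AuthorizedKeysCommand +/usr/bin/sss_ssh_authorizedkeys' "$sshd_conf" \
    || { echo "sshd_config: AuthorizedKeysCommand missing"; return 1; }
  grep -Eiq '^AuthorizedKeysCommandUser +[A-Za-z_]' "$sshd_conf" \
    || { echo "sshd_config: AuthorizedKeysCommandUser missing"; return 1; }
  echo ok
}

check_sssd_ssh_config "$WORK/sssd.conf" "$WORK/sshd_config"
```

After the fragments are in place and sssd and sshd have been restarted, `sss_ssh_authorizedkeys striker` run as root on the host should print the value stored in the user's ipaSshPubKey attribute; if it prints nothing, check the attribute name and the responder before looking at sshd. Note what this setup means for access control: sshd accepts whatever the command prints, so write access to that LDAP attribute is equivalent to granting login as that user, and the attribute's ACL deserves the same scrutiny as the user's authorized_keys file would.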