Users created in AD can log in to Linux with a password. I would like to replace this password login with an SSH key. So far, I've made a custom attribute and placed the public key in it, and I am able to fetch it on Linux with a script. I would like to put this key in /home/user/.ssh/authorized_keys whenever a new user is created.

Is there an event or some config file that I can use to trigger my script?

Note: SSSD is creating the user and home directory whenever a user logs in for the first time.

1 Answer

Rather than copying the public key from your Active Directory to a ~/.ssh/authorized_keys file, you can configure OpenSSH to validate directly against AD instead.

OpenSSH supports the AuthorizedKeysCommand directive for your sshd_config, which allows you to specify a program to be used to look up the user's public key before attempting to read it from a (local) file. For instance:

 AuthorizedKeysCommand /path/to/script %u 

where /path/to/script takes, for example, a username as a command-line argument and must then return zero or more lines of authorized_keys output on standard output.

HBruijn
  • That is a nice way of implementing this. But I'm not sure how to provide the username to the script. AuthorizedKeysCommand /root/script.sh In the script.sh, I've to provide the username against which I'll fetch the ssh key. – Shahzaib Khan Mar 26 '19 at 10:10
  • The SSH daemon provides the expansion of `%u` (and other % variables) and will call your script with the username the ssh client attempting to log in provides. You have to create/modify your script to take a username as a command-line argument, in a bash script something like `./script -u USERNAME`, and then in the script use something like `getopts` to parse the command-line argument to make a username available in your script for further processing – HBruijn Mar 26 '19 at 10:28
  • Thank you for your response. I've followed your instructions and I'm getting this error: Mar 26 12:07:08 key-test sshd[14967]: error: AuthorizedKeysCommand /var/local/ssh_gen.sh harry failed, status 1 – Shahzaib Khan Mar 26 '19 at 12:10
  • while running the script manually gives me the key: [root@key-test local]# /var/local/ssh_gen.sh harry > ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAlabPqn5b2u8q/RdSA4fb85076dTfM3zf4KIPXYcVhGevG/HR//ft0oMMqEEYSjvCr75cd95G6TTbdHbxMUfm26gmNN8EdsMCSpM0gJid8wOSGqmjZcaBgu7GMWdSSoRhkAQJtIvToiwHDSkgU2Am7miL/VIvePlW6c/3RSclKfJtHUG8yWF4EBUhhydVKIUiQMM2KlZJGx6FN2P6RoWJYVRNmN502yqk2p1uNQ5GfbUgBoIQ7DlBUbvbhdksz0QE8NlJqB0g1iuCC4FqgUlFpasEhldci0VBsRbl65jYknhVl6/yHzfXOTCjVIXOIqvvMKU8HGHfBr1+nQWrsDpE3Q== rsa-key-20190322 – Shahzaib Khan Mar 26 '19 at 12:10
  • The permissions on the script are: -rwxr-xr-x. 1 root root 404 Mar 26 12:05 ssh_gen.sh – Shahzaib Khan Mar 26 '19 at 12:12
  • And the sshd_config file is set as this: AuthorizedKeysCommand /var/local/ssh_gen.sh %u AuthorizedKeysCommandUser nobody – Shahzaib Khan Mar 26 '19 at 12:13
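
A worked AuthorizedKeysCommand of the kind the answer describes, added here as an example (it is not the asker's ssh_gen.sh nor code from the answer). It reads the key from an AD attribute via ldapsearch and prints authorized_keys lines to stdout. The directory details are assumptions: the server dc1.example.internal, the search base, the service bind DN, the bind password file /etc/ssh/ad-bind.pw and the attribute name sshPublicKey all stand in for whatever the real environment uses. Two points the thread's error report makes worth building in: sshd runs the program as AuthorizedKeysCommandUser, not as root, so anything the script reads (the bind password file included) must be readable by that user, and a non-zero exit status makes sshd discard the output, so "no key for this user" should exit 0 with empty output while only genuinely bad input exits non-zero. The username is whitelisted and RFC 4515-escaped before it is placed into an LDAP filter, and output is filtered to bare key lines so nothing else in the attribute (junk, or an options prefix such as command=) reaches sshd.

```shell
#!/bin/sh
# ad-ssh-keys: an AuthorizedKeysCommand that prints the public key(s) stored
# in an AD user attribute. Added example, not code from the original thread.
# Install root-owned, not group/world writable (sshd checks this), then:
#   AuthorizedKeysCommand /usr/local/sbin/ad-ssh-keys %u
#   AuthorizedKeysCommandUser nobody
# Every directory value below is an assumption; adjust to your environment.

LDAP_URI="ldaps://dc1.example.internal"                          # assumed DC
LDAP_BASE="DC=example,DC=internal"                               # assumed base
LDAP_BINDDN="CN=svc-sshkeys,OU=Service,DC=example,DC=internal"   # assumed bind account
LDAP_PWFILE="/etc/ssh/ad-bind.pw"   # assumed; must be readable by AuthorizedKeysCommandUser
KEY_ATTR="sshPublicKey"             # assumed name of the custom attribute

# Reject anything that is not a plausible account name before it gets near
# an LDAP filter. Widen the class if your names legitimately need it, but
# keep it a whitelist and fail closed.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# RFC 4515 escaping of a filter assertion value: backslash first, then * ( ).
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Query the directory and print the attribute values, one per line.
# Redefine this function to exercise the script without a directory.
lookup_raw_attr() {
    ldapsearch -LLL -o ldif-wrap=no -x -H "$LDAP_URI" \
        -D "$LDAP_BINDDN" -y "$LDAP_PWFILE" -b "$LDAP_BASE" \
        "(&(objectClass=user)(sAMAccountName=$(ldap_escape "$1")))" "$KEY_ATTR" \
        | sed -n "s/^$KEY_ATTR: //p"
    # Values ldapsearch base64-encodes ("attr:: ...", e.g. a trailing space in
    # the attribute) are not decoded here and are dropped by the filter below.
}

# sshd parses each output line as an authorized_keys entry, so only pass on
# lines that are a bare key: type, base64 blob, optional comment. Junk and
# option prefixes (command=, from=, ...) are dropped rather than trusted.
KEY_LINE_RE='^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
filter_key_lines() {
    grep -E "$KEY_LINE_RE" || [ $? -eq 1 ]   # grep's "no match" is not an error
}

authorized_keys_for() {
    if ! valid_username "$1"; then
        printf 'ad-ssh-keys: refusing unexpected username %s\n' "$1" >&2
        return 1      # non-zero: sshd logs "failed, status 1" and ignores the output
    fi
    lookup_raw_attr "$1" | filter_key_lines
    return 0          # no keys => empty output, exit 0: sshd simply moves on
}

if [ "$#" -eq 1 ]; then
    authorized_keys_for "$1"
    exit $?
fi
```

To reproduce what sshd does rather than what root sees, run it as the AuthorizedKeysCommandUser, e.g. `sudo -u nobody /usr/local/sbin/ad-ssh-keys harry; echo $?`: the output must be the key lines and the status must be 0, under that user's permissions and with no Kerberos ticket or root-only files available.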