
I would like to enable the following: Linux ec2 instances in AWS that perform LDAP authentication of users who have no home directory currently on the box. I have a working openLDAP in AWS for the task.

Once LDAP authenticated:

  • The user's home directory will get created
  • The user's public ssh key is retrieved from their sshPublicKey attribute in LDAP and they can only log on if their local sshPrivateKey matches

I know how to do LDAP auth OR retrieval of public key via an ldapsearch but I want to do both.

The scenario I am trying to mitigate against is when an employee leaves the company: I can just disable their account in openLDAP and even if their public key exists on machines, they won't be able to use them because they will also fail ldap auth.

I've hunted round on StackExchanges and don't think I've found what I'm looking for. The closest I've come is

SSH key authentication using LDAP

Combination of SSH key auth, and two-factor authentication

Spangen
  • What do you use to LDAPize your linux box? nslcd (nss-pam-ldapd), nss-pam-ldap or something else? You can easily disable user by changing `loginShell` to `/bin/false` or `/usr/sbin/nologin` in LDAP if you're reading this attribute. – Jakub Jindra Mar 29 '19 at 09:56
  • Thanks @JakubJindra. I wanted to use ssh as well as ldapAuth to act as an additional factor of authentication so requiring ssh key as well as user/pass. Would disabling the user as you described apply in this scenario too? My proof of concept with ldap auth only was nss-pam-ldap – Spangen Mar 29 '19 at 10:02
  • If the user exists only in LDAP database and not in file database `/etc/passwd`, it will be the same. He would be able to authenticate, but then his loginShell won't let him in. Better approach is use one LDAP attribute to differentiate enabled and disabled users. And filter by this attribute. The user will simply disappear from the system. – Jakub Jindra Mar 29 '19 at 10:07
  • Thanks, but I'm still not clear how I go about setting up both LDAP auth *and* the retrieval of the user's ssh public key. Sorry if I'm not asking the question in the right way. Basically is both authentication using LDAP user/pass and also ssh pub/priv key able to be applied together, if so how? – Spangen Mar 29 '19 at 10:19
  • OK, I'll try to summarize it in the answer for you. – Jakub Jindra Mar 29 '19 at 10:21
  • Thank you so much – Spangen Mar 29 '19 at 10:22

1 Answer

Authentication

There's AuthorizedKeysCommand and AuthorizedKeysCommandUser in sshd_config(5) since OpenSSH 6.2. You need that to authenticate user against his/her sshPublicKey which is stored in LDAP. You don't even need ldapsearch to get the sshPublicKey - curl can do it too, since it knows the ldap protocol.

When AuthorizedKeysCommand is defined but the command doesn't return any public key, openssh server continues with AuthorizedKeysFile and then with PasswordAuthentication.

On AWS EC2 the PasswordAuthentication is disabled, so if you really want it, you need to enable it in config. But I wouldn't recommend PasswordAuthentication at all today.

Small recap: you want these options in /etc/ssh/sshd_config: AuthorizedKeysFile, AuthorizedKeysCommand, AuthorizedKeysCommandUser and PasswordAuthentication.

Disabling user

As mentioned in discussion under the question: you can either use the loginShell ldap attribute and modify its value to /bin/false or /usr/sbin/nologin, or use another attribute and add it into the search query. This differs depending on your setup.

What's your setup? nslcd (nss-pam-ldapd), nss-pam-ldap, sssd or something else?

Jakub Jindra
  • Thanks Jakub, but this still seems only to do ssh auth of the user. Not validating their user/password against ldap, followed by ssh auth on the retrieved key. Maybe what I'm considering just isn't possible – Spangen Mar 29 '19 at 12:42
  • So you want to authenticate by pubkey from ldap and even after that using ldap password? I think it's possible using pam configuration. But editing pam can be dangerous. – Jakub Jindra Mar 29 '19 at 12:52
  • Yes, as it says in the title `Require both LDAP authentication *and* ssh auth` Thanks for your suggestions – Spangen Mar 29 '19 at 13:02
  • OK, then try following solution: https://security.stackexchange.com/a/130116/202480 – Jakub Jindra Mar 29 '19 at 13:13
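The AuthorizedKeysCommand setup from the answer, written out as an added example (not code from the original post or from Jakub): a helper that pulls a user's sshPublicKey values out of LDAP and prints them in authorized_keys format, with the LDAP filter excluding users disabled via loginShell. It assumes ldapsearch from openldap-clients, the openssh-lpk schema (objectClass ldapPublicKey) for the sshPublicKey attribute, placeholder LDAP_URI/LDAP_BASE values, and the real sshd_config option AuthenticationMethods (OpenSSH 6.2+, not mentioned in the answer) for requiring the key and the PAM/LDAP password together.

```shell
#!/bin/bash
# Added example, not from the original post: AuthorizedKeysCommand helper that
# prints a user's LDAP sshPublicKey values in authorized_keys format.
# Assumed/placeholder: ldapsearch (openldap-clients), the openssh-lpk schema
# (objectClass ldapPublicKey), LDAP_URI, LDAP_BASE. Matching sshd_config lines:
#   AuthorizedKeysCommand /usr/local/bin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
#   AuthenticationMethods publickey,password   # key AND (PAM/LDAP) password
set -eu
LDAP_URI="${LDAP_URI:-ldap://ldap.example.internal}"   # placeholder
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=com}"  # placeholder
# %u is chosen by whoever connects and lands in the LDAP filter: allow only a
# plain username so the filter cannot be altered.
valid_user() {
    case "$1" in '' | *[!a-zA-Z0-9._-]*) return 1 ;; esac
}
# LDIF folds long values at 76 columns (continuation lines start with a space)
# and base64-encodes unsafe values ("attr:: ..."); unfold, then extract keys.
ldif_to_keys() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" } { printf "%s", $0 } END { print "" }' |
    while IFS= read -r line; do
        case "$line" in
            'sshPublicKey:: '*) printf '%s\n' "${line#sshPublicKey:: }" | base64 -d; echo ;;
            'sshPublicKey: '*)  printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}
# The filter also drops users whose loginShell is nologin, so an account
# disabled in LDAP yields no keys and pubkey auth fails.
fetch_keys() {
    valid_user "$1" || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=ldapPublicKey)(uid=$1)(!(loginShell=/usr/sbin/nologin)))" \
        sshPublicKey | ldif_to_keys
}
# Constructed LDIF shaped like ldapsearch -LLL output: one folded value and one
# base64 value (base64 of "ssh-rsa AAAA bob"), to exercise ldif_to_keys offline.
demo() {
    ldif_to_keys <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyPart1
 Part2 alice@laptop
sshPublicKey:: c3NoLXJzYSBBQUFBIGJvYg==
EOF
}
if [ "$#" -eq 1 ]; then fetch_keys "$1"; fi
```

Run it as `ldap-authorized-keys alice` to see what sshd would receive; `demo` shows the parsing on the embedded sample without an LDAP server.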