Firstly let me say, this guide is targeted at Debian Squeeze, although it will work on Wheezy. No warranty implied if you lock yourself out of a server; be sure to have a KVM or something similar if you are attempting this on a production server.
At the end of this you should have a server that can be authenticated via LDAP and with support for SSH Keys delivered over LDAP. What is not covered in this is setting up the LDAP server and IPSec (or SSL) for securing transport.
This should not be attempted unless you have a solid grasp of the fundamentals as LDAP and PAM can be an absolute pain to debug.
Steps:
1. Upgrade OpenSSH
2. Install LDAP components.
3. LDAP configuration
4. Configure OpenSSH
Step 1. OpenSSH
Debian comes with a version of OpenSSH that is too old to include support for getting authorized keys from an executed command. So we need to upgrade it to the latest.
You will need a working compiler (build-essential) and the openssl library and headers.
wget http://openbsd.mirrors.pair.com/OpenSSH/portable/openssh-6.2p2.tar.gz
tar -zxvf openssh-*.tar.gz
cd openssh-6.2p2
./configure --with-md5-passwords --sbindir=/usr/sbin --with-pam
make
make install
Or just run this script file: http://www.x4b.net/files/openssh-build.sh
Step 2. Install LDAP components
apt-get install libnss-ldapd ldap-utils libpam0g-dev
Step 3. Configuration Files
There is a lot of configuration required to get LDAP working; if you are interested in the meaning of these files, consult a manual.
You will need to edit/replace the following files. Take care to replace the bindpw etc in all files.
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive
/etc/nscd.conf
/etc/nslcd.conf
/etc/nsswitch.conf
/etc/ldap/ldap.conf
Configuration files can be found rar'ed here: http://x4b.net/files/ldap.rar
Restart nslcd and nscd
If everything is as expected, "getent passwd user" (where user is a user defined via LDAP) should return a user entry.
Step 4. Configure OpenSSH
Add the following lines to /etc/ssh/sshd_config for LDAP ssh keys
AuthorizedKeysCommand /var/LDAP/ldap-keys.sh
AuthorizedKeysCommandUser root
Create the file /var/LDAP/ldap-keys.sh and ensure it has execute permission
#!/bin/sh
# sshd passes the username as $1; replace the placeholder values below with those from /etc/nslcd.conf.
uri="ldap://ldap.example.com"
base="dc=example,dc=com"
binddn="cn=ssh,dc=example,dc=com"
bindpw="changeme"
ldapsearch -x -H "${uri}" \
-w "${bindpw}" -D "${binddn}" \
-b "${base}" \
'(&(objectClass=posixAccount)(uid='"$1"'))' \
'sshPublicKey' \
| sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
Add the following to /etc/default/ssh to ensure OpenSSH looks for its configuration at the Debian path
SSHD_OPTS=" -f /etc/ssh/sshd_config"
Conclusion
Restart OpenSSH and hope for the best. If you do have an issue, your current open session should remain open, allowing you to fix it.
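As an added example that is not part of the original post: two parts of the Step 4 script worth hardening are the username sshd hands the script as $1 (it goes straight into an LDAP filter) and the LDIF unfolding the sed one-liner performs. The helper functions and the LDIF sample below are constructed for illustration; the sshPublicKey attribute and the posixAccount filter are the ones the post's script uses.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for a hardened
# AuthorizedKeysCommand. sshd passes the username as $1, and ldapsearch
# prints LDIF, which folds long values onto lines that start with a space.

# Accept only lowercase POSIX-style usernames; reject anything else so filter
# metacharacters such as '*' or ')' never reach the LDAP query.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the filter the post intends: both conditions AND-ed. The bare
# '(objectClass=...)(uid=...)' form in the one-liner is not a valid filter.
key_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))' "$1"
}

# Unfold LDIF on stdin and print one sshPublicKey value per line; a leading
# space marks a continuation of the previous attribute line (RFC 2849).
unfold_keys() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf ~ /^sshPublicKey: /) print substr(buf, 15); buf = $0 }
        END { if (buf ~ /^sshPublicKey: /) print substr(buf, 15) }
    '
}

# Constructed LDIF sample resembling ldapsearch output, with one folded key.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF
 akeexamplekeyvalue alice@example
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2E alice-laptop
'

# Stand-alone usage: validate, build the filter, unfold the sample.
if valid_user "alice"; then
    key_filter "alice"; echo
    printf '%s' "$SAMPLE_LDIF" | unfold_keys
fi
```

In a real ldap-keys.sh the ldapsearch call from the post would sit between valid_user and unfold_keys, with "$(key_filter "$1")" as the filter argument.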