Howto OpenSSH + LDAP on Debian

splitice

Just a little bit crazy...
Verified Provider
Firstly let me say, this guide is targeted at Debian Squeeze, although it will work on Wheezy. No warranty implied if you lock yourself out of a server; be sure to have a KVM or something if you are attempting this on a production server.

At the end of this you should have a server that can be authenticated via LDAP and with support for SSH Keys delivered over LDAP. What is not covered in this is setting up the LDAP server and IPSec (or SSL) for securing transport.

This should not be attempted unless you have a solid grasp of the fundamentals as LDAP and PAM can be an absolute pain to debug.

Steps:

1. Upgrade OpenSSH
2. Install LDAP components
3. LDAP configuration
4. Configure OpenSSH

Step 1. OpenSSH

Debian comes with a version of OpenSSH that is too old to include support for getting authorized keys from an executed command. So we need to upgrade it to the latest.

You will need a working compiler (build-essential) and the openssl library and headers.

wget http://openbsd.mirrors.pair.com/OpenSSH/portable/openssh-6.2p2.tar.gz
tar -zxvf openssh-*.tar.gz
cd openssh-6.2p2
./configure --with-md5-passwords --sbindir=/usr/sbin --with-pam
make
make install

Or just run this script file: http://www.x4b.net/files/openssh-build.sh

Step 2. Install LDAP components

apt-get install libnss-ldapd ldap-utils libpam0g-dev

Step 3. Configuration Files

There is a lot of configuration required to get LDAP working; if you are interested in the meaning of these files, consult a manual.

You will need to edit/replace the following files. Take care to replace the bindpw etc in all files.

/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive
/etc/nscd.conf
/etc/nslcd.conf
/etc/nsswitch.conf
/etc/ldap/ldap.conf

Configuration files can be found rar'ed here: http://x4b.net/files/ldap.rar

Restart nslcd and nscd

If everything is as expected "getent passwd user" where user is a user defined via LDAP should return a user entry.

Step 4. Configure OpenSSH

Add the following lines to /etc/ssh/sshd_config for LDAP SSH keys:

AuthorizedKeysCommand /var/LDAP/ldap-keys.sh
AuthorizedKeysCommandUser root

Create the file /var/LDAP/ldap-keys.sh and ensure it has execute permission:

#!/bin/sh
# Placeholder connection values: replace with the settings from /etc/nslcd.conf
uri="ldap://ldap.example.invalid"
base="dc=example,dc=invalid"
binddn="cn=sshd,dc=example,dc=invalid"
bindpw="CHANGEME"
ldapsearch -x -H "${uri}" \
-w "${bindpw}" -D "${binddn}" \
-b "${base}" \
'(&(objectClass=posixAccount)(uid='"$1"'))' \
'sshPublicKey' \
| sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

Add the following to /etc/defaults/ssh to ensure OpenSSH looks for its configuration at the Debian path:

SSHD_OPTS=" -f /etc/ssh/sshd_config"

Conclusion

Restart OpenSSH and hope for the best. If you do have an issue your current open session should remain open allowing you to fix it.
 
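A hardened version of the key-lookup script, added here as an example and not part of splitice's post: it rejects login names that are not plain POSIX usernames before they can reach the LDAP filter (sshd passes whatever name the client asked for), builds the filter with the enclosing (&...) AND, reads the bind password from a root-only file rather than a -w argument visible in the process list, and unfolds LDIF with awk instead of the sed one-liner. The LDAP URI, base, bind DN and password file path are placeholder assumptions, and the LDIF sample is constructed so the parsing can be checked offline.

```shell
#!/bin/sh
# Added example, not the post's ldap-keys.sh: a hardened AuthorizedKeysCommand
# helper. The four connection values are placeholders to replace.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.invalid}"
LDAP_BASE="${LDAP_BASE:-dc=example,dc=invalid}"
LDAP_BINDDN="${LDAP_BINDDN:-cn=sshd,dc=example,dc=invalid}"
# Root-owned, mode 0600, written without a trailing newline (ldapsearch -y
# treats a trailing newline as part of the password).
LDAP_BINDPW_FILE="${LDAP_BINDPW_FILE:-/etc/ldap/sshd.secret}"

# sshd hands over the login name the client asked for (%u), so treat it as
# untrusted: only plain POSIX-style names get as far as the LDAP filter.
valid_username() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# RFC 4515 filter for exactly one account; the enclosing (&...) is what ANDs
# the two terms.
ldap_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))' "$1"
}

# Unfold LDIF (continuation lines start with one space) and print the value of
# every sshPublicKey attribute, one key per line. Base64 ("::") values are not
# handled, since OpenSSH key lines are plain ASCII.
extract_keys() {
    awk '
        /^ / { if (inkey) val = val substr($0, 2); next }
        { if (inkey) print val; inkey = 0 }
        /^sshPublicKey: / { inkey = 1; val = substr($0, 15) }
        END { if (inkey) print val }'
}

# Entry point for sshd: prints the keys on success and nothing otherwise.
lookup_keys() {
    valid_username "$1" || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$LDAP_BINDDN" -y "$LDAP_BINDPW_FILE" \
        -b "$LDAP_BASE" "$(ldap_filter "$1")" sshPublicKey | extract_keys
}

# Constructed sample of what "ldapsearch -LLL" returns for one account,
# including a folded line, so the parser can be exercised offline.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=invalid
sshPublicKey: ssh-ed25519 AAAAC3constructed
 key1 alice@laptop
sshPublicKey: ssh-rsa AAAAB3constructedkey2 alice@desk
'
demo_keys() { printf '%s' "$SAMPLE_LDIF" | extract_keys; }

if [ $# -eq 1 ]; then lookup_keys "$1"; fi
```

Install it as /var/LDAP/ldap-keys.sh, owned by root and not group- or world-writable, or sshd will refuse to run it.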

HalfEatenPie

The Irrational One
Retired Staff
I hid the other one because it seemed like it was a double post.  If it wasn't then let me know.

Nice Tutorial by the way! :)
 

splitice

Just a little bit crazy...
Verified Provider
Sorry what?

The problem I refer to in that code block is obvious: if you try and stick that code in a code block, the code block glitches.

EDIT: Found the trick, it's an incompatibility with tabs.
 