Index of /pdp/ndpf/files/packages/mkgroup-sshlpk

Name                               Last modified      Size
README.txt                         2025-04-21 16:24   8.3K
mkgroup-dnlist                     2022-01-23 16:04   5.4K
mkgroup-sshlpk                     2022-01-23 16:04   8.0K
mkgroup-sshlpk-1.8-3.noarch.rpm    2017-06-10 21:25   9.5K
mkgroup-sshlpk-1.8-3.src.rpm       2017-06-10 21:25   43K
mkgroup-sshlpk-1.8.src.tgz         2017-06-10 21:25   41K
mkgroup-sshlpk-1.11-1.noarch.rpm   2021-03-07 10:23   12K
mkgroup-sshlpk-1.11-1.src.rpm      2021-03-07 10:23   15K
mkgroup-sshlpk-1.11-3.noarch.rpm   2021-03-23 14:22   12K
mkgroup-sshlpk-1.11-3.src.rpm      2021-03-23 14:22   15K
mkgroup-sshlpk-1.11-4.noarch.rpm   2021-04-06 08:23   13K
mkgroup-sshlpk-1.11.src.tgz        2021-03-23 14:22   13K
mkgroup-sshlpk-1.12-1.noarch.rpm   2025-04-21 16:24   21K
mkgroup-sshlpk-1.12-1.src.rpm      2025-04-21 16:24   176K
mkgroup-sshlpk-1.12.src.tgz        2025-04-21 16:24   169K
mkgroup-sshlpk_1.11-1.deb          2021-03-07 10:23   8.8K
mkgroup-sshlpk_1.12-1.deb          2025-04-21 16:31   13K
mkgroup-sshlpk_1.12-1.tgz          2025-04-21 16:31   14K
mkhomedir-sshlpk                   2022-01-23 16:04   1.7K
openssh-lpk.schema                 2008-12-19 09:19   554
sshlpk-akfgen                      2022-01-23 16:04   2.8K
sshlpk-list                        2022-01-23 16:04   1.2K

SSH with LDAP Public Keys - a basic toolbox
-------------------------------------------

The "mkgroup-sshlpk" toolbox (for "SSH LDAP Public Keys") is a set of two
scripts that ease the use of an LDAP directory of users and groups for
logging in with SSH:

 mkgroup-sshlpk - generate SSH authorized keys files based on LDAP groups
                  and users, including filtering on (DN-based) groups and
                  attribute filters

 sshlpk-akfgen  - generate dynamically per-user authorized keys files for
                  use with the AuthorizedKeysCommand directive in the ssh
                  server config

The LDAP directory should follow RFC2307 guidance, use the popular "openssh-lpk"
schema (Mark Ruijter et al.), and use either the groupOfNames or
groupOfUniqueNames structure for members (uniqueMember). Some defaults are
set to correspond to the deployment at Nikhef, but all can trivially be
changed using command-line options or the default config file (akfgen).

A few utilities, such as mkhomedir-sshlpk, mkgroup-dnlist and sshlpk-list,
do not yet support authenticated binding. Version 1.12 added support for
authenticated (machine) binding to the main generators.


mkgroup-sshlpk
--------------
Generate a list of all unique sshPublicKeys for all members of the
directory groups or uids specified on the command line.

Usage: /usr/local/sbin/mkgroup-sshlpk.ed2025 [-h] [-c|--command string] [-H uri] [-b DITbase] [-o file]
          [-f] [-v[v]] RDN [RDN ...]
  -h         Display this help text
  --uid|-u   Also retrieve sshPublicKeys for the listed uids, not only for groups
  --filter=s Use an LDAP filter to limit results (applies recursively)
               (default: (objectclass=*))
               NOTE: explicitly listed entries must all match filter
  -H uri     Connect to LDAP server at <uri>
               (default: ldaps://ldap.nikhef.nl/)
  -b base    Search base DIT for groups
               (default: dc=farmnet,dc=nikhef,dc=nl)
  -c prfx    Prefix prepended to each line written. Any text in the
             original sshPublicKey attribute before the tokens " ssh-.sa "
             or " \d+ \d+ " (i.e. any existing key options) is replaced. In
             the prefix itself, @UID@, @GID@ and @UIDNUMBER@ are expanded
  -o file    Write the list of sshPublicKeys to <file>
             (only when at least one sshPublicKey is retrieved, unless
             -f is also specified)
  -f         Force writing even if the list of keys is empty
  -q         Quiet: do not warn about missing entries
  -U         Add uidName and uidNumber as a comment at the end of each line
  -C cfgfile Config file (default: /usr/local/etc/mkgroup-sshlpk.conf);
             the file should be in in-line Perl syntax
  -D binddn
             bind as <binddn> (set to _NSS to read from sssd.conf)
  -y bindpwfile
        read the bind password from the file <bindpwfile>
        (it can also be set in config file with '$ldapbindpw=""'
         but then protect the config file!)
  --sssd-config|S <file>
        Read LDAP bindDN and password (plaintext) from sssd config <file>
        SSSD parsing is only used when option is set (in config or argument)
  --sssd-domain <domain>
        Within the sssd config file, read data from domain <domain>


  RDN   names of groups (or uids) to traverse for members (list)
             NOTE: the whole directory is searched for these group names
             or uids (provided there are keys there)

Dependencies:
  perl-LDAP, and perl-IO-Socket-SSL & perl-Net-SSLeay for ldaps

Example:
  mkgroup-sshlpk systemAdministrators
  mkgroup-sshlpk -u systemAdministrators z66
  mkgroup-sshlpk -u -U systemAdministrators z66
  mkgroup-sshlpk -c 'command="svnserve -t -r /project/srv/svn --tunnel-user=@UID@",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty' -o ~svn/.ssh/authorized_keys nDPFSubversiveUsers
  mkgroup-sshlpk -H ldaps://ldap.example.org/ -b dc=example,dc=org -o /root/.ssh/authorized_keys privilegedUsers
  mkgroup-sshlpk -S /etc/sssd/sssd.conf -y /usr/local/etc/sshlpk-akfgen.passwd -o /root/.ssh/authorized_keys privilegedUsers

and of course "mkgroup-sshlpk -q -u \*" will retrieve all keys from the
directory ...



sshlpk-akfgen
-------------
This tool takes its configuration from a configuration file (default:
/usr/local/etc/sshlpk-akfgen.conf), because by its nature it generates
output that must look exactly like an ssh authorized_keys file.

The script includes a couple of safeguards to ensure that root (and
similar users, as matched by the anchored regex in the configuration file
directive $localaccounts) can log in even if LDAP is down: for these
accounts it will ALWAYS use the local file, never LDAP. That is also safer
for security reasons, as it rules out an unexpected LDAP-based root login
if somebody manages to create a "uid=root" user in LDAP ...

Use this command via the sshd_config file directives:
   AuthorizedKeysCommand     /usr/local/sbin/sshlpk-akfgen
   AuthorizedKeysCommandUser root
   AuthorizedKeysFile        /dev/null
Note that this needs root privileges to read the local file for root logins,
as per the description above. If you don't run the command as root, it will
not be able to read the (local) $HOME/.ssh/authorized_keys file of root
(usually under /root/).
Alternatively, use the sshd_config native mechanisms to apply the
AuthorizedKeysCommand ONLY to non-root users, using an appropriate Match
stanza (with AuthorizedKeysCommand only for "User *,!root").
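As an added example (not from the package's own documentation), an sshd_config fragment for the Match-based alternative just described: the command runs as a dedicated unprivileged account and only for non-root users, so root keeps its local authorized_keys file whether or not LDAP is reachable. The account name sshlpk is an assumption; sshlpk-akfgen must then be able to read its config file and bind-password file as that account, and sshd requires the command to be owned by root and not writable by group or others.

```text
# Global settings stay in force for root: keys come from the local file only
AuthorizedKeysFile .ssh/authorized_keys

# Everyone except root is resolved through LDAP by sshlpk-akfgen, which runs
# as an unprivileged account rather than root (least privilege)
Match User *,!root
    AuthorizedKeysCommand     /usr/local/sbin/sshlpk-akfgen
    AuthorizedKeysCommandUser sshlpk
    AuthorizedKeysFile        /dev/null
```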


Usage: sshlpk-akfgen.ed2025 [-v] [-configfile perlish-config] [-H ldap-url] [-b baseDN]
  [-f filter] [--akfile AKFile-pattern] [--sssd-config|S file] [--sssd-domain domain]
  [--binddn|D DN] [--bindpwfile|y file] [-L non-ldap-accounts-regex]
  [--filter_user uid|_NSS]* [-F syslogfacility] [-u uid] [uid]

  -C cfgfile    Config file in Perl syntax
  -H ldapurl    LDAP URL (default: ldaps://ldap.nikhef.nl/)
                set to '_NSS' to use the first value from sssd domain
  -b basedn     LDAP DIT Base DN (default: dc=farmnet,dc=nikhef,dc=nl) or '_NSS'
  --akfile pat  AuthorizedKeysFile-pattern (only tokens %h and %u recognised)
                default: %h/.ssh/authorized_keys
  -u uid        username to search for (takes precedence over ARGV[0])

Advanced options
  --sssd-config|S <file>
        Read LDAP bindDN and password (plaintext) from sssd config <file>
        SSSD parsing is only used when option is set (in config or argument)
  --sssd-domain <domain>
        Within the sssd config file, read data from domain <domain>
  --filter_user <uid>
        also add <uid> to the list of users that use local (non-LDAP) lookup,
        like the "-L" localaccounts regex. The token '_NSS' is expanded
        to the filter_users list in the 'nss' section of sssd.conf if an
        sssd configuration file is provided (which typically includes
        'root,ldap'). Typical usage '-L _NSS'
  --localaccounts-regex|L regex
        accounts that will not be looked up in LDAP (anchored regex,
        default: '(root)')
  -D binddn
        bind to directory as <binddn> (set to _NSS to read from sssd.conf)
  -y bindpwfile
        read the bind password from the file <bindpwfile>
        (it can also be set in config file with '$ldapbindpw=""'
         but then protect the config file!)
  --prefix|P options-string
        prepend each line in the output with '<options-string><SP>' followed
        by the ssh key. The following tokens are expanded:
            @UID@         uid of the user as specified in the arguments
            %u, %U, %h, %l  uid, uidnumber, homedirectory, loginshell
        Typical use:
            -P 'command="/usr/bin/yes bye @UID@",no-port-forwarding'



Example /usr/local/etc/sshlpk-akfgen.conf:

 $localaccounts = '(root|apache)';
 @localaccountslist = ( '_NSS' ); 
 $ldapurl       = 'ldaps://ldap.example.org/';
 $ldapbase      = 'dc=example,dc=org';
 $localkeysfile = '%h/.ssh/authorized_keys';
 $logfacility   = 'authpriv';

It uses Sys::Syslog to write to syslog for auditing purposes.
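As an added example (not code from the package, whose tools are written in Perl), the following Python models the rules described above for both tools: the anchored $localaccounts regex and filter_users list of sshlpk-akfgen that force a local-file lookup and never consult LDAP, the %h/%u expansion of the akfile pattern, the removal of any options stored in front of the key in sshPublicKey (the -c/--prefix behaviour, generalised here from the " ssh-.sa " and " \d+ \d+ " tokens to all OpenSSH key types), and the prefix tokens of both mkgroup-sshlpk and sshlpk-akfgen. The directory entries, local home directories and key material are constructed sample data, and the _NSS expansion from sssd.conf is represented by passing the filter list directly.

```python
import re

# Constructed stand-in for LDAP posixAccount/openssh-lpk entries and local passwd data
SAMPLE_LDAP = {"z66": {
    "uidNumber": "1066", "gidNumber": "100", "homeDirectory": "/user/z66", "loginShell": "/bin/bash",
    "sshPublicKey": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...key1 z66@laptop",
                     'from="10.0.0.1",no-pty ssh-rsa AAAAB3NzaC1yc2E...key2 z66@old',
                     "2048 65537 1234567890 z66@rsa1", "not a key"]}}
LOCAL_HOMES = {"root": "/root", "apache": "/var/www"}   # stands in for getpwnam()

# Start of the key proper: an OpenSSH key type (ssh-*, ecdsa-*, sk-*) or the RSA1 "bits exponent" form
KEY_START = re.compile(r"(?:^|\s)(?=(?:ssh-|ecdsa-|sk-)\S+\s|\d+\s\d+\s)")

def uses_local_file(uid, localaccounts=r"(root)", filter_users=()):
    """True if uid must be served from the local file and never looked up in LDAP."""
    # fullmatch anchors the regex at both ends: '(root)' matches 'root' only, not 'nonroot'
    return re.fullmatch(localaccounts, uid) is not None or uid in filter_users

def expand_akfile(pattern, uid, home):
    """Expand the AuthorizedKeysFile-style pattern; only %h and %u are recognised."""
    return pattern.replace("%h", home).replace("%u", uid)

def expand_prefix(prefix, uid, entry):
    """Expand the option-string tokens of both tools: @UID@/@GID@/@UIDNUMBER@ and %u/%U/%h/%l."""
    tokens = {"@UID@": uid, "@GID@": entry["gidNumber"], "@UIDNUMBER@": entry["uidNumber"],
              "%u": uid, "%U": entry["uidNumber"], "%h": entry["homeDirectory"],
              "%l": entry["loginShell"]}
    for tok, val in tokens.items():
        prefix = prefix.replace(tok, val)
    return prefix

def strip_old_options(key):
    """Drop any options stored in front of the key in the sshPublicKey attribute; None if not a key."""
    m = KEY_START.search(key)
    return key[m.end():] if m else None

def authorized_keys(uid, prefix="", directory=SAMPLE_LDAP, localaccounts=r"(root)",
                    filter_users=(), akfile="%h/.ssh/authorized_keys"):
    """Return ('local', path) for protected accounts, else ('ldap', list of authorized_keys lines)."""
    if uses_local_file(uid, localaccounts, filter_users):
        return "local", expand_akfile(akfile, uid, LOCAL_HOMES.get(uid, "/home/" + uid))
    entry = directory.get(uid)
    if entry is None:
        return "ldap", []          # unknown user: no lines, so sshd accepts no key
    opts = expand_prefix(prefix, uid, entry)
    lines = [k for k in map(strip_old_options, entry["sshPublicKey"]) if k]
    return "ldap", [(opts + " " + line) if opts else line for line in lines]
```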



License
-------
Copyright 2008-2025 David Groep, Nikhef

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this work except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.