Index of /pdp/ndpf/files/packages/mkgroup-sshlpk
Name Last modified Size
README.txt 2017-06-10 21:21 5.0K
mkgroup-dnlist 2022-01-23 16:04 5.4K
mkgroup-sshlpk 2022-01-23 16:04 8.0K
mkgroup-sshlpk-1.8-3.noarch.rpm 2017-06-10 21:25 9.5K
mkgroup-sshlpk-1.8-3.src.rpm 2017-06-10 21:25 43K
mkgroup-sshlpk-1.8.src.tgz 2017-06-10 21:25 41K
mkgroup-sshlpk-1.11-1.noarch.rpm 2021-03-07 10:23 12K
mkgroup-sshlpk-1.11-1.src.rpm 2021-03-07 10:23 15K
mkgroup-sshlpk-1.11-3.noarch.rpm 2021-03-23 14:22 12K
mkgroup-sshlpk-1.11-3.src.rpm 2021-03-23 14:22 15K
mkgroup-sshlpk-1.11-4.noarch.rpm 2021-04-06 08:23 13K
mkgroup-sshlpk-1.11.src.tgz 2021-03-23 14:22 13K
mkgroup-sshlpk_1.11-1.deb 2021-03-07 10:23 8.8K
mkhomedir-sshlpk 2022-01-23 16:04 1.7K
openssh-lpk.schema 2008-12-19 09:19 554
sshlpk-akfgen 2022-01-23 16:04 2.8K
sshlpk-list 2022-01-23 16:04 1.2K
SSH with LDAP Public Keys - a basic toolbox
-------------------------------------------
The "mkgroup-sshlpk" (for "SSH Ldap Public Keys") is a set of two scripts
that ease the integration of using directories of users in LDAP for logging
in with SSH:
mkgroup-sshlpk - generate SSH authorized keys files based on LDAP groups
and users, including filtering on (DN-based) groups and
attribute filters
sshlpk-akfgen - generate dynamically per-user authorized keys files for
use with the AuthorizedKeysCommand directive in the ssh
server config
The LDAP directory should follow RFC2307 guidance, the popular "openssh-lpk"
schema (Mark Ruijter et al.), and use either the groupofNames or
groupOfUniqueNames structure for members (uniqueMembers). Some defaults are
set to correspond to the deployment at Nikhef, but all can trivially be
changed using command-line options or the default config file (akfgen).
mkgroup-sshlpk
--------------
Generate a list of all unique sshPublicKeys for all members of the
directory groups or uids specified on the command line.
Usage: ./mkgroup-sshlpk [-h] [-c|--comand strin] [-H uri] [-b DITbase] [-o file]
[-f] [-v[v]] RDN [RDN ...]
-h Display this help text
--uid|-u Retrieve also sshPublicKeys for uids besides also groups
--filter=s Use an LDAP filter to limit results (applies recursively)
(default: (objectclass=*))
NOTE: explicitly listed entries must all match filter
-H uri Connect to LDAP server at <uri>
(default: ldaps://ldap.nikhef.nl/)
-b base Search base DIT for groups
(default: dc=farmnet,dc=nikhef,dc=nl)
-c prfx Prefix pre-pended to each line written. Any text in the
original sshPublicKey attribute before the tokens " ssh-.sa "
or " \d+ \d+ " is replaced.
In the prefix itself, @UID@, @GID@, @UIDNUMBER@ are replaced
-o file Writing list of sshPublicKeys to <file>
(only when at least one sshPublicKey is retrieved, unless
-f is also specified)
-f Force writing even if the list of keys is empty
-q Quiet: do not warn about missing entries
-U Add uidName and uidNumber as comment at and of each line
RDN name of groups (or uids) to traverse for members (list)
NOTE: it will search through the whole directory for these
group names or uids (provided there are keys there)
Example:
mkgroup-sshlpk systemAdministrators
mkgroup-sshlpk -u systemAdministrators z66
mkgroup-sshlpk -u systemAdministrators z66
mkgroup-sshlpk -c 'command="svnserve -t -r /project/srv/svn --tunnel-user=@UID@",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty' -o ~svn/.ssh/authorized_keys nDPFSubversionUsers
mkgroup-sshlpk -H ldaps://ldap.example.org/ -b dc=example,dc=org -o /root/.ssh/authorized_keys privilegedUsers
and of course "mkgroup-sshlpk -q -u \*" will retrieve all keys from the
directory ...
Dependencies:
perl-LDAP, and perl-IO-Socket-SSL & perl-Net-SSLeay for ldaps
sshlpk-akfgen
-------------
This tool - by its nature of generating output that must look like an ssh
authorized_keys file - takes configuration from a configuration file
(default: /usr/local/etc/sshlpk-akfgen.conf)
The script includes a couple of safeguards to ensure that root (and
similar users, as specified in the configuration file directive anchored
regex $localaccounts) can login even if ldap is down and will ALWAYS use a
local file, not LDAP. That's also safer for security reasons not to have
unexpected ldap-based root login - if somebody manages to make a "uid=root"
user in LDAP ...
Use this command via the sshd_config file directives:
AuthorizedKeysCommand /usr/local/sbin/sshlpk-akfgen
AuthorizedKeysCommandUser root
AuthorizedKeysFile /dev/null
note that this needs root privs to read the local file for root login as
per the description above. If you don't run this as root, it will not be
able to read the (local) $HOME/.ssh/authorized_keys file for root (usually
under /root/).
Example /usr/local/etc/sshlpk-akfgen.conf:
$localaccounts = '(root|apache)';
$ldapurl = 'ldaps://ldap.example.org/';
$ldapbase = 'dc=example,dc=org';
$localkeysfile = '%h/.ssh/authorized_keys';
$loginfo="authpriv.info";
By default, it will use the "/bin/logger" command to write its actions
and failures to syslog, and expand "%u" and "%h" in the localkeysfile
template.
License
-------
Copyright 2008-2017 David Groep, Nikhef
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this work except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.