/[pdpsoft]/trunk/nl.nikhef.ndpf.tools/mkgroup-sshlpk/README.txt
Diff of /trunk/nl.nikhef.ndpf.tools/mkgroup-sshlpk/README.txt

revision 3191 by davidg, Mon Jan 5 08:20:21 2009 UTC revision 3192 by davidg, Sat Jun 10 19:25:16 2017 UTC
# Line 1  Line 1 
1    SSH with LDAP Public Keys - a basic toolbox
2    -------------------------------------------
3    
4    The "mkgroup-sshlpk" (for "SSH Ldap Public Keys") is a set of two scripts
5    that ease the integration of using directories of users in LDAP for logging
6    in with SSH:
7    
8     mkgroup-sshlpk - generate SSH authorized keys files based on LDAP groups
9                      and users, including filtering on (DN-based) groups and
10                      attribute filters
11    
12     sshlpk-akfgen  - generate dynamically per-user authorized keys files for
13                      use with the AuthorizedKeysCommand directive in the ssh
14                      server config
15    
16    The LDAP directory should follow RFC2307 guidance, the popular "openssh-lpk"
17    schema (Mark Ruijter et al.), and use either the groupofNames or
18    groupOfUniqueNames structure for members (uniqueMembers). Some defaults are
19    set to correspond to the deployment at Nikhef, but all can trivially be
20    changed using command-line options or the default config file (akfgen).
21    
22    
23    mkgroup-sshlpk
24    --------------
25  Generate a list of all unique sshPublicKeys for all members of the  Generate a list of all unique sshPublicKeys for all members of the
26  directory groups specified on the command line.  directory groups or uids specified on the command line.
27    
28  Usage: ./mkgroup-sshlpk [-h] [-H uri] [-b DITbase] [-o file] [-f] [-v[v]]  Usage: ./mkgroup-sshlpk [-h] [-c|--comand strin] [-H uri] [-b DITbase] [-o file]
29  groupRDN [groupRDN]            [-f] [-v[v]] RDN [RDN ...]
30    -h       Display this help text    -h         Display this help text
31    -H uri   Connect to LDAP server at <uri>    --uid|-u   Retrieve also sshPublicKeys for uids besides also groups
32               (default: ldaps://teugel.nikhef.nl/)    --filter=s Use an LDAP filter to limit results (applies recursively)
33    -b base  Search base DIT for groups                 (default: (objectclass=*))
34               (default: ou=DirectoryGroups,dc=farmnet,dc=nikhef,dc=nl)                 NOTE: explicitly listed entries must all match filter
35    -c prfx  Prefix pre-pended to each line written. Any text in the    -H uri     Connect to LDAP server at <uri>
36             original sshPublicKey attribute before the tokens " ssh-.sa "                 (default: ldaps://ldap.nikhef.nl/)
37             or " d+ d+ " is replaced.    -b base    Search base DIT for groups
38    -o file  Writing list of sshPublicKeys to <file>                 (default: dc=farmnet,dc=nikhef,dc=nl)
39             (only when at least one sshPublicKey is retrieved, unless    -c prfx    Prefix pre-pended to each line written. Any text in the
40             -f is also specified)               original sshPublicKey attribute before the tokens " ssh-.sa "
41    -f       Force writing even if the list of keys is empty               or " \d+ \d+ " is replaced.
42                 In the prefix itself, @UID@, @GID@, @UIDNUMBER@ are replaced
43      -o file    Writing list of sshPublicKeys to <file>
44                 (only when at least one sshPublicKey is retrieved, unless
45                 -f is also specified)
46      -f         Force writing even if the list of keys is empty
47      -q         Quiet: do not warn about missing entries
48      -U         Add uidName and uidNumber as comment at and of each line
49    
50    groupRDN   name of groups to traverse for members (list)    RDN   name of groups (or uids) to traverse for members (list)
51                 NOTE: it will search through the whole directory for these
52                 group names or uids (provided there are keys there)
53    
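Review bot: the new Usage line `[-c|--comand strin]` has two typos (it should read `--command string`), and the `-U` option text says "at and of each line" where "at end of each line" is meant; both should be corrected before this README ships. The `RDN` description together with the later `mkgroup-sshlpk -q -u \*` example shows that the names given on the command line are placed into an LDAP search filter with wildcards honoured, so the description should say so explicitly and advise that only literal, trusted group or uid names be passed (a name containing filter metacharacters widens the search and therefore the set of keys written out).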
54  Example:  Example:
55    ./mkgroup-sshlpk systemAdministrators nDPFPrivilegedUsers    mkgroup-sshlpk systemAdministrators
56      mkgroup-sshlpk -u systemAdministrators z66
57      mkgroup-sshlpk -u systemAdministrators z66
58      mkgroup-sshlpk -c 'command="svnserve -t -r /project/srv/svn --tunnel-user=@UID@",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty' -o ~svn/.ssh/authorized_keys nDPFSubversionUsers
59      mkgroup-sshlpk -H ldaps://ldap.example.org/ -b dc=example,dc=org -o /root/.ssh/authorized_keys privilegedUsers
60    
61    and of course "mkgroup-sshlpk -q -u \*" will retrieve all keys from the
62    directory ...
63    
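Review bot: the example `mkgroup-sshlpk -u systemAdministrators z66` is listed twice in a row; drop the duplicate. The `-c` example substitutes `@UID@` inside a `command="..."` option: the `-c prfx` text should state which characters the substituted uid, gid and uidNumber values are restricted to, since a directory value containing a double quote or comma would not stay inside the quoted option in the generated authorized_keys line.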
64  Dependencies:  Dependencies:
65    perl-LDAP, and perl-IO-Socket-SSL & perl-Net-SSLeay for ldaps (0)    perl-LDAP, and perl-IO-Socket-SSL & perl-Net-SSLeay for ldaps
66    
67    
68    
69    sshlpk-akfgen
70    -------------
71    This tool - by its nature of generating output that must look like an ssh
72    authorized_keys file - takes configuration from a configuration file
73    (default: /usr/local/etc/sshlpk-akfgen.conf)
74    
75    The script includes a couple of safeguards to ensure that root (and
76    similar users, as specified in the configuration file directive anchored
77    regex $localaccounts) can login even if ldap is down and will ALWAYS use a
78    local file, not LDAP. That's also safer for security reasons not to have
79    unexpected ldap-based root login - if somebody manages to make a "uid=root"
80    user in LDAP ...
81    
82    Use this command via the sshd_config file directives:
83       AuthorizedKeysCommand     /usr/local/sbin/sshlpk-akfgen
84       AuthorizedKeysCommandUser root
85       AuthorizedKeysFile        /dev/null
86    note that this needs root privs to read the local file for root login as
87    per the description above. If you don't run this as root, it will not be
88    able to read the (local) $HOME/.ssh/authorized_keys file for root (usually
89    under /root/).
90    
91    Example /usr/local/etc/sshlpk-akfgen.conf:
92    
93     $localaccounts = '(root|apache)';
94     $ldapurl       = 'ldaps://ldap.example.org/';
95     $ldapbase      = 'dc=example,dc=org';
96     $localkeysfile = '%h/.ssh/authorized_keys';
97     $loginfo="authpriv.info";
98    
99    By default, it will use the "/bin/logger" command to write its actions
100    and failures to syslog, and expand "%u" and "%h" in the localkeysfile
101    template.
102    
103    
104    License
105    -------
106    Copyright 2008-2017 David Groep, Nikhef
107    
108    Licensed under the Apache License, Version 2.0 (the "License");
109    you may not use this work except in compliance with the License.
110    You may obtain a copy of the License at
111    
112        http://www.apache.org/licenses/LICENSE-2.0
113    
114    Unless required by applicable law or agreed to in writing, software
115    distributed under the License is distributed on an "AS IS" BASIS,
116    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
117    See the License for the specific language governing permissions and
118    limitations under the License.
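Review bot: the example /usr/local/etc/sshlpk-akfgen.conf uses Perl assignment syntax, which suggests the file is evaluated as Perl by a script that sshd runs as root (AuthorizedKeysCommandUser root); the README should require that this file be owned by root and not group- or world-writable. Also, the prose calls `$localaccounts` an "anchored regex" but the example value `'(root|apache)'` carries no anchors; state whether the script adds `^...$` itself, otherwise a reader may write a pattern that also matches longer names.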
