SSH with LDAP Public Keys - a basic toolbox
-------------------------------------------
The "mkgroup-sshlpk" toolbox (for "SSH LDAP Public Keys") is a set of two
scripts that ease using a directory of users in LDAP for logging in with
SSH:
  mkgroup-sshlpk - generate SSH authorized keys files based on LDAP groups
                   and users, including filtering on (DN-based) groups and
                   attribute filters

  sshlpk-akfgen  - generate dynamically per-user authorized keys files for
                   use with the AuthorizedKeysCommand directive in the ssh
                   server config
The LDAP directory should follow RFC2307 guidance and the popular "openssh-lpk"
schema (Mark Ruijter et al.), and use either the groupOfNames or
groupOfUniqueNames structure for members (uniqueMember). Some defaults are
set to correspond to the deployment at Nikhef, but all can trivially be
changed using command-line options or the default config file (for akfgen).
mkgroup-sshlpk
--------------
Generate a list of all unique sshPublicKeys for all members of the
directory groups or uids specified on the command line.
Usage: ./mkgroup-sshlpk [-h] [-u] [--filter=s] [-c|--command string] [-H uri]
                        [-b DITbase] [-o file] [-f] [-q] [-U] [-v[v]] RDN [RDN ...]
  -h          Display this help text
  --uid|-u    Also retrieve sshPublicKeys for uids, not only for groups
  --filter=s  Use an LDAP filter to limit results (applies recursively)
              (default: (objectclass=*))
              NOTE: explicitly listed entries must all match the filter
  -H uri      Connect to LDAP server at <uri>
              (default: ldaps://ldap.nikhef.nl/)
  -b base     Search base DIT for groups
              (default: dc=farmnet,dc=nikhef,dc=nl)
  -c prfx     Prefix prepended to each line written. Any text in the
              original sshPublicKey attribute before the tokens " ssh-.sa "
              or " \d+ \d+ " is replaced.
              In the prefix itself, @UID@, @GID@ and @UIDNUMBER@ are replaced
  -o file     Write the list of sshPublicKeys to <file>
              (only when at least one sshPublicKey is retrieved, unless
              -f is also specified)
  -f          Force writing even if the list of keys is empty
  -q          Quiet: do not warn about missing entries
  -U          Add uidName and uidNumber as a comment at the end of each line

  RDN         Name of the groups (or uids) to traverse for members (list)
              NOTE: it will search through the whole directory for these
              group names or uids (provided there are keys there)
Example:
  mkgroup-sshlpk systemAdministrators
  mkgroup-sshlpk -u systemAdministrators z66
  mkgroup-sshlpk -c 'command="svnserve -t -r /project/srv/svn --tunnel-user=@UID@",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty' -o ~svn/.ssh/authorized_keys nDPFSubversionUsers
  mkgroup-sshlpk -H ldaps://ldap.example.org/ -b dc=example,dc=org -o /root/.ssh/authorized_keys privilegedUsers

and of course "mkgroup-sshlpk -q -u \*" will retrieve all keys from the
directory ...
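The -c prefix and -U comment options rewrite every sshPublicKey value that is retrieved, as described in the usage text above. The following is an added Python illustration of that rewriting, not code from the mkgroup-sshlpk script; the function names, the sample key value and the choice to reject a value whose key start is not recognised are assumptions.

```python
import re

# Added illustration of the -c/-U line rewriting described in the usage text:
# a hypothetical reimplementation in Python, not mkgroup-sshlpk's own code.
# The key material starts at " ssh-.sa " (ssh-rsa, ssh-dsa) or " <n> <n> "
# (SSH1 RSA); note that ssh-ed25519 and ecdsa-sha2-* keys match neither token.
KEY_START = re.compile(r'(?:^| )(ssh-.sa |\d+ \d+ )')

def key_offset(attr):
    """Index where the key type/material begins, or None if not recognised."""
    m = KEY_START.search(attr)
    return None if m is None else m.start(1)

def expand_prefix(prefix, uid, gid, uidnumber):
    """Substitute @UID@, @GID@ and @UIDNUMBER@ in a -c prefix."""
    return (prefix.replace('@UID@', uid)
                  .replace('@GID@', str(gid))
                  .replace('@UIDNUMBER@', str(uidnumber)))

def authorized_line(attr, prefix=None, uid='', gid=0, uidnumber=0, comment=False):
    """Turn one raw sshPublicKey attribute value into an authorized_keys line.

    With a prefix, any options already present before the key are dropped and
    replaced by the expanded prefix (so a key cannot carry its own options).
    With comment=True the uid and uidNumber are appended; sshd treats all text
    after the base64 key as the comment field, like -U.
    """
    line = attr.strip()
    if prefix is not None:
        off = key_offset(line)
        if off is None:
            # Assumption: refuse values whose key start is unknown instead of
            # guessing where the options end and emitting a malformed line.
            raise ValueError('unrecognised sshPublicKey value: %r' % line)
        pre = expand_prefix(prefix, uid, gid, uidnumber)
        line = (pre + ' ' if pre else '') + line[off:]
    if comment:
        line += ' %s %d' % (uid, uidnumber)
    return line

# Constructed sample: a key value that already carries options of its own.
SAMPLE_KEY = 'from="10.0.0.1",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB alice@laptop'
SVN_PREFIX = ('command="svnserve -t -r /project/srv/svn --tunnel-user=@UID@",'
              'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty')
```

Because the prefix replaces whatever precedes the key, a user cannot smuggle their own `command=` or `from=` options into the generated file through the directory attribute.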
Dependencies:
  perl-LDAP, and perl-IO-Socket-SSL & perl-Net-SSLeay for ldaps
sshlpk-akfgen
-------------
This tool - by its nature of generating output that must look like an ssh
authorized_keys file - takes its configuration from a configuration file
(default: /usr/local/etc/sshlpk-akfgen.conf)
The script includes a couple of safeguards to ensure that root (and
similar users, as matched by the anchored regex in the configuration file
directive $localaccounts) can log in even if LDAP is down: for these
accounts it will ALWAYS use a local file, never LDAP. That is also safer for
security reasons, as it avoids unexpected LDAP-based root logins if somebody
manages to create a "uid=root" user in LDAP ...
Use this command via the sshd_config file directives:
  AuthorizedKeysCommand /usr/local/sbin/sshlpk-akfgen
  AuthorizedKeysCommandUser root
  AuthorizedKeysFile /dev/null
Note that this needs root privileges to read the local file for root logins,
as per the description above. If you don't run it as root, it will not be
able to read the (local) $HOME/.ssh/authorized_keys file of root (usually
under /root/).
Example /usr/local/etc/sshlpk-akfgen.conf:

  $localaccounts = '(root|apache)';
  $ldapurl = 'ldaps://ldap.example.org/';
  $ldapbase = 'dc=example,dc=org';
  $localkeysfile = '%h/.ssh/authorized_keys';
  $loginfo="authpriv.info";
By default, it will use the "/bin/logger" command to write its actions
and failures to syslog, and expand "%u" and "%h" in the localkeysfile
template.
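The safeguard described above (local accounts are served from the local file and never from LDAP, whatever the state of the directory) is illustrated by the following added Python example, which is not the sshlpk-akfgen script's own code; the function names, the injected directory lookup and the constructed sample files are assumptions, and the config values mirror the example conf above.

```python
import io
import re

# Added illustration of the sshlpk-akfgen safeguard: accounts matching the
# anchored $localaccounts regex are served from the local file and are never
# looked up in LDAP. Hypothetical Python reimplementation, not the script's own
# code; the directory and filesystem are injected so the example runs offline.
CONF = {  # mirrors the example sshlpk-akfgen.conf above
    'localaccounts': '(root|apache)',
    'localkeysfile': '%h/.ssh/authorized_keys',
}

def is_local_account(user, conf=CONF):
    """Anchored match: 'root' is local, 'rootbeer' or 'chroot' are not."""
    return re.fullmatch(conf['localaccounts'], user) is not None

def local_keys_path(user, home, conf=CONF):
    """Expand %u and %h in the localkeysfile template."""
    return conf['localkeysfile'].replace('%u', user).replace('%h', home)

def authorized_keys(user, home, ldap_lookup, conf=CONF, read=open):
    """Return the authorized_keys text sshd should use for `user`.
    ldap_lookup(user) yields the sshPublicKey values; it is never called for
    a local account, so an LDAP outage or a rogue uid=root entry is harmless.
    """
    if is_local_account(user, conf):
        try:
            with read(local_keys_path(user, home, conf)) as f:
                return f.read()
        except OSError:
            return ''  # no local file: deny, never fall back to LDAP
    return ''.join(key + '\n' for key in ldap_lookup(user))

# Constructed sample filesystem and directory; the 'root' directory entry is
# exactly the kind of entry the safeguard must ignore.
FAKE_FILES = {'/root/.ssh/authorized_keys': 'ssh-rsa AAAAlocal root@box\n'}
FAKE_DIRECTORY = {'alice': ['ssh-rsa AAAAalice alice@laptop'],
                  'root': ['ssh-rsa AAAArogue nobody@nowhere']}
LDAP_CALLS = []  # records which users were looked up in the directory

def fake_open(path):
    if path not in FAKE_FILES:
        raise FileNotFoundError(path)
    return io.StringIO(FAKE_FILES[path])

def fake_ldap(user):
    LDAP_CALLS.append(user)
    return FAKE_DIRECTORY.get(user, [])
```

Calling authorized_keys with the real open() and an ldap_lookup that performs the directory search gives the same decision logic against a live system.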
License
-------
Copyright 2008-2017 David Groep, Nikhef

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this work except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

