Using LDAP to Store SSH Public Keys with SSSD

Previously I used Puppet to manage distributing SSH public keys for our administrative users to each desktop. Now I'm changing that to store their keys in OpenLDAP. It's actually pretty easy if you're using SSSD for managing the computer's security setup.

Start by preparing OpenLDAP

Add the following LDIF file into your server schema. If you run multiple servers with replication, you must add this to each one individually.

dn: cn=openssh-openldap,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicKey $
  uid ) )

You can add it to an OLC configured OpenLDAP server using something like the following while you are root:

ldapadd -Y EXTERNAL -H ldapi:/// -f addpubkeys.ldif

Once the schema is available, use your favorite tool to add the "ldapPublicKey" objectClass to each user who will have keys. This will require you add at least one sshPublicKey entry. You can add multiple in case your user's have multiple source devices like a tablet or laptop that have a different set of keys.

Next, add the option to your /etc/sssd/sssd.conf file:

[sssd]
config_file_version = 2
services = nss,pam,ssh
...

Finally, configure the SSH Server

The final step is to add a couple of lines to your /etc/ssh/sshd_config file. Using "sudo nano /etc/ssh/sshd_config" just add the following to the end:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root

Now when a user attempts to SSH to that machine, Open-SSH Server will ask SSSD for a list of the user's public keys. SSSD will pull those keys from OpenLDAP.