Comments on Another I.T. blog: HOWTO : Configure OpenSSH to Fetch Public Keys from OpenLDAP for Authentication on CentOS
Blog author: Arse. Comment feed last updated 2023-08-05.

Comments, oldest first.

Arse, 2015-11-23T09:07-05:00:
Great!

Prem, 2016-02-12T08:31-05:00:
Hi David, is there a way to restrict the sftp/ssh users from using the mkdir or rmdir commands? I would really appreciate it if you can provide some pointers.

Arse, 2016-02-12T11:28-05:00:
Hey Prem,

Once a user has logged in via SSH, the only way to control the mkdir command is by leveraging UNIX permissions or ACLs.

Check the chmod(1) and setfacl(1) commands and man pages.

I would suggest trying to solve your use cases with UNIX permissions before trying your luck with ACLs.

Good luck,

David

Prem, 2016-02-12T11:58-05:00:
Thanks David

Prem, 2016-02-18T17:28-05:00:
Hi David,

Is there a way to get $RHOST (remote host id) and send it as a parameter to ssh_ldap_wrapper, to do IP validation along with getting the public key?

Thank You,
Prem

Arse, 2016-02-18T20:48-05:00:
Hey Prem,

I honestly don't know. But maybe you can check if the ssh_ldap_wrapper is a script? If so, then you might be able to edit it.

But maybe it's easier to use iptables to filter out unwanted IP addresses from reaching TCP port 22. Or just let the known ones reach it.

I'm sorry I can't help you more. Good luck!

DA+

Prem, 2016-02-19T04:46-05:00:
Thanks for your suggestions.

Anonymous, 2016-04-19T14:23-04:00:
Awesome! Thank you.

Arse, 2016-04-19T14:26-04:00:
My pleasure. Glad you liked it :)

Anonymous, 2016-06-26T00:34-04:00:
    ldapmodify -axZWD cn=admin,dc=domain,dc=com -f ~/ldap/openssh-ldap.ldif
    Enter LDAP Password:
    adding new entry "cn=openssh-openldap,cn=schema,cn=config"
    ldap_add: Insufficient access (50)

Any idea why this would happen?
Everything is working fine as far as it goes. I am able to serve up people with my LDAP server, and I have added an OU and tested; the admin account can do anything (it's the rootDN). Why do I face insufficient access on this step? (Running CentOS 6.6 final)

Let me know!

Arse, 2016-06-26T07:08-04:00:
Hey,

This looks like an ACL issue on the cn=config database. What do these look like? And what error message do you see in the logs when this happens?

HTH,

DA+

Anonymous, 2016-06-26T12:06-04:00:
Hello David,

It was indeed empty, thanks.
Although, now attempting the same thing gives me this:

    ldapmodify -axZWD cn=admin,dc=domain,dc=com -f ~/ldap/openssh-ldap.ldif
    Enter LDAP Password:
    adding new entry "cn=openssh-openldap,cn=schema,cn=config"
    ldap_add: Other (e.g., implementation specific) error (80)

Can I have a snippet of your "/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif"?

I think there is an issue with how I can access this database, and I would like to see how you manage to do yours.

Thanks,
Kevin

Arse, 2016-06-27T10:33-04:00:
Hey Kevin,

Do you have the dn: cn={14}openssh-lpk-openldap,cn=schema,cn=config schema installed? You can run an ldapsearch on « -b cn=config dn » to see if it's there. It's required for this to work of course. Just checking :)

Now, the ACL I have on the cn=config database is this:

    sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b olcDatabase={0}config,cn=config olcAccess

    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
     l,cn=auth" manage by dn.base="cn=admin,dc=example,dc=
     com" manage by dn.regex="uid=.*/admin,cn=example.com,
     cn=gssapi,cn=auth" manage by * none

Make sure you have a full backup of your environment before you start playing with ACLs, as you can lock yourself out. Also, for some reason I have yet to understand, sometimes OpenLDAP will change your ACL entries from normal, readable text to what looks like the result of a hash function. That makes editing and debugging really, really hard once that's done. It sort of happens when the number of ACL lines and the size of it become big. If someone knows why this happens, kindly let me know!

Good luck!

HTH,

David

Arse, 2016-06-27T10:35-04:00:
Humm, the olcAccess output in the above comment is not good. OpenLDAP ACLs are very sensitive to how they are written with regards to line breaks. Don't simply copy and paste this. Make sure you use the proper OpenLDAP tools to edit your ACLs (which is via LDIF files and, yes, it can be quite a pain).

Anonymous, 2016-06-27T20:17-04:00:
Hey David,
I was able to finally add the Pubkey parameter to the config database!

Using your Access helped me get access to upload that to my config database.

I finalized your guide. However, I am not able to log in using a public/private key yet. It simply just does not ask / deny me. I only log in using user/password and it works... while this shouldn't.

Question:
sudo vim /etc/ssh/sshd_config
AND
sudo vim /etc/ssh/ldap.conf

Do you do these steps on the client machine (the one that you want to authenticate users to the LDAP server), or on the LDAP server itself?

I have applied both of these on my client machine (there was no /etc/ssh/ldap.conf file yet..?)

I feel like something is missing to activate the public/private key.

Let me know!

Arse, 2016-06-28T09:28-04:00:
Hey there,

About the sshd_config and ldap.conf files, both of these need to be modified on the client machine (i.e. the one you try to ssh into). The /etc/ssh/sshd_config configures the sshd daemon. In there, the line « AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper » instructs the /usr/sbin/sshd daemon that it can use the « /usr/libexec/openssh/ssh-ldap-wrapper » command to fetch Authorized Keys from another source (here, the OpenLDAP server). In turn, the « /usr/libexec/openssh/ssh-ldap-wrapper » file is a small shell script:

    #!/bin/sh

    exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"

    # EOF

That shell script requires the proper configuration found in the /etc/ssh/ldap.conf file, because in that one you let the daemon know your OpenLDAP server's hostname, port, connection mechanism, credentials for the bind DN used to contact that OpenLDAP server, the search path, etc.

And yes, the /etc/ssh/ldap.conf file does not exist at first. It is installed by the openssh-ldap RPM package. Make sure you have this one installed, otherwise things won't work. See the files it contains:

    [davidr@client] ~ {1005}$ rpm -ql openssh-ldap
    /usr/libexec/openssh/ssh-ldap-helper
    /usr/libexec/openssh/ssh-ldap-wrapper
    /usr/share/doc/openssh-ldap-5.3p1
    /usr/share/doc/openssh-ldap-5.3p1/HOWTO.ldap-keys
    /usr/share/doc/openssh-ldap-5.3p1/ldap.conf
    /usr/share/doc/openssh-ldap-5.3p1/openssh-lpk-openldap.schema
    /usr/share/doc/openssh-ldap-5.3p1/openssh-lpk-sun.schema
    /usr/share/man/man5/ssh-ldap.conf.5.gz
    /usr/share/man/man8/ssh-ldap-helper.8.gz

To test if you can fetch OpenSSH public keys from the OpenLDAP server, connect to the client machine and simply run the wrapper manually. Like this:

    [davidr@client] ~ {1006}$ /usr/libexec/openssh/ssh-ldap-wrapper davidr
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAA[...truncated...]PKQ1YIl0q81iomLwJwnhwWYzfQbQyUtKprdg6pobUVSf+76D1Svjqv9PbimAD6nw== davidr@workstation

If that doesn't work, then you have an issue somewhere. It might be in the configuration found in /etc/ssh/ldap.conf, or in the OpenLDAP server itself, or an ACL to fetch the public key. If we look at the OpenLDAP server to see the public key, it looks like this:

    [davidr@server] ~ {1020}$ sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=davidr,ou=users,dc=example,dc=com sshPublicKey

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    dn: cn=davidr,ou=users,dc=example,dc=com
    sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAA[...truncated...]PKQ1YIl0q81iomLwJwnhwWYzfQbQyUtKprdg6pobUVSf+76D1Svjqv9PbimAD6nw== davidr@workstation

HTH,

David

Anonymous, 2016-06-28T22:23-04:00:
So actually, it looks like "sudo vim /etc/ssh/ldap.conf" is no longer where the file is, but it is more likely to be in /etc/openldap/ldap.conf.

You might want to change that, since that confused me ;)

Second thing, I am able to add that "objectClass: ldapPublicKey" to my users, but the other parameter "sshPublicKey" just never sticks. I have tried deleting the user and adding a new one with it in, but it gets deleted by the server somehow.

Question: If the user has no sshPublicKey parameter, does the LDAP fall back to only authenticating with user/password?

Because right now that's what mine does; it's only stuck to that.

Let me know and thanks a whole lot again!

Anonymous, 2016-07-09T20:51-04:00:
In reply to this:

If you use CentOS 6.6, please add this to your SSHD.conf:

    RequiredAuthentications2 publickey,password

Dave did not mention it, but in order to have public key auth working, you will need to either disable password auth, or copy-paste this line up there and it will force both password and public key auth.

GL,
Kevin

Anonymous, 2016-08-14T23:00-04:00:
Hello Dave,

I followed through your guide, and I am facing one simple issue.
I cannot log in my users through the LDAP.

See the output from my Bitvise SSH client down here (I have replaced a few things for privacy):

    20:38:41.738 Started a new SSH2 session.
    20:38:41.746 Connecting to SSH2 server "hostname":22.
    20:38:41.786 Connection established.
    20:38:41.806 Server version: SSH-2.0-OpenSSH_5.3
    20:38:41.806 First key exchange started. Cryptographic provider: Windows CNG (x86) with additions
    20:38:41.953 Received host key from the server. Algorithm: RSA, size: 2048 bits, MD5 fingerprint: FINGERPRINT HERE :: :: ::, Bubble-Babble: xuzit-tibel-pumos-gekig-dyris-tipac-dasyc-puhuh-fuhyc-kyneh-coxix, SHA-256 fingerprint: "FINGERPRINT HERE".
    20:38:41.984 First key exchange completed using diffie-hellman-group14-sha1. Session encryption: aes256-ctr, integrity: hmac-sha2-256, compression: none.
    20:38:41.999 Attempting publickey authentication. Testing client key 'Global 1' for acceptance.
    20:38:42.256 The client key 'Global 1' has been accepted.
    20:38:42.256 Attempting publickey authentication. Signing with client key 'Global 1'.
    20:38:42.469 Authentication succeeded. Additional authentication is required. Remaining authentication methods: 'password'.
    20:38:44.360 Authentication failed. Remaining authentication methods: 'password'.
    20:38:57.923 Authentication aborted on user's request.
    20:38:57.941 The SSH2 session has been terminated.

It seems like it can connect and authenticate the public key, but it always fails and crashes at the password authentication level.

I followed Kevin's comment and added "RequiredAuthentications2 publickey,password" to my sshd conf so that it can authenticate with both factors.

Any idea why it can't auth the password? It's the good one, and I have changed it multiple times to ensure it was..

Help would be greatly appreciated!

Anonymous, 2017-08-06T08:08-04:00:
Hi David,

First of all, this series of openldap articles is great, I wish I'd found your blog sooner!

Just one problem: none of your shared files (configurations, ldifs etc.) are available on Dropbox anymore; a 404 page is returned. I presume you have stored all these files in your Public folder which, according to this article, https://www.dropbox.com/help/files-folders/public-folder, is no longer public.

I fully appreciate that you are busy, but it would be great to somehow get these files :)

Cheers

Simon

Anonymous, 2017-11-10T08:12-05:00:
I concur with "Anonymous06 August, 2017 08:08." The articles are great, but the fact is that the ldif examples are gone. I looked up David's GitHub to see if they had moved there, but there are no public facing repositories.

Arse, 2017-11-10T09:03-05:00:
Hey Bill and Unknown, you guys are totally right. I've been pushing this for too long. I thought about doing an AWS S3 share for the files, but the GitHub approach is very interesting. I'll hopefully have time to do this soon. Please don't hesitate to ping me next week if I have not yet done so during the weekend.

Arse, 2017-11-15T13:53-05:00:
Hey Bill,

I've placed all my files in GitHub. The whole repo is not very organized at the moment, but the files are there. Try https://github.com/davidrobillard/blog/tree/master/openldap
Paths have not yet been updated in the blog, but the file names are the same as they were in Dropbox, so one can find them in GitHub too.

HTH,

David

Anonymous, 2017-11-16T08:28-05:00:
Awesome, thank you!