Environment: Ubuntu 14.04 & 16.04 servers, Active Directory on Windows Server 2016, Ubuntu 14.04 & 16.04 clients. Ubuntu servers and clients are not on the domain.
Hello everyone,
I'm a little lost with all the ways to achieve LDAP authentication for SSH, but I can't find a suitable one for me.
My wish: I want to connect to my servers by logging in with "sAMAccount@serverIP"; my SSH keys are stored in my AD (a new field added as odiSSHPubKeys).
My server communicates well with my AD (ldapsearch query). I achieved that by updating my sshd_config:
/etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/auth
AuthorizedKeysCommandUser root
/usr/bin/auth
#!/bin/bash
# Called by sshd as "/usr/bin/auth <login name>" (AuthorizedKeysCommand, default %u argument).
cn="$1"
server=ldap.myad.net          # Put your server IP or hostname
basedn="dc=mydomain,dc=net"   # Put your basedn
port=389
bindUser=myBindUser
bindPass=myBindUserPassword   # -w exposes this in the process list; -y <file> avoids that
#cn=mathieu                   # uncomment to force a user while testing
# Ask only for the key attribute and print its value(s), one key per line.
ldapsearch -LLL -o ldif-wrap=no -x -h "$server" -p "$port" -b "$basedn" -D "$bindUser" -w "$bindPass" -s sub "(sAMAccountName=$cn)" odiSSHPubKeys \
  | sed -n 's/^[ \t]*odiSSHPubKeys:[ \t]*\(.*\)/\1/p'
When I connect to mathieu@192.168.0.231, I'm kicked out at preauth:
/var/log/auth.log
Apr 18 11:56:26 MLL-HV-UBU-16 sshd[9103]: Invalid user mathieu from 192.168.0.114
Apr 18 11:56:26 MLL-HV-UBU-16 sshd[9103]: input_userauth_request: invalid user mathieu [preauth]
Apr 18 11:56:26 MLL-HV-UBU-16 sshd[9103]: Connection closed by 192.168.0.114 port 50152 [preauth]
So my problem is that "mathieu" doesn't exist as a user on my Ubuntu server.
I tried forcing my cn in /usr/bin/auth and logging in with the root account (root@192.168.0.231), and it works, so my /usr/bin/auth is good.
How can I disable the preauth check to let LDAP work?
PS: I don't want login/password authentication (for that solution there are a lot of tutorials, but not many for SSH keys, or old ones).
Thanks for your help
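As an added example (not the poster's /usr/bin/auth), the two checks worth running before touching the key script. sshd resolves the login name through NSS (getpwnam) before it ever runs AuthorizedKeysCommand, so "Invalid user mathieu ... [preauth]" means that lookup failed and the script was never consulted; and whatever name does reach the script is interpolated into an LDAP filter, so it is escaped per RFC 4515 rather than used raw. The login name `mathieu` is the one from the question; the escape rules and `getent` check are standard, nothing here is the project's or the answerer's code.

```shell
#!/bin/sh
# Added example: diagnose the preauth rejection and build a safe LDAP filter
# for an AuthorizedKeysCommand script. Not the original poster's script.

# Does the name resolve through NSS (local passwd, sssd, nslcd, ...)?
# sshd performs this lookup first; no AuthorizedKeysCommand runs until it succeeds.
user_resolves_locally() {
    getent passwd "$1" >/dev/null 2>&1
}

# Escape the RFC 4515 filter metacharacters \ * ( ) as \5c \2a \28 \29.
# Backslash goes first so the escapes introduced afterwards are not re-escaped.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                             -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g' \
                             -e 's/)/\\29/g'
}

# The filter the key script should hand to ldapsearch.
build_filter() {
    printf '(sAMAccountName=%s)' "$(ldap_filter_escape "$1")"
}

# Walk one login name through both checks; status 0 only when sshd would
# actually get as far as running the key lookup.
diagnose() {
    name=$1
    if ! user_resolves_locally "$name"; then
        echo "$name: not known to NSS -> sshd rejects at preauth, key script never runs" >&2
        return 1
    fi
    echo "$name: resolves; key lookup would use filter $(build_filter "$name")"
    return 0
}

# Usage: sh check.sh mathieu   (constructed sample login name from the question)
if [ -n "${1:-}" ]; then
    diagnose "$1"
fi
```

On the poster's server `diagnose mathieu` fails at the first step, which matches the auth.log lines: the fix has to make the name resolvable (an NSS source such as sssd or nslcd, or a local account), not change the key script.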
Best Answer
The best option here is to use sssd for this purpose. I use the AltSecurityIdentities to store the keys and join the servers to the domain using realmd.
Once domain joined, add the following to the /etc/sssd/sssd.conf file under the [domain/] section:
and under the [sssd] section add:
Then to the /etc/ssh/sshd_config add:
Restart both services, and you should be able to log in using your AD username and the password stored in the AltSecurityIdentities extended attribute in AD.
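The answer's three configuration snippets are not reproduced on the page. As an added example (a reconstruction from sssd's and OpenSSH's documented options, not the answerer's own text), here are the fragments it refers to, together with the checks that show each layer works before sshd is involved. `ldap_user_ssh_public_key`, `services`, `use_fully_qualified_names`, `sss_ssh_authorizedkeys` and `AuthorizedKeysCommandUser` are real option and command names; the realm `mydomain.net` and the login name `mathieu` are placeholders taken from the question.

```shell
#!/bin/sh
# Added example: the sssd/sshd fragments the answer refers to, plus layered
# verification. Not the answerer's snippets; realm and user are placeholders.
set -eu

REALM=${REALM:-mydomain.net}   # assumed; `realm list` prints the joined realm

# /etc/sssd/sssd.conf, [domain/<realm>]: which AD attribute carries the key.
sssd_domain_fragment() {
    cat <<EOF
[domain/$REALM]
ldap_user_ssh_public_key = altSecurityIdentities
# optional: accept "mathieu" as the login name instead of "mathieu@$REALM"
use_fully_qualified_names = False
EOF
}

# /etc/sssd/sssd.conf, [sssd]: the ssh responder must be among the services.
sssd_services_fragment() {
    printf '[sssd]\nservices = nss, pam, ssh\n'
}

# /etc/ssh/sshd_config: let sshd ask sssd for keys, as an unprivileged user
# (sss_ssh_authorizedkeys needs no root, unlike the question's script).
sshd_fragment() {
    printf 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n'
    printf 'AuthorizedKeysCommandUser nobody\n'
}

# Given the value of an existing "services =" line, is the ssh responder enabled?
services_has_ssh() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | grep -qx ssh
}

# Verify in the order sshd uses things: NSS resolution (the preauth check),
# then the key lookup sshd will run, then the directives sshd actually loaded.
verify() {
    user=$1
    getent passwd "$user" >/dev/null \
        || { echo "$user: not resolvable via NSS; check the join and use_fully_qualified_names" >&2; return 1; }
    /usr/bin/sss_ssh_authorizedkeys "$user" | grep -qE '^(ssh|ecdsa)-' \
        || { echo "$user: no key returned; check ldap_user_ssh_public_key and the AD attribute" >&2; return 1; }
    sshd -T | grep -i '^authorizedkeyscommand'   # needs root
}

# Usage after editing the files:  service sssd restart; service ssh restart; sh verify.sh mathieu
if [ -n "${1:-}" ]; then
    verify "$1"
fi
```

`sss_ssh_authorizedkeys` returning the key while `getent passwd` fails points at the name form (fully qualified vs. short), the situation behind the "Invalid user" lines in the question; `getent` succeeding with no key returned points at the attribute mapping or the ssh responder not being listed in `services`.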