We need passwordless SSH login, so here I have tried to centralize the keys by storing them in LDAP.
LDAP Server Setup
[root@ldap]# yum install openldap{,-clients,-servers,-devel} nss_ldap
Make an entry in /etc/hosts:
192.168.1.3 directory.domain.com
Run this command and copy its output:
[root@ldap]# slappasswd
Note: enter the desired rootdn password here
pass:
confirm:
The output will look like this; copy it:
{SSHA}AuOU1S01Nj+gQ9FIHf8gCompENETugiT
Now edit slapd.conf:
[root@ldap]# vi /etc/openldap/slapd.conf
Check for a similar entry and edit it as follows:
database bdb
suffix "dc=directory,dc=domain,dc=com"
rootdn "cn=Manager,dc=directory,dc=domain,dc=com"
# paste the {SSHA} hash from slappasswd below (a slapd.conf comment must start a line; an inline # is not a comment)
rootpw {SSHA}AuOU1S01Nj+gQ9FIHf8gCompENETugiT
directory /var/lib/ldap
[root@ldap]# service ldap start
Create a file named /etc/openldap/init.ldif with the lines below (LDIF entries are separated by a blank line, and the base entry must exist before its children can be added):
dn: dc=directory,dc=domain,dc=com
dc: directory
o: directory.domain.com
objectClass: dcObject
objectClass: organization

dn: cn=Manager,dc=directory,dc=domain,dc=com
cn: Manager
objectClass: organizationalRole

dn: ou=People,dc=directory,dc=domain,dc=com
ou: People
description: All People in Organisation
objectClass: organizationalUnit

dn: ou=Groups,dc=directory,dc=domain,dc=com
ou: Groups
description: All Groups in Organisation
objectClass: organizationalUnit
Now add that file to the LDAP server:
[root@ldap]# ldapadd -x -D "cn=Manager,dc=directory,dc=domain,dc=com" -W -f /etc/openldap/init.ldif
It will now ask for a password; paste or type the password you gave to slappasswd.
Now import any user from the Linux passwd file:
[root@ldap]# useradd manish
[root@ldap]# passwd manish
[root@ldap]# grep manish /etc/passwd > passwd.manish
[root@ldap]# /usr/share/openldap/migration/migrate_passwd.pl passwd.manish manish.ldif
Check manish.ldif before adding it: migrate_passwd.pl takes its base DN from $DEFAULT_BASE in migrate_common.ph (dc=padl,dc=com out of the box), so set that to dc=directory,dc=domain,dc=com first, and note that the file carries the user's password hash read from /etc/shadow.
[root@ldap]# ldapadd -x -D "cn=Manager,dc=directory,dc=domain,dc=com" -W -f manish.ldif
It will ask for the rootdn password; provide that.
Test the LDAP server (on the LDAP server itself):
[root@ldap]# ldapsearch -x -b "dc=directory,dc=domain,dc=com"
------------------------------------------------------------------------------------------
LDAP Client Setup
[root@ldap-client]# yum install nss_ldap openldap-clients
Make an entry in /etc/hosts:
192.168.1.3 directory.domain.com
Now run this command (it enables LDAP-backed authentication for SSH and other PAM logins on the client):
[root@ldap-client]# authconfig --useshadow --usemd5 --enableldap --enableldapauth --ldapserver=directory.domain.com --ldapbasedn="dc=directory,dc=domain,dc=com" --enablemkhomedir --updateall
Edit /etc/ldap.conf (the nss_ldap/pam_ldap configuration) and add the lines below. With "ssl no" the binds and password hashes cross the network in clear text; the TLS section further down fixes that.
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
uri ldap://directory.domain.com/
base dc=directory,dc=domain,dc=com
Edit /etc/openldap/ldap.conf (the OpenLDAP client library configuration) and add the same lines:
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
uri ldap://directory.domain.com/
base dc=directory,dc=domain,dc=com
Now test LDAP authentication on the client:
1: ldapsearch -x (if this succeeds, also run step 2)
2: getent passwd | grep manish (although the user manish does not exist in the client's /etc/passwd, this should return the entry)
3: ssh -l manish 192.168.1.3
4: su - manish (although the user manish does not exist on the client, you should get a shell)
TLS (LDAP Server) – Secure LDAP Server
[root@ldap]# mkdir /etc/ssl/openldap/
[root@ldap]# cd /etc/ssl/openldap/
[root@ldap]# openssl genrsa -out ldap.key 2048
[root@ldap]# openssl req -new -key ldap.key -out ldap.csr
(give directory.domain.com as the Common Name; clients configured with TLS_REQCERT demand check it against the host they connect to)
[root@ldap]# openssl genrsa -out ca.key 2048
[root@ldap]# openssl req -new -x509 -days 3650 -key ca.key -out ca.cert
[root@ldap]# openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 3650
[root@ldap]# openssl x509 -in ldap.cert -text -noout
Keep ca.key readable by root only, and ldap.key readable only by root and the ldap service user that runs slapd.
Edit /etc/openldap/slapd.conf on the LDAP server and append these lines (if such entries already exist, comment them out):
TLSCertificateFile /etc/ssl/openldap/ldap.cert
TLSCertificateKeyFile /etc/ssl/openldap/ldap.key
TLSCACertificateFile /etc/ssl/openldap/ca.cert
slapd must also be told to listen on ldaps (on CentOS 5, SLAPD_LDAPS=yes in /etc/sysconfig/ldap) and restarted, and ca.cert has to be copied to /etc/openldap/cacerts on every client and hashed there with c_rehash; otherwise the TLS_REQCERT demand setting below rejects the connection.
Now edit /etc/openldap/ldap.conf on the LDAP client: remove all existing lines and enter these
HOST directory.domain.com
PORT 636
tls_cacertdir /etc/openldap/cacerts
TLS_REQCERT demand
pam_password md5
uri ldap://directory.domain.com/ ldaps://directory.domain.com:636
base dc=directory,dc=domain,dc=com
Listing the plain ldap:// URI first means the client still talks clear text whenever port 389 is reachable; drop it once ldaps is confirmed working. Then replace /etc/ldap.conf with a link to this file:
[root@ldap-client]# rm -f /etc/ldap.conf
[root@ldap-client]# ln -s /etc/openldap/ldap.conf /etc/ldap.conf
------------------------------------------------------------------------------------------
Replication: LDAP Server to LDAP Standby Client Server
On the second server (standby):
1. Follow the same LDAP setup procedure as above.
2. Create /etc/rsyncd.conf and enter the lines below:
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
[ldap_standby]
path=/var/lib/ldap/
comment=ldap sync
uid = root
gid = root
read only = no
list = no
auth users = root
secrets file = /etc/ldap-admin
strict modes = false
Save and exit.
Now create the secrets file /etc/ldap-admin (rsync refuses a secrets file that others can read unless strict modes is off; set it to mode 0600 and you can drop "strict modes = false"):
[root@ldap-standby]# echo "root:syncldapadmin" > /etc/ldap-admin
[root@ldap-standby]# rsync --daemon
Now add this at the end of /etc/rc.local so the daemon starts at boot:
[root@ldap-standby]# vi /etc/rc.local
rsync --daemon
Now edit /etc/sysconfig/iptables and add the line below before "COMMIT". Restrict it to the primary server's address if you can: the rsync daemon protocol is neither encrypted nor strongly authenticated, and the module exposes the whole directory database.
[root@ldap-standby]# vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 873 -j ACCEPT
Save and exit.
[root@ldap-standby]# /etc/init.d/iptables restart
This is done.
Now on the LDAP server:
Create a file /etc/pass-ldap holding the rsync password:
[root@ldap]# echo "syncldapadmin" > /etc/pass-ldap
[root@ldap]# chmod 600 /etc/pass-ldap
Now add a line to the crontab (replace STANDBY_HOST with the standby server's address):
[root@ldap]# crontab -e
* * * * * /usr/bin/rsync -az --password-file=/etc/pass-ldap /var/lib/ldap/ root@STANDBY_HOST::ldap_standby/
Save and exit.
Note that this copies the live BDB files every minute without stopping slapd, so the copy can be inconsistent and the stream is not encrypted; OpenLDAP's own syncrepl replication is the supported way to keep a standby in step.
------------------------------------------------------------------------------------------
SSH Keys – LDAP Store
This builds OpenSSH 5.4p1 with the LPK patch so sshd looks up public keys in LDAP. OpenSSH 6.2 and later can do the same without patching, via AuthorizedKeysCommand in sshd_config.
[root@ldap]# yum -y install gcc openldap-devel pam-devel zlib-devel openssl-devel
[root@ldap]# wget -qO - http://ftp.jaist.ac.jp/pub/OpenBSD/OpenSSH/portable/openssh-5.4p1.tar.gz | tar zxf -
[root@ldap]# cd openssh-5.4p1
[root@ldap]# wget -q http://openssh-lpk.googlecode.com/svn/trunk/patch/contrib/contrib-openssh-lpk-5.4p1-0.3.13.patch
[root@ldap]# patch < contrib-openssh-lpk-5.4p1-0.3.13.patch
[root@ldap]# ./configure --with-ldap --sysconfdir=/etc/ssh --prefix=/usr --with-pam
If configure fails on PAM, install the headers and run configure again:
[root@ldap]# yum install pam-devel
[root@ldap]# make
Now take a backup of /etc/init.d/sshd and /etc/ssh/. Do the next steps from the console rather than over an SSH session, because erasing the openssh-server package stops the running sshd.
[root@ldap]# mkdir -p /opt/sshback
[root@ldap]# mv /etc/init.d/sshd /opt/sshback/
[root@ldap]# mv /etc/ssh /opt/sshback/
[root@ldap]# yum -y erase openssh-server
[root@ldap]# make install
[root@ldap]# cp /opt/sshback/sshd /etc/init.d/
Now edit sshd_config. It will carry an LDAP bind password, so keep it readable by root only; binding as the rootdn gives sshd far more than it needs, and a read-only bind account is the safer choice.
[root@ldap]# vi /etc/ssh/sshd_config
UseLPK yes
LpkLdapConf /etc/openldap/ldap.conf
LpkServers ldap://localhost/
LpkUserDN ou=People,dc=directory,dc=domain,dc=com
LpkGroupDN ou=Groups,dc=directory,dc=domain,dc=com
LpkBindDN cn=Manager,dc=directory,dc=domain,dc=com
LpkBindPw controlman
LpkServerGroup tech
LpkForceTLS no
LpkSearchTimelimit 3
LpkBindTimelimit 3
LpkPubKeyAttr sshPublicKey
Now add a group in LDAP. Only members of the group named in LpkServerGroup get their keys served.
Create a file maingroup.ldif with the lines below, listing every user who should log in with an LDAP key as a memberuid:
dn: cn=tech,ou=Groups,dc=directory,dc=domain,dc=com
cn: tech
gidnumber: 504
memberuid: user1
memberuid: user2
memberuid: user3
memberuid: user4
objectclass: posixGroup
[root@ldap]# ldapadd -x -D "cn=Manager,dc=directory,dc=domain,dc=com" -W -f maingroup.ldif
It should display like this:
adding new entry "cn=tech,ou=Groups,dc=directory,dc=domain,dc=com"
[root@ldap]# mkdir -p /var/empty/sshd/etc
[root@ldap]# wget -q http://openssh-lpk.googlecode.com/files/openssh-lpk_openldap.schema -O /etc/openldap/schema/openssh-lpk_openldap.schema
Now edit slapd.conf and add the schema include next to the other include lines (before the database section):
[root@ldap]# vi /etc/openldap/slapd.conf
include /etc/openldap/schema/openssh-lpk_openldap.schema
Save and exit, then restart the ldap service.
------------------------------------------------------------------------------------------
PHPLDAPADMIN (frontend for LDAP Management)
Download phpldapadmin (the URL is quoted so the shell does not treat the & as a background operator, and -O gives the file a sane name):
[root@ldap]# wget -O phpldapadmin-1.2.2.tgz "http://downloads.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.2/phpldapadmin-1.2.2.tgz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fphpldapadmin%2Ffiles%2Fphpldapadmin-php5%2F1.2.2%2F&ts=1331543024&use_mirror=nchc"
[root@ldap]# tar xzf phpldapadmin-1.2.2.tgz
[root@ldap]# mv phpldapadmin-1.2.2 /var/www/html/phpldapadmin
[root@ldap]# chown -R apache:apache /var/www/html/phpldapadmin
Now go to /var/www/html/phpldapadmin/config/:
[root@ldap]# mv config.php.example config.php
Now access it from a browser. The page takes the Manager password, so serve it over HTTPS and restrict who can reach it:
http:///phpldapadmin/
user: cn=Manager,dc=directory,dc=domain,dc=com
pass:
------------------------------------------------------------------------------------------
Now log into phpLDAPadmin and browse to the user you want to attach an SSH key to.
Under the user's "objectClass" entry, click "Add Value", select "ldapPublicKey" from the list and hit "Add new ObjectClass".
Now that the ldapPublicKey objectClass is on this user, you can add the sshPublicKey attribute and paste the key in: hit "Add new attribute" and pick "sshPublicKey" from the dropdown menu.
Paste the user's public key in here, then hit "Update Object", and that's it. The user now has their public SSH key stored in your LDAP directory, and as long as the matching private key is available on the machine they connect from, they will never need a password to log into any machine that is pointed at your LDAP server and runs the LPK-patched sshd.
Now restart sshd and ldap:
# /etc/init.d/sshd restart
# /etc/init.d/ldap restart
Generate the user's key pair (no passphrase is given here; a passphrase-protected key loaded into ssh-agent gives the same passwordless logins without leaving the private key unprotected on disk):
# ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
Enter passphrase (empty for no passphrase): …
Enter same passphrase again: …
# cat ~/.ssh/id_rsa.pub
Expect something like the line below:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoLpYk/1bOPiQC8tP0aB7g5YfcmniEAdEEitGwRrjc3XZptLQm3syl11bXdGbBCXb8JT1r3R8OVsnN3Ml/zTy3f7GBIWDH47ytyBxhQcMaCYk9Kk6pG6jbJCoikkxYggD0BexeVCK8qNyi9uohLh6PWCWRX29wF2zqiRjWyy5t8WK8oBgahdx18nqRoQRxyLsk0YIiff8n/WFQ3lWW2H2AlHWRus5cLVZ6J1safgLChOX5BIGt4A/UHsKdXHJd/zcSt+xkEXO7WqzIlMF/hh62NdfV2oR2AQuhAvGcYeDJhMLqbf3GqBdhL/zBF+pxhu8IU/7wPBjpJV865XRI0/JTQ== root@vm-machine
The line above is what goes into the user's sshPublicKey attribute; the private key id_rsa stays on the user's machine.
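The phpLDAPadmin clicks above can be replaced by an LDIF fed to ldapmodify. The Python script below is an added example, not part of the original post: it validates a public key line the way ssh-keygen writes it (checking that the base64 blob names the same key type as the prefix), refuses key types outside an allowed list, and emits the modify LDIF for the sshPublicKey attribute and ldapPublicKey objectClass of the LPK schema. The uid=<user>,ou=People DN layout (what migrate_passwd.pl produces), the allowed-type list and the sample key are assumptions constructed for the example.

```python
import base64
import struct

# Assumption for this example: only these key types are allowed into the directory.
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}
BASE_DN = "dc=directory,dc=domain,dc=com"  # suffix used throughout the post

def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def make_sample_key(key_type="ssh-ed25519", comment="manish@workstation"):
    """Constructed, syntactically valid key line for testing; not a real key."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(b"\x01" * 32)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey(line):
    """Validate '<type> <base64> [comment]'; return (type, base64, comment)."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"key type not allowed: {key_type}")
    blob = base64.b64decode(b64, validate=True)  # rejects stray characters
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():  # the blob names its own type
        raise ValueError("key type inside blob does not match prefix")
    return key_type, b64, " ".join(parts[2:])

def ldif_value(attr, value):
    """'attr: value', or 'attr:: base64' when the value is not LDIF-safe."""
    safe = value.isascii() and value[:1] not in (" ", ":", "<") and "\n" not in value
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def ldif_add_key(uid, key_line, add_objectclass=True):
    """Build the ldapmodify LDIF that attaches a validated key to uid's entry."""
    key_type, b64, comment = parse_pubkey(key_line)
    value = f"{key_type} {b64} {comment}".rstrip()
    lines = [f"dn: uid={uid},ou=People,{BASE_DN}", "changetype: modify"]
    if add_objectclass:  # skip when the entry already has ldapPublicKey
        lines += ["add: objectClass", "objectClass: ldapPublicKey", "-"]
    lines += ["add: sshPublicKey", ldif_value("sshPublicKey", value)]
    return "\n".join(lines) + "\n"
```

Feed the output to `ldapmodify -x -D "cn=Manager,dc=directory,dc=domain,dc=com" -W` on the server or over ldaps, passing add_objectclass=False for a user who already carries ldapPublicKey, since adding a duplicate objectClass value is rejected.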
------------------------------------------------------------------------------------------
Comments

Sir, my ldapadmin doesn't have the ldapPublicKey option in the list.

I'm trying to set up Active Directory using LDAP and Kerberos. Can you please help me?
blazetango@gmail.com

Have you downloaded the schema openssh-lpk_openldap.schema? Download that, include it in slapd.conf and restart the ldap service.

Can it be implemented on 389-ds?

I have no idea... have to check this...

No worries, thank you. I will test it too and share what the result is.

Yes, it can be implemented on CentOS DS as well...

I shared it on my blog:
http://sugizo.wordpress.com/2012/05/09/centos-store-ssh-key-in-centos-ds-directory-server/

Steve van: The link about CentOS DS seems to be private. Is it possible to view that link, please?

Manish,
Thanks much for sharing this article.
The LDAP authentication mentioned in the article seems good for Linux servers. Actually I want to implement SSO (Single Sign-On) in my office network, where currently we have a Windows Active Directory (AD) server authenticating Windows logins, and we have an obsolete RCS (Revision Control System) server where we update the group, shadow and password files for every Linux user, which are then replicated to all Linux servers (preferably Red Hat Linux servers); plus we also have key-based authentication instead of regular passwords.
These Windows/Linux production servers are located in diverse datacenters.
In the above scenario we are thinking that while creating users in the Windows AD server itself we should have some mechanism that says those users should have access to the Linux servers as well, so that the same login is used for both Windows and Linux logins, and on top of this we need key-based authentication for the Linux users alone.
May I please ask for any help or suggestions in this scenario?
Thanks
Karthik

Sure, I will try my best, pal.

This was great to read.