SSH + LDAP + Public key authentication - can it be done?

Is it possible to use public key authentication together with ldap accounts?

I've set up LDAP authentication for SSH, so that all accounts are in LDAP. This is done pretty much the way described in the handbook. That means sshd uses pam and pam_ldap to authenticate people. This works great, so there's no problem with the ldap config.

I figured I should be able to do something like this

$ ssh-keygen
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ ssh localhost

And not have to use my password. But it still asks for my password. This got me thinking: is what I want even possible? If the userdata is stored in ldap, such as the homedir (which you need to find the authorized_keys), you may need to bind to find the homedir, but to bind, you need the password? Can I get around this somehow?
 
dvdmandt said:
I figured I should be able to do something like this

$ ssh-keygen
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ ssh localhost

And not have to use my password. But it still asks for my password.
Did you set a password on the key? If so, it's that password that's being asked, not the account's password.
 
If I were you I'd turn on debug logging in /etc/ssh/sshd_config; that should tell you why the public key authentication isn't working. It could be as simple as directory permissions...

Thanks Andy.

PS debug info will be logged to /var/log/auth.log
 
As insinuated here, there are a couple of things to check. First of all, sshd doesn't know anything about LDAP specifically; it's just using the library calls for getting user information. If you are using nss_ldap for directory services, a good way to check it is with the id(1) tool:
% id -P

This should give you a line that looks like it belongs in /etc/passwd.

Then you need to check your directory permissions: check that you do not have group or world write permission on $HOME, $HOME/.ssh or $HOME/.ssh/authorized_keys. Otherwise sshd will helpfully not authenticate you and it won't tell you why.
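As an added example that is not part of this thread, here is a small POSIX sh check that mirrors the permission test sshd's StrictModes applies to the three paths named above. It reads the mode string from ls -l rather than stat(1), so the same script works on BSD and GNU userlands; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: report any of $HOME,
# $HOME/.ssh or $HOME/.ssh/authorized_keys that is group- or
# world-writable, which is enough for sshd (StrictModes yes, the
# default) to silently refuse public-key authentication.
# Note: sshd additionally requires the paths to be owned by the user
# or root; that ownership check is not reproduced here.

is_gw_writable() {
    # Columns 6 and 9 of the ls -l mode string (e.g. drwxrwxr-x) are
    # the group and other write bits; with a POSIX ACL the group
    # column reflects the ACL mask, which is also what sshd's stat()
    # sees. Return 0 if either write bit is set.
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

check_sshkey_perms() {
    # $1: home directory to inspect. Returns 0 when all three paths
    # exist and none is group- or world-writable, 1 otherwise.
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
        elif is_gw_writable "$p"; then
            echo "group/world writable: $p ($(ls -ld "$p" | cut -c1-10))"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "ok: $home"
    return "$rc"
}

# Usage: check the caller's own home, or a directory given on the
# command line (e.g. one fetched from LDAP with getent passwd USER).
check_sshkey_perms "${1:-$HOME}"
```

The fix for a flagged path is the usual chmod 755 or 700 on the home directory, 700 on .ssh and 600 on authorized_keys (or removing the group-write ACL entry, as the original poster did).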
 
Hi, thank you everyone. It was because of permissions. I had homedirs group-writable (using ACL) which sshd didn't like.
 