How to set up the OpenSSH server¶
Precondition¶
This article covers OpenSSH 6.2 or later on Debian-based systems only; the AuthorizedKeysCommand directive this setup relies on was introduced in OpenSSH 6.2.
Note
On RHEL-based distributions you can use the openssh-ldap package instead of this utility.
Requirements¶
- Debian Jessie or later, or Ubuntu Trusty or later.
- OpenSSH 6.2 or later (the first release with AuthorizedKeysCommand)
- openssh-ldap-pubkey
- Go 1.2 or later
Optional¶
- nslcd
Install with nslcd (recommended)¶
When all of the following preconditions are met, openssh-ldap-pubkey loads its parameters from /etc/nslcd.conf:
- The nslcd package is installed.
- /etc/nslcd.conf exists.
- AuthorizedKeysCommandUser in /etc/ssh/sshd_config is set to root. /etc/nslcd.conf may contain bindpw and is therefore not world-readable, so the command has to run as root to read it.
The parameters map as follows.
nslcd.conf | openssh-ldap-pubkey
---|---
uri ldap://example.org:389/ | host example.org, port 389, tls false
uri ldaps://example.org:636/ | host example.org, port 636, tls true
base dc=example,dc=org | base dc=example,dc=org
pam_authz_search (&(objectClass=posixAccount)(uid=$username)) | filter (&(objectClass=posixAccount)(uid=%s))
tls_reqcert never, allow | skip true
tls_reqcert try, demand, hard | skip false
binddn (option for bind) cn=admin,dc=example,dc=org | n/a
bindpw (option for bind) examplepassword | n/a
Two consequences of this mapping matter for security. First, skip true (tls_reqcert never or allow) disables verification of the LDAP server certificate, and plain ldap:// sends the query and the returned keys unprotected; in either case anyone who can intercept the connection can substitute a public key of their choosing, which sshd would then accept as that user's authorized key. Use ldaps:// with tls_reqcert demand or hard in production. Second, binddn and bindpw have no counterpart: openssh-ldap-pubkey queries the directory without bind credentials, so the LDAP server must allow an anonymous bind to read the users' public-key attribute.
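The mapping in the table, applied mechanically by a script, as an added example that is not part of openssh-ldap-pubkey or nslcd. It reads an nslcd.conf and prints the equivalent openssh-ldap-pubkey flags; the flag names -host, -port, -base and -tls come from the wrapper scripts on this page, while -filter and -skip are assumed from the table's parameter names. The sample nslcd.conf is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of openssh-ldap-pubkey or nslcd: derive the
# openssh-ldap-pubkey command line that corresponds to an nslcd.conf, following
# the mapping table. -host/-port/-base/-tls are taken from the wrapper scripts
# on the page; -filter and -skip are assumed from the table's parameter names.
set -eu

# nslcd_to_flags FILE: print the equivalent openssh-ldap-pubkey flags on one line.
nslcd_to_flags() {
    conf="$1"
    host=""; port=389; tls=false; base=""; filter=""; skip=false
    while read -r key val; do
        case "$key" in
            uri)
                # ldap://host:port/ -> tls=false, ldaps://host:port/ -> tls=true;
                # the port falls back to the scheme default when the URI omits it.
                scheme=${val%%://*}
                hostport=${val#*://}; hostport=${hostport%%/*}
                host=${hostport%%:*}
                if [ "$scheme" = ldaps ]; then tls=true; port=636; else tls=false; port=389; fi
                case "$hostport" in *:*) port=${hostport##*:} ;; esac
                ;;
            base) base=$val ;;
            pam_authz_search)
                # nslcd substitutes $username; openssh-ldap-pubkey expects %s.
                filter=$(printf '%s' "$val" | sed 's/\$username/%s/g')
                ;;
            tls_reqcert)
                # never/allow do not verify the server certificate (skip=true);
                # try/demand/hard do (skip=false).
                case "$val" in
                    never|allow) skip=true ;;
                    try|demand|hard) skip=false ;;
                esac
                ;;
            # binddn/bindpw have no counterpart: the tool queries without credentials.
        esac
    done < "$conf"
    printf -- '-host=%s -port=%s -base=%s -filter=%s -tls=%s -skip=%s\n' \
        "$host" "$port" "$base" "$filter" "$tls" "$skip"
}

# Constructed sample nslcd.conf (not taken from any real deployment).
sample=$(mktemp)
cat > "$sample" << 'EOF'
uid nslcd
gid nslcd
uri ldaps://ldap.example.org:636/
base dc=example,dc=org
binddn cn=admin,dc=example,dc=org
bindpw examplepassword
pam_authz_search (&(objectClass=posixAccount)(uid=$username))
tls_reqcert demand
EOF
nslcd_to_flags "$sample"
rm -f "$sample"
```

Run it against a real /etc/nslcd.conf (as root, since the file is not world-readable) to see the flags a wrapper script would need; if the output contains -tls=false or -skip=true, the directory connection is open to key substitution as described above.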
Download the binary.
$ export GOPATH=/path/to/gocode
$ go get github.com/mkouhei/openssh-ldap-pubkey
$ chmod 0755 /path/to/gocode/bin/openssh-ldap-pubkey
$ sudo chown root: /path/to/gocode/bin/openssh-ldap-pubkey
sshd refuses to run an AuthorizedKeysCommand unless the binary and every directory on its path are owned by root and writable only by the owner; a GOPATH under a user's home directory does not satisfy this, so copy the binary to a root-owned location such as /usr/local/bin and point AuthorizedKeysCommand at that copy.
Set up sshd_config.
Append AuthorizedKeysCommand and AuthorizedKeysCommandUser:
AuthorizedKeysCommand /path/to/openssh-ldap-pubkey
AuthorizedKeysCommandUser root
Check the configuration, then restart sshd.
$ sudo sshd -t
$ sudo service ssh restart
Install without nslcd¶
If nslcd is not installed and /etc/nslcd.conf does not exist, prepare a wrapper script for openssh-ldap-pubkey that passes the LDAP parameters as command-line flags.
Download the binary.
$ export GOPATH=/path/to/gocode
$ go get github.com/mkouhei/openssh-ldap-pubkey
$ chmod 0755 /path/to/gocode/bin/openssh-ldap-pubkey
$ sudo chown root: /path/to/gocode/bin/openssh-ldap-pubkey
Prepare the wrapper script. The heredoc delimiter is quoted so that $1 (the username sshd passes) is written literally rather than expanded when the file is created; writing it through sudo tee leaves the file owned by root, as sshd requires.
Without TLS (only for an LDAP server reachable over a trusted network, since the returned keys are unprotected in transit):
$ sudo tee /etc/ssh/openssh-ldap-pubkey.sh > /dev/null << 'EOF'
#!/bin/sh -e
exec /path/to/openssh-ldap-pubkey -host=ldap.example.org -base=dc=example,dc=org "$1"
EOF
$ sudo chmod 0755 /etc/ssh/openssh-ldap-pubkey.sh
With TLS:
$ sudo tee /etc/ssh/openssh-ldap-pubkey.sh > /dev/null << 'EOF'
#!/bin/sh -e
exec /path/to/openssh-ldap-pubkey -host=ldap.example.org -port=636 -base=dc=example,dc=org -tls=true "$1"
EOF
$ sudo chmod 0755 /etc/ssh/openssh-ldap-pubkey.sh
Set up sshd_config.
Append AuthorizedKeysCommand and AuthorizedKeysCommandUser:
AuthorizedKeysCommand /etc/ssh/openssh-ldap-pubkey.sh
AuthorizedKeysCommandUser root
The wrapper reads no secrets, so root is not required here: a dedicated unprivileged account with no other role is the least-privilege choice for AuthorizedKeysCommandUser.
Check the configuration, then restart sshd.
$ sudo sshd -t
$ sudo service ssh restart
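Both procedures above end by pointing AuthorizedKeysCommand at a file that sshd will refuse to run unless the file and every directory above it are owned by root and writable only by the owner (sshd logs "Unsafe AuthorizedKeysCommand" and denies the login). The following check reproduces that rule so it can be run before restarting sshd. It is an added example, not part of openssh-ldap-pubkey or OpenSSH; OWNER_UID and TOP default to 0 and /, which is what sshd enforces, and exist as parameters only so the check can be exercised in a scratch directory by an unprivileged user. The path /etc/ssh/openssh-ldap-pubkey.sh in the stand-alone run is the wrapper location used on this page.

```shell
#!/bin/sh
# Added example, not part of openssh-ldap-pubkey or OpenSSH: verify an
# AuthorizedKeysCommand path the way sshd does. sshd rejects the command unless
# the file and every directory above it are owned by root and neither group-
# nor world-writable. OWNER_UID and TOP default to 0 and /, matching sshd; they
# are parameters only so the check can be tested unprivileged in a scratch dir.
set -eu

# is_safe_component PATH OWNER_UID: 0 if PATH is owned by OWNER_UID and is
# neither group- nor world-writable, otherwise 1 with the reason on stderr.
is_safe_component() {
    p="$1"; want_uid="$2"
    owner=$(stat -c %u "$p") || return 1
    perms=$(stat -c %A "$p") || return 1
    if [ "$owner" != "$want_uid" ]; then
        echo "unsafe: $p is owned by uid $owner, expected $want_uid" >&2
        return 1
    fi
    # %A looks like drwxr-xr-x: character 6 is group write, character 9 is other write.
    case "$perms" in
        ?????w*|????????w*)
            echo "unsafe: $p is group- or world-writable ($perms)" >&2
            return 1 ;;
    esac
    return 0
}

# check_authorized_keys_command PATH [OWNER_UID] [TOP]
# Resolves symlinks, then checks PATH and each parent directory up to and
# including TOP. Returns 0 when sshd would accept the command.
check_authorized_keys_command() {
    target=$(realpath "$1") || return 1
    want_uid="${2:-0}"
    top=$(realpath "${3:-/}") || return 1
    if [ ! -f "$target" ] || [ ! -x "$target" ]; then
        echo "unsafe: $target is not an executable regular file" >&2
        return 1
    fi
    p="$target"
    while :; do
        is_safe_component "$p" "$want_uid" || return 1
        [ "$p" = "$top" ] && break
        [ "$p" = / ] && break   # reached the filesystem root without meeting TOP
        p=$(dirname "$p")
    done
    echo "ok: $target is acceptable as AuthorizedKeysCommand"
    return 0
}

# Stand-alone run against the wrapper path used on this page (assumed to exist).
check_authorized_keys_command /etc/ssh/openssh-ldap-pubkey.sh || true
```

Once the path check passes, run the command by hand with a real username, e.g. sudo /etc/ssh/openssh-ldap-pubkey.sh alice, and confirm it prints that user's keys one per line in authorized_keys format; then sudo sshd -t validates sshd_config before the restart.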