Post to ML -> User Made Quick Install Doc. Contribution from John Lane
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

OpenSSH LDAP keystore Patch
===========================

NOTE: these notes are a transcript of a specific installation; they work for
me, your specifics may be different!

from John Lane
March 17th 2005
john@lane.uk.net

This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
from their LDAP record as an alternative to ~/.ssh/authorized_keys.

(Assuming here that the necessary build stuff is in $BUILD)

    cd $BUILD/openssh-4.0p1
    patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
    mkdir -p /var/empty &&
    ./configure --prefix=/usr --sysconfdir=/etc/ssh \
        --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
        --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"

Now do:

    make && make install

Add the following config to /etc/ssh/ssh_config:

    UseLPK yes
    LpkServers ldap://myhost.mydomain.com
    LpkUserDN ou=People,dc=mydomain,dc=com

We need to tell sshd about the SSL keys during boot, as root's environment
does not exist at that time. Edit /etc/rc.d/init.d/sshd. Change the startup
code from this:

    echo "Starting SSH Server..."
    loadproc /usr/sbin/sshd
    ;;

to this:

    echo "Starting SSH Server..."
    LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
    ;;

Re-start the sshd daemon:

    /etc/rc.d/init.d/sshd restart

Install the additional LDAP schema:

    cp $BUILD/openssh-lpk-0.2.schema /etc/openldap/schema/openssh.schema

Now add the openSSH LDAP schema to /etc/openldap/slapd.conf. Add the
following to the end of the existing block of schema includes:

    include /etc/openldap/schema/openssh.schema

Re-start the LDAP server:

    /etc/rc.d/init.d/slapd restart

To add one or more public keys to a user, e.g. "testuser":

    ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" \
        -D "uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser

Append the following to this /tmp/testuser file (the long sshPublicKey value
is folded over several lines; each continuation line begins with one space,
as LDIF requires):

    objectclass: ldapPublicKey
    sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
     qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
     7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key

Then do a modify:

    ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f /tmp/testuser -Z
    Enter LDAP Password:
    modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"

And check the modify is ok:

    ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" \
        -D "uid=testuser,ou=People,dc=mydomain,dc=com"
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base  with scope sub
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # testuser, People, mydomain.com
    dn: uid=testuser,ou=People,dc=mydomain,dc=com
    uid: testuser
    cn: testuser
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    objectClass: ldapPublicKey
    shadowLastChange: 12757
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 9999
    gidNumber: 501
    homeDirectory: /home/testuser
    userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
    sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
     8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key

    # search result
    search: 3
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

Now start an ssh session to user "testuser" from the usual ssh client (e.g.
PuTTY). Login should succeed.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
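As an added example (not part of John's notes or the lpk patch): a small Python helper that checks an OpenSSH public key line before it is published to the directory, then writes the ldapPublicKey/sshPublicKey additions above as a proper folded LDIF "modify" record instead of hand-editing a dump of the entry. It assumes the DN layout from the notes, that the openssh schema is loaded in slapd, that ssh-rsa and ssh-dss are the key types the patched sshd accepts, and it uses a constructed (not usable) key for testing.

```python
import base64
import struct

# Key types assumed to be understood by the patched sshd of this era.
ALLOWED_KEY_TYPES = {"ssh-rsa", "ssh-dss"}

def parse_pubkey(line):
    """Validate one OpenSSH public key line; return (type, base64, comment)."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if ktype not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    blob = base64.b64decode(b64, validate=True)  # raises ValueError on junk
    # The wire blob starts with a length-prefixed string naming the key type;
    # it must agree with the textual type or sshd will not accept the key.
    if len(blob) < 4:
        raise ValueError("key blob truncated")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != ktype.encode():
        raise ValueError("key type field does not match blob")
    return ktype, b64, comment

def fold_ldif(line, width=76):
    """Fold a long LDIF line; continuation lines start with one space (RFC 2849)."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)

def sshkey_ldif(dn, pubkey_lines):
    """LDIF 'modify' record adding the ldapPublicKey class and sshPublicKey values."""
    rec = [f"dn: {dn}", "changetype: modify", "add: objectClass",
           "objectClass: ldapPublicKey", "-", "add: sshPublicKey"]
    for line in pubkey_lines:
        ktype, b64, comment = parse_pubkey(line)
        value = f"{ktype} {b64}" + (f" {comment}" if comment else "")
        rec.append(fold_ldif(f"sshPublicKey: {value}"))
    return "\n".join(rec) + "\n"

def make_test_rsa_key(comment="constructed test key"):
    """Constructed ssh-rsa line: structurally valid wire format, not a usable key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + b"\xab" * 64)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

If the entry already carries objectClass ldapPublicKey, drop the first "add: objectClass" block, otherwise slapd refuses the modify as a duplicate value. Feed the output to ldapmodify with the same -x -D ... -W -Z -f options the notes use.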