2. 科技
  3. openldap sshkey & 用户自定义属性

openldap sshkey & 用户自定义属性

it2022-05-05  124
openldap sshkey & 用户自定义属性

http://qiita.com/T_Tsan/items/eeb0a9ae9b4cdeb80934 https://www.ossramblings.com/using-ldap-to-store-ssh-public-keys-with-sssd

安装

yum -y install openssh-ldap cp /usr/share/doc/openssh-ldap-6.6.1p1/openssh-lpk-openldap.schema /etc/openldap/schema

服务器加入schema

# /etc/openldap/slapd.conf include /etc/openldap/schema/openssh-lpk-openldap.schema include /etc/openldap/schema/my.schema

重启服务 配置生效

cd /etc/openldap/ rm -rf slapd.d/* slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d chown -R ldap:ldap /etc/openldap/slapd.d systemctl restart slapd

生成用户key

ssh-keygen -b 2048 -t rsa -f /tmp/admin01.pem -q -N '' ssh-keygen -b 2048 -t rsa -f /tmp/op01.pem -q -N '' ssh-keygen -b 2048 -t rsa -f /tmp/dev01.pem -q -N ''

用户信息导入

cat << _EOF_ | ldapmodify -x -W -H ldaps:/// -D cn=manager,dc=suntv,dc=tv dn: uid=admin01,ou=people,dc=suntv,dc=tv changetype: modify add: objectClass objectClass: ldapPublicKey - add: sshPublicKey sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtFaqzott45UAn3PwrmleujMJxZtugxH5Hq8UaD5OfhbOsMU1ATAQF48hCreQZXWYr3kqAD61yYzkXuoA57/3VkSGklEtOgTbweJvz2mtEMslFvQxnGqeijEvEdy4BWDZvWIq153/5Rf2hJCQYr8OVKSLfjWqbFxNycbvDfJgxOB8EUZEDIzBXrecYQgnJeYDeDAx0V8aLmb4cK99vsU9XTUAx+59bzuwm+ZqHmQqYIcLvtUm49HZ2eY+O4q6/Y+ov/KvyEW7PzeOaQqz3xTHkQH8TZZBZri/SDxxX5OCpqlz4vMNOqu8Azro4hYOyeILhAltbjDkpU3+kcvXbLoSN ken@ken-ThinkPad-X220 - add: objectClass objectClass: MyAccount - add: active active: 1 - add: access access: ssh dn: uid=op01,ou=people,dc=suntv,dc=tv changetype: modify add: objectClass objectClass: ldapPublicKey - add: sshPublicKey sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFclesnE+mETaKgqvNcfGvK3u2+z8qgzUQgE9I2fgd7lh2sEIR4zxKiSlNW6LN386VWFZ0FkQol5/Y3ZpivPEsqUjOQ5x90bNgrlsqCenLRtsO+uN7oqfzjpTBunq7W9XQ+c4iiCBX6xoHTWjUbIlw9FWkC7dkpMXQHJmbAF57iDsBTMhXrjEzORGSTTBNIO5sz4QEqICxzG4n3YdGGMLUutVDXH1tJWytU1+VUcaSLUyMAGmDB1r+DhUi4vsTb0BZ8V3odSzvC0nuww47ooM0FGb8X1Av7DfcJ3VcEQl5ges+HRqwMxLzSV+GFBurnDXa1SixIWuObRNhaq8Swekr ken@ken-ThinkPad-X220 - add: objectClass objectClass: MyAccount - add: active active: 1 - add: access access: ssh dn: uid=dev01,ou=people,dc=suntv,dc=tv changetype: modify add: objectClass objectClass: ldapPublicKey - add: sshPublicKey sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtFaqzott45UAn3PwrmleujMJxZtugxH5Hq8UaD5OfhbOsMU1ATAQF48hCreQZXWYr3kqAD61yYzkXuoA57/3VkSGklEtOgTbweJvz2mtEMslFvQxnGqeijEvEdy4BWDZvWIq153/5Rf2hJCQYr8OVKSLfjWqbFxNycbvDfJgxOB8EUZEDIzBXrecYQgnJeYDeDAx0V8aLmb4cK99vsU9XTUAx+59bzuwm+ZqHmQqYIcLvtUm49HZ2eY+O4q6/Y+ov/KvyEW7PzeOaQqz3xTHkQH8TZZBZri/SDxxX5OCpqlz4vMNOqu8Azro4hYOyeILhAltbjDkpU3+kcvXbLoSN ken@ken-ThinkPad-X220 - add: objectClass objectClass: MyAccount - add: active active: 1 - add: access access: ssh _EOF_

目标服务器配置

ssh

# /etc/ssh/sssd_config PubkeyAuthentication yes AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys # 获取sssd中publickey AuthorizedKeysCommandUser nobody # 7.x # AuthorizedKeysCommandRunAs nobody # 6.x

sssd

cat > /etc/sssd/sssd.conf << _EOF_ [domain/LDAP] debug_level = 9 cache_credentials = True enumerate = false id_provider = ldap auth_provider = ldap chpass_provider = ldap sudo_provider = ldap ldap_uri = ldaps://master.local ldap_backup_uri = ldaps://slave.local ldap_search_base = dc=suntv,dc=tv ldap_user_search_base = ou=people,dc=suntv,dc=tv ldap_group_search_base = ou=group,dc=suntv,dc=tv ldap_sudo_search_base = ou=sudoer,dc=suntv,dc=tv access_provider = ldap ldap_access_order = filter ldap_access_filter = (&(&(active=1)(access=ssh))(|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=dev,ou=host,dc=suntv,dc=tv))) # 用户过滤条件 ldap_user_ssh_public_key = sshPublicKey # 支持ssh public key ldap_tls_cacertdir = /etc/openldap/cacerts ldap_tls_cacert = /etc/openldap/cacerts/ca.crt ldap_tls_reqcert = never ldap_id_use_start_tls = false [sssd] domains = LDAP services = nss, pam, sudo, ssh config_file_version = 2 [nss] domains = LDAP filter_users = root filter_groups = root [pam] domains = LDAP [sudo] domains = LDAP [ssh] domains = LDAP ssh_hash_known_hosts = false _EOF_

测试

ssh -i admin01.pem admin01@192.168.1.21 ssh -i op01.pem op01@192.168.1.21 ssh -i dev01.pem dev01@192.168.1.21 ssh -i admin01.pem admin01@192.168.1.22 ssh -i op01.pem op01@192.168.1.22 ssh -i dev01.pem dev01@192.168.1.22

尚未解决问题

ssh支持password和sshkey两种登录方式,我需要只允许root或者指定用户使用password方式登录,其他用户只能用sshkey方式

posted on 2016-10-24 11:53 北京涛子 阅读( ...) 评论( ...) 编辑 收藏

转载于:https://www.cnblogs.com/liujitao79/p/5992402.html

专利

最新回复(0)