  1. #1
    Just Joined! | Join Date: Dec 2013 | Posts: 2

    Question: LDAP & Key Authentication


    We use LDAP (Active directory) to authenticate users to our CentOS servers, winbind is used to connect to AD to get the login information etc.

    Some users require access via keys, so we need a way to let a user authenticate and log in with their private/public key pair.

    Because they are LDAP accounts, the servers do not have a local account for the user, so I don't know how this would work.

    Later, I would like to centrally manage the keys, but this is not important for now as long as they can login with the keys.

    One thing to note is that they would need to use their LDAP password to do anything with sudo.

    Is there something I can do to achieve this mixed authentication method?

    I tried setting up the keys for an LDAP-authenticated user once logged in with LDAP username/password, but when I try to log in with the key and no password, I see this in /var/log/secure:

    Code:
    Dec 11 16:06:54 server1 sshd[4811]: Invalid user test_user from 192.168.200.26
    Dec 11 16:06:54 server1 sshd[4812]: input_userauth_request: invalid user test_user

    I assume the problem is that the user is not local (not in /etc/passwd), so this is why sshd will not attempt to check the user's /home/test_user/.ssh/authorized_keys for the keys.

    I added a user into /etc/passwd but this didn't change anything.
    Last edited by gbmtw; 12-11-2013 at 05:32 PM.

  2. #2
    Just Joined! | Join Date: Sep 2013 | Location: Alberta, Canada | Posts: 17

    gbmtw,
    Active Directory is more than LDAP. It is a Kerberos authentication system which issues authentication tickets that can be used similarly to private-key authentication. I am assuming that you are using smb to share resources (folders/files) from these servers. smb uses winbind to authenticate access to the servers' shares. Similarly, winbind can be used to provide authentication for ssh access. This is accomplished via the pluggable authentication module (PAM) application. I suggest you search the Samba4 documentation for "Using pam_winbind" and try that configuration to provide keyless ssh logins. This topic can get pretty complicated very rapidly, but once you get the access working you may want to investigate establishing access controls based on other AD/LDAP fields or sshd access lists to prevent ALL users from ssh'ing to the servers.

  3. #3
    Linux Engineer | Join Date: Apr 2012 | Location: Virginia, USA | Posts: 893

    Since you're using AD as your Directory, Kerberos is already configured. If you want to log into the Linux host without being prompted for a password, you can enable SSH login via Kerberos / GSSAPI.

    To enable AD users to have SUDO access, just add the AD group name to /etc/sudoers as you would any other group name, but add the domain.

  4. #4
    Just Joined! | Join Date: Dec 2013 | Posts: 2

    Quote Originally Posted by mizzle:
        Since you're using AD as your Directory, Kerberos is already configured. If you want to log into the linux host without being prompted for a password, you can enable SSH login via Kerberos / GSSAPI.

        To enable AD users to have SUDO access, just add the AD group name to /etc/sudoers as you would any other group name, but add the domain.

    Thanks for the replies,

    I already have password authentication set up via my AD server using pam_winbind. I have also already set up sudo access as you suggested, with AD groups in /etc/sudoers.

    What I'm looking at doing is permitting ssh key based login.

    I have found this but it is using an OpenLDAP server, maybe someone knows what the differences would be for integrating this with AD? - I suspect I can just add new attributes to AD but I would need some instructions before attempting it:

    "Another I.T. blog: HOWTO : Configure OpenSSH to Fetch Public Keys from OpenLDAP for Authentication on CentOS"
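The approach the HOWTO in post #4 describes (sshd fetching public keys from the directory instead of from ~/.ssh/authorized_keys) maps onto AD with sshd's AuthorizedKeysCommand. Two points from the thread are worth keeping in mind: sshd only runs that command for a user it can resolve, and the "Invalid user" lines in post #1 mean getpwnam() failed (the winbind NSS module is not active in /etc/nsswitch.conf, or the user is excluded by AllowUsers/AllowGroups), so that has to work first; and because sudo asks PAM (pam_winbind) for the password independently of how the SSH session was authenticated, key-based SSH login does not remove the sudo password requirement post #1 wants to keep. The script below is an added example written for this thread, not code from the original posts or from the linked HOWTO. It assumes a custom multi-valued AD attribute named sshPublicKey (hypothetical; AD has no such attribute by default), a domain controller at dc1.example.com with base DN DC=example,DC=com, a keytab at /etc/ad_ssh_keys.keytab readable by the AuthorizedKeysCommandUser, openldap-clients with SASL/GSSAPI support, and an sshd with AuthorizedKeysCommand (OpenSSH 6.2 or later). The sample LDIF embedded in it is constructed for the offline check.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper: fetch a user's SSH public keys from Active Directory.

Added example for this thread, not code from the original posts. Assumptions:
  * AD schema extended with a multi-valued string attribute sshPublicKey (hypothetical name)
  * ldapsearch (openldap-clients) can bind to the DC via SASL/GSSAPI using a keytab
  * sshd supports AuthorizedKeysCommand (OpenSSH 6.2+)

sshd_config stanza (script must be root-owned and not group/world writable):
    AuthorizedKeysCommand /usr/local/sbin/ad_ssh_keys.py
    AuthorizedKeysCommandUser nobody
"""
import base64
import os
import re
import subprocess
import sys

LDAP_URI = "ldap://dc1.example.com"     # assumption: your domain controller
BASE_DN = "DC=example,DC=com"           # assumption: your AD base DN
KEY_ATTR = "sshPublicKey"               # assumption: custom attribute holding authorized_keys lines
KEYTAB = "/etc/ad_ssh_keys.keytab"      # assumption: keytab for the service principal doing the lookup

# sshd passes the login name as %u; refuse anything outside a conservative charset
# before it gets anywhere near an LDAP filter.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# Only plain "keytype base64 [comment]" lines are accepted; authorized_keys options
# (command=, environment=, ...) are deliberately not taken from the directory.
KEY_LINE_RE = re.compile(
    r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$")


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(username):
    """Filter matching the AD user account; validates the name first, escapes it anyway."""
    if not USERNAME_RE.match(username):
        raise ValueError("refusing unexpected username: %r" % username)
    return "(&(objectClass=user)(sAMAccountName=%s))" % ldap_filter_escape(username)


def parse_ldif_keys(ldif_text, attr=KEY_ATTR):
    """Extract attr values from LDIF output: unfold continuation lines (a leading
    space continues the previous line), decode base64 'attr::' values, and keep
    only values that look like a single authorized_keys line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    keys = []
    for line in lines:
        if line.startswith(attr + ":: "):
            value = base64.b64decode(line[len(attr) + 3:].strip()).decode("utf-8", "replace")
        elif line.startswith(attr + ": "):
            value = line[len(attr) + 2:]
        else:
            continue
        value = value.strip()
        if value and "\n" not in value and KEY_LINE_RE.match(value):
            keys.append(value)
    return keys


def fetch_keys(username):
    """Query AD for the user's keys. Any lookup failure yields an empty list, which
    sshd treats as 'no keys' and it then continues with its other auth methods."""
    cmd = ["ldapsearch", "-LLL", "-Q", "-o", "ldif-wrap=no", "-Y", "GSSAPI",
           "-H", LDAP_URI, "-b", BASE_DN, build_filter(username), KEY_ATTR]
    env = dict(os.environ, KRB5_CLIENT_KTNAME=KEYTAB)  # MIT krb5 client keytab (assumption)
    try:
        proc = subprocess.run(cmd, env=env, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              universal_newlines=True, timeout=10, check=True)
    except (OSError, subprocess.SubprocessError):
        return []
    return parse_ldif_keys(proc.stdout)


# Constructed sample of what ldapsearch returns: one key folded across two lines
# (ldapsearch wraps at 76 columns unless -o ldif-wrap=no), one base64-encoded
# value, and one junk value that must be dropped.
SAMPLE_LDIF = (
    "dn: CN=Jane Doe,CN=Users,DC=example,DC=com\n"
    "sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleE\n"
    " xampleExampleExample jdoe@laptop\n"
    "sshPublicKey:: "
    + base64.b64encode(b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCijAvLBGt4 jdoe@desk").decode()
    + "\nsshPublicKey: not a key at all\n\n"
)


def main(argv):
    if len(argv) != 2:
        return 2
    try:
        keys = fetch_keys(argv[1])
    except ValueError:
        return 1
    for key in keys:
        print(key)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep the lookup read-only and scoped (a service principal that can read sshPublicKey and nothing else), and watch for the folding and base64 cases in parse_ldif_keys: an ssh-rsa key is well over 76 characters, so without unfolding or -o ldif-wrap=no the key arrives in two pieces and silently never matches.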
