涛子 - 简单就是美

成单纯魁增,永继振国兴,克复宗清政,广开家必升
  博客园  :: 首页  :: 新随笔  :: 联系 :: 订阅 订阅  :: 管理
  428 随笔 :: 0 文章 :: 19 评论 :: 22万 阅读
openldap sshkey & 用户自定义属性

http://qiita.com/T_Tsan/items/eeb0a9ae9b4cdeb80934
https://www.ossramblings.com/using-ldap-to-store-ssh-public-keys-with-sssd

安装

yum -y install openssh-ldap
cp /usr/share/doc/openssh-ldap-6.6.1p1/openssh-lpk-openldap.schema /etc/openldap/schema

服务器加入schema

# /etc/openldap/slapd.conf
include     /etc/openldap/schema/openssh-lpk-openldap.schema
include     /etc/openldap/schema/my.schema

重启服务 配置生效

cd /etc/openldap/
rm -rf slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl restart slapd

生成用户key

ssh-keygen -b 2048 -t rsa -f /tmp/admin01.pem -q -N ''
ssh-keygen -b 2048 -t rsa -f /tmp/op01.pem -q -N ''
ssh-keygen -b 2048 -t rsa -f /tmp/dev01.pem -q -N ''

用户信息导入

cat << _EOF_ | ldapmodify -x -W -H ldaps:/// -D cn=manager,dc=suntv,dc=tv
dn: uid=admin01,ou=people,dc=suntv,dc=tv
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtFaqzott45UAn3PwrmleujMJxZtugxH5Hq8UaD5OfhbOsMU1ATAQF48hCreQZXWYr3kqAD61yYzkXuoA57/3VkSGklEtOgTbweJvz2mtEMslFvQxnGqeijEvEdy4BWDZvWIq153/5Rf2hJCQYr8OVKSLfjWqbFxNycbvDfJgxOB8EUZEDIzBXrecYQgnJeYDeDAx0V8aLmb4cK99vsU9XTUAx+59bzuwm+ZqHmQqYIcLvtUm49HZ2eY+O4q6/Y+ov/KvyEW7PzeOaQqz3xTHkQH8TZZBZri/SDxxX5OCpqlz4vMNOqu8Azro4hYOyeILhAltbjDkpU3+kcvXbLoSN ken@ken-ThinkPad-X220
-
add: objectClass
objectClass: MyAccount
-
add: active
active: 1
-
add: access
access: ssh

dn: uid=op01,ou=people,dc=suntv,dc=tv
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFclesnE+mETaKgqvNcfGvK3u2+z8qgzUQgE9I2fgd7lh2sEIR4zxKiSlNW6LN386VWFZ0FkQol5/Y3ZpivPEsqUjOQ5x90bNgrlsqCenLRtsO+uN7oqfzjpTBunq7W9XQ+c4iiCBX6xoHTWjUbIlw9FWkC7dkpMXQHJmbAF57iDsBTMhXrjEzORGSTTBNIO5sz4QEqICxzG4n3YdGGMLUutVDXH1tJWytU1+VUcaSLUyMAGmDB1r+DhUi4vsTb0BZ8V3odSzvC0nuww47ooM0FGb8X1Av7DfcJ3VcEQl5ges+HRqwMxLzSV+GFBurnDXa1SixIWuObRNhaq8Swekr ken@ken-ThinkPad-X220
-
add: objectClass
objectClass: MyAccount
-
add: active
active: 1
-
add: access
access: ssh

dn: uid=dev01,ou=people,dc=suntv,dc=tv
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtFaqzott45UAn3PwrmleujMJxZtugxH5Hq8UaD5OfhbOsMU1ATAQF48hCreQZXWYr3kqAD61yYzkXuoA57/3VkSGklEtOgTbweJvz2mtEMslFvQxnGqeijEvEdy4BWDZvWIq153/5Rf2hJCQYr8OVKSLfjWqbFxNycbvDfJgxOB8EUZEDIzBXrecYQgnJeYDeDAx0V8aLmb4cK99vsU9XTUAx+59bzuwm+ZqHmQqYIcLvtUm49HZ2eY+O4q6/Y+ov/KvyEW7PzeOaQqz3xTHkQH8TZZBZri/SDxxX5OCpqlz4vMNOqu8Azro4hYOyeILhAltbjDkpU3+kcvXbLoSN ken@ken-ThinkPad-X220
-
add: objectClass
objectClass: MyAccount
-
add: active
active: 1
-
add: access
access: ssh
_EOF_

目标服务器配置

ssh

# /etc/ssh/sssd_config
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys # 获取sssd中publickey
AuthorizedKeysCommandUser nobody # 7.x
# AuthorizedKeysCommandRunAs nobody # 6.x

sssd

cat > /etc/sssd/sssd.conf << _EOF_ 
[domain/LDAP]
debug_level = 9
cache_credentials = True
enumerate = false

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap

ldap_uri = ldaps://master.local
ldap_backup_uri = ldaps://slave.local
ldap_search_base = dc=suntv,dc=tv
ldap_user_search_base = ou=people,dc=suntv,dc=tv
ldap_group_search_base = ou=group,dc=suntv,dc=tv
ldap_sudo_search_base = ou=sudoer,dc=suntv,dc=tv

access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (&(&(active=1)(access=ssh))(|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=dev,ou=host,dc=suntv,dc=tv))) # 用户过滤条件
ldap_user_ssh_public_key = sshPublicKey # 支持ssh public key

ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_tls_reqcert = never
ldap_id_use_start_tls = false

[sssd]
domains = LDAP
services = nss, pam, sudo, ssh
config_file_version = 2

[nss]
domains = LDAP
filter_users = root
filter_groups = root

[pam]
domains = LDAP

[sudo]
domains = LDAP

[ssh]
domains = LDAP
ssh_hash_known_hosts = false
_EOF_

测试

ssh -i admin01.pem admin01@192.168.1.21
ssh -i op01.pem op01@192.168.1.21
ssh -i dev01.pem dev01@192.168.1.21

ssh -i admin01.pem admin01@192.168.1.22
ssh -i op01.pem op01@192.168.1.22
ssh -i dev01.pem dev01@192.168.1.22

尚未解决问题

ssh支持password和sshkey两种登录方式,我需要只允许root或者指定用户使用password方式登录,其他用户只能用sshkey方式

posted on   北京涛子  阅读(847)  评论(0编辑  收藏  举报
编辑推荐:
· .NET Core 中如何实现缓存的预热?
· 从 HTTP 原因短语缺失研究 HTTP/2 和 HTTP/3 的设计差异
· AI与.NET技术实操系列:向量存储与相似性搜索在 .NET 中的实现
· 基于Microsoft.Extensions.AI核心库实现RAG应用
· Linux系列:如何用heaptrack跟踪.NET程序的非托管内存泄露
阅读排行:
· TypeScript + Deepseek 打造卜卦网站:技术与玄学的结合
· 阿里巴巴 QwQ-32B真的超越了 DeepSeek R-1吗?
· 【译】Visual Studio 中新的强大生产力特性
· 【设计模式】告别冗长if-else语句:使用策略模式优化代码结构
· AI与.NET技术实操系列(六):基于图像分类模型对图像进行分类
历史上的今天:
2014-10-24 piranha配置
点击右上角即可分享
微信分享提示
SQL AI 助手