• openldap sshkey & 用户自定义属性


    http://qiita.com/T_Tsan/items/eeb0a9ae9b4cdeb80934
    https://www.ossramblings.com/using-ldap-to-store-ssh-public-keys-with-sssd

    安装

    yum -y install openssh-ldap
    cp /usr/share/doc/openssh-ldap-6.6.1p1/openssh-lpk-openldap.schema /etc/openldap/schema
    

    服务器加入schema

    # /etc/openldap/slapd.conf
    include     /etc/openldap/schema/openssh-lpk-openldap.schema
    include     /etc/openldap/schema/my.schema
    

    重启服务 配置生效

    cd /etc/openldap/
    rm -rf slapd.d/*
    slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    chown -R ldap:ldap /etc/openldap/slapd.d
    systemctl restart slapd
    

    生成用户key

    ssh-keygen -b 2048 -t rsa -f /tmp/admin01.pem -q -N ''
    ssh-keygen -b 2048 -t rsa -f /tmp/op01.pem -q -N ''
    ssh-keygen -b 2048 -t rsa -f /tmp/dev01.pem -q -N ''
    

    用户信息导入

    cat << _EOF_ | ldapmodify -x -W -H ldaps:/// -D cn=manager,dc=suntv,dc=tv
    dn: uid=admin01,ou=people,dc=suntv,dc=tv
    changetype: modify
    add: objectClass
    objectClass: ldapPublicKey
    -
    add: sshPublicKey
    sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtFaqzott45UAn3PwrmleujMJxZtugxH5Hq8UaD5OfhbOsMU1ATAQF48hCreQZXWYr3kqAD61yYzkXuoA57/3VkSGklEtOgTbweJvz2mtEMslFvQxnGqeijEvEdy4BWDZvWIq153/5Rf2hJCQYr8OVKSLfjWqbFxNycbvDfJgxOB8EUZEDIzBXrecYQgnJeYDeDAx0V8aLmb4cK99vsU9XTUAx+59bzuwm+ZqHmQqYIcLvtUm49HZ2eY+O4q6/Y+ov/KvyEW7PzeOaQqz3xTHkQH8TZZBZri/SDxxX5OCpqlz4vMNOqu8Azro4hYOyeILhAltbjDkpU3+kcvXbLoSN ken@ken-ThinkPad-X220
    -
    add: objectClass
    objectClass: MyAccount
    -
    add: active
    active: 1
    -
    add: access
    access: ssh
    
    dn: uid=op01,ou=people,dc=suntv,dc=tv
    changetype: modify
    add: objectClass
    objectClass: ldapPublicKey
    -
    add: sshPublicKey
    sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFclesnE+mETaKgqvNcfGvK3u2+z8qgzUQgE9I2fgd7lh2sEIR4zxKiSlNW6LN386VWFZ0FkQol5/Y3ZpivPEsqUjOQ5x90bNgrlsqCenLRtsO+uN7oqfzjpTBunq7W9XQ+c4iiCBX6xoHTWjUbIlw9FWkC7dkpMXQHJmbAF57iDsBTMhXrjEzORGSTTBNIO5sz4QEqICxzG4n3YdGGMLUutVDXH1tJWytU1+VUcaSLUyMAGmDB1r+DhUi4vsTb0BZ8V3odSzvC0nuww47ooM0FGb8X1Av7DfcJ3VcEQl5ges+HRqwMxLzSV+GFBurnDXa1SixIWuObRNhaq8Swekr ken@ken-ThinkPad-X220
    -
    add: objectClass
    objectClass: MyAccount
    -
    add: active
    active: 1
    -
    add: access
    access: ssh
    
    dn: uid=dev01,ou=people,dc=suntv,dc=tv
    changetype: modify
    add: objectClass
    objectClass: ldapPublicKey
    -
    add: sshPublicKey
    sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtFaqzott45UAn3PwrmleujMJxZtugxH5Hq8UaD5OfhbOsMU1ATAQF48hCreQZXWYr3kqAD61yYzkXuoA57/3VkSGklEtOgTbweJvz2mtEMslFvQxnGqeijEvEdy4BWDZvWIq153/5Rf2hJCQYr8OVKSLfjWqbFxNycbvDfJgxOB8EUZEDIzBXrecYQgnJeYDeDAx0V8aLmb4cK99vsU9XTUAx+59bzuwm+ZqHmQqYIcLvtUm49HZ2eY+O4q6/Y+ov/KvyEW7PzeOaQqz3xTHkQH8TZZBZri/SDxxX5OCpqlz4vMNOqu8Azro4hYOyeILhAltbjDkpU3+kcvXbLoSN ken@ken-ThinkPad-X220
    -
    add: objectClass
    objectClass: MyAccount
    -
    add: active
    active: 1
    -
    add: access
    access: ssh
    _EOF_
    

    目标服务器配置

    ssh

    # /etc/ssh/sssd_config
    PubkeyAuthentication yes
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys # 获取sssd中publickey
    AuthorizedKeysCommandUser nobody # 7.x
    # AuthorizedKeysCommandRunAs nobody # 6.x
    

    sssd

    cat > /etc/sssd/sssd.conf << _EOF_ 
    [domain/LDAP]
    debug_level = 9
    cache_credentials = True
    enumerate = false
    
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    sudo_provider = ldap
    
    ldap_uri = ldaps://master.local
    ldap_backup_uri = ldaps://slave.local
    ldap_search_base = dc=suntv,dc=tv
    ldap_user_search_base = ou=people,dc=suntv,dc=tv
    ldap_group_search_base = ou=group,dc=suntv,dc=tv
    ldap_sudo_search_base = ou=sudoer,dc=suntv,dc=tv
    
    access_provider = ldap
    ldap_access_order = filter
    ldap_access_filter = (&(&(active=1)(access=ssh))(|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=dev,ou=host,dc=suntv,dc=tv))) # 用户过滤条件
    ldap_user_ssh_public_key = sshPublicKey # 支持ssh public key
    
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
    ldap_tls_reqcert = never
    ldap_id_use_start_tls = false
    
    [sssd]
    domains = LDAP
    services = nss, pam, sudo, ssh
    config_file_version = 2
    
    [nss]
    domains = LDAP
    filter_users = root
    filter_groups = root
    
    [pam]
    domains = LDAP
    
    [sudo]
    domains = LDAP
    
    [ssh]
    domains = LDAP
    ssh_hash_known_hosts = false
    _EOF_ 
    

    测试

    ssh -i admin01.pem admin01@192.168.1.21
    ssh -i op01.pem op01@192.168.1.21
    ssh -i dev01.pem dev01@192.168.1.21
    
    ssh -i admin01.pem admin01@192.168.1.22
    ssh -i op01.pem op01@192.168.1.22
    ssh -i dev01.pem dev01@192.168.1.22
    

    尚未解决问题

    ssh支持password和sshkey两种登录方式,我需要只允许root或者指定用户使用password方式登录,其他用户只能用sshkey方式

  • 相关阅读:
    在Ubuntu下依然爱SOGO
    CompositePattern(23种设计模式之一)
    Arduino String.h库函数详解
    cp命令详解
    PHP AJAX 返回JSON 数据
    PHP AJAX返回 "TEXT"
    PHP JSON数据 AJAX
    PHP JQurey
    PHP 封装POD 类
    PHP 分页+查询
  • 原文地址:https://www.cnblogs.com/liujitao79/p/5992402.html
Copyright © 2020-2023  润新知