3 unstable releases
Uses old Rust 2015
0.2.1 | Jul 6, 2020 |
---|---|
0.2.0 | Mar 19, 2020 |
0.1.0 | May 31, 2018 |
#17 in #openssh
15KB
164 lines
SSH AuthorizedKeysCommand using LDAP (sakcl)
sakcl (pronounced 'sackle' like 'handle') is designed to be called by OpenSSH as the AuthorizedKeysCommand. It is simple to install and simple to configure and works with the other defaults of OpenSSH.
Installation
Cargo
cargo install sakcl
Binary Packages
curl -o artifacts.zip https://gitlab.com/cardoe/sakcl/-/jobs/71677129/artifacts/download
unzip artifacts.zip
Configuration
The configuration file by default is located at /etc/sakcl.conf
. This
can be overwritten by providing the -c /path/to/config
argument before
the username.
The configuration file must look like:
uri = "ldaps://ldap.host.name"
base = "ou=Users,dc=company,dc=com"
# basedn and bindpw are optional parameters
basedn = "dn=serviceacct,ou=Users,dc=company,dc=com"
basspw = "12345"
scope = "one|subtree|base"
# filter will have any * replaced with the username supplied
# otherwise it is passed directly to the LDAP search
filter = "(&(objectClass=posixAccount)(uid=*))"
attr = "attribute-with-ssh-public-key"
Once this is configured you can test that it works by running:
sakcl your-ldap-uid
And you should see your SSH public key displayed on stdout. To finish
configuring your system to use this change the
AuthorizedKeysCommand
to point to your sakcl
binary and change
AuthorizedKeysCommandUser
to an unpriviledged account name. Lastly change the ownership of
/etc/sakcl.conf
to the unpriviledged account name and set the mode to
octal 0400
.
Dependencies
~14MB
~254K SLoC