
SSH + LDAP Public Key (LPK)

SSH public key management can be a real pain. Adding or removing a user across your systems, and distributing the account details and ssh keys, is time consuming. Revoking keys is the bigger issue: has a user added an ssh public key to the root account? To other people's accounts?

Enter SSH LPK.

The LDAP Public Key patch for OpenSSH allows you to set up a central store of SSH public keys, a lightweight form of Public Key Infrastructure (PKI), using LDAP. It consists of an LDAP schema (an ldapPublicKey object class carrying sshPublicKey attributes) and a patch against OpenSSH which inserts an LDAP lookup for the user's public key into the authentication path. Combine this with libnss-ldap and pam_mkhomedir, and provisioning a new user on your network is as easy as creating an entry in LDAP and inserting their public key.

The patch also allows group checks. It tests for standard posix group membership in LDAP (a posixGroup entry whose memberUid values include the user), and only users in the specified group are allowed in. There doesn't seem to be any way to nest groups, but this could be fixed eventually by making it a query rather than an attribute to test.

In terms of security, this is fine. We're exporting SSH public keys via LDAP, but that's the whole point of a public key; it doesn't need to be secret. What it does need is integrity: sshd will trust whatever key the directory returns, so the connection between sshd and the LDAP server should be protected with TLS, or anyone who can tamper with that traffic can insert a key of their own. Perhaps more concerning is exporting UIDs and other account information via LDAP to anyone who can query the directory. This could be tied down by creating a CA for your infrastructure and requiring that connecting clients present a certificate signed by that CA.

You can enforce LPK public keys only by setting AuthorizedKeysFile to /dev/null. This prevents users from inserting their own ssh public key onto the filesystem and bypassing any revocation you issue in LDAP. It also means that if the LDAP tree is unavailable, public key authentication fails for everyone and sshd falls through to password authentication, if that is still enabled. If you really want to be able to completely revoke a user's permission to log in, disable password authentication as well (PasswordAuthentication no), accepting that an LDAP outage then locks everyone out of ssh. Couple this with some PAM configuration to only allow admin or root accounts, and perhaps OTP or S/KEY authentication to eliminate root password leakage, and this becomes a fairly tight system.
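To make the lookup and the fallback behaviour concrete, here is an added example (written for this post, not code from the openssh-lpk project): an offline model of the LDAP query the patch performs during public key authentication, run against a small constructed LDIF directory. The ldapPublicKey object class and sshPublicKey attribute are the real schema names; the DNs, user names, groups and key strings are made up, and the ssh-style "login paths" table is my own summary of what the sshd_config settings above leave open when the directory is reachable or not.

```python
"""Offline model of the LPK lookup path and of the sshd_config fallback.

Added example, not part of the openssh-lpk patch.  The directory contents
below are constructed for this demonstration; only the object class
'ldapPublicKey' and the attribute 'sshPublicKey' come from the LPK schema.
"""
from collections import defaultdict

# Constructed sample directory in LDIF form (no continuation or base64 lines).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: ldapPublicKey
uid: alice
uidNumber: 1001
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleALICE1 alice@laptop
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexampleALICE2 alice@desktop

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: ldapPublicKey
uid: bob
uidNumber: 1002
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleBOB1 bob@laptop

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: carol
uidNumber: 1003

dn: cn=admins,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: admins
gidNumber: 2001
memberUid: alice

dn: cn=ops,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: ops
gidNumber: 2002
memberUid: bob
"""


def parse_ldif(text):
    """Parse minimal LDIF into entries: attribute name (lower-cased, since
    LDAP attribute names are case-insensitive) -> list of values."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
        current[attr].append(value)
    if current:
        entries.append(current)
    return entries


class Directory:
    """Stand-in for the LDAP server sshd talks to. 'available' models
    whether the directory answers at all."""

    def __init__(self, ldif, available=True):
        self.entries = parse_ldif(ldif)
        self.available = available

    def search(self, **filters):
        """Equality filter: search(objectclass='posixGroup', cn='admins',
        memberuid='alice') mirrors (&(objectClass=posixGroup)(cn=admins)(memberUid=alice))."""
        if not self.available:
            raise ConnectionError("LDAP server unreachable")
        return [e for e in self.entries
                if all(v.lower() in (x.lower() for x in e.get(k.lower(), []))
                       for k, v in filters.items())]


def lpk_authorized_keys(directory, username, required_group=None):
    """Keys sshd would accept for 'username' from LDAP: the user must be a
    posixAccount carrying ldapPublicKey, and, if a group is required, be
    listed as memberUid of that posixGroup. Otherwise nothing is returned."""
    users = directory.search(objectclass="posixAccount",
                             uid=username)
    if len(users) != 1:
        return []
    user = users[0]
    if "ldappublickey" not in [c.lower() for c in user["objectclass"]]:
        return []
    if required_group is not None and not directory.search(
            objectclass="posixGroup", cn=required_group, memberuid=username):
        return []
    return list(user.get("sshpublickey", []))


def login_paths(directory, username, sshd_config, required_group=None):
    """Summarise what is left open under sshd_config (dict of directive ->
    value): LDAP keys, a local authorized_keys file unless it is /dev/null,
    and password auth unless PasswordAuthentication is 'no'."""
    try:
        ldap_keys = lpk_authorized_keys(directory, username, required_group)
    except ConnectionError:
        ldap_keys = []  # directory down: no key can be fetched
    return {
        "ldap_keys": ldap_keys,
        "local_authorized_keys":
            sshd_config.get("AuthorizedKeysFile", ".ssh/authorized_keys") != "/dev/null",
        "password": sshd_config.get("PasswordAuthentication", "yes").lower() == "yes",
    }


if __name__ == "__main__":
    live = Directory(SAMPLE_LDIF)
    print("alice/admins:", lpk_authorized_keys(live, "alice", "admins"))
    print("bob/admins:", lpk_authorized_keys(live, "bob", "admins"))
    hardened = {"AuthorizedKeysFile": "/dev/null", "PasswordAuthentication": "no"}
    down = Directory(SAMPLE_LDIF, available=False)
    print("LDAP down, hardened config:", login_paths(down, "alice", hardened, "admins"))
```

With the default sshd_config the LDAP-down case still reports password as open, which is the fallback the post warns about; with AuthorizedKeysFile /dev/null and PasswordAuthentication no every path is closed, for the revoked user and for everybody else while the directory is unreachable.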
