

CentOS 6.5 で OpenLDAP(5)SSHを鍵認証にする

Last updated at Posted at 2014-04-21

公開鍵・秘密鍵発行

パスフレーズ無しで公開鍵・秘密鍵を発行する（`-N ""`）。パスフレーズが無いため、秘密鍵ファイルを入手した者は誰でもそのまま使えることに注意。運用上は、発行元で一括生成して配るより、各ユーザーが自分の端末で鍵対を生成し、公開鍵だけを提出してもらう方が安全である。

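# Generate an RSA-2048 key pair with no passphrase (-N "") and an empty
# comment (-C ""), so the public key does not end in "user@host" and the
# manual edit described further down is unnecessary.
# /tmp is shared with every local user: umask 077 keeps both files
# owner-only (ssh-keygen already creates the private key 0600; this also
# covers id.pub).
# NOTE(review): generating keys centrally and shipping the private half to
# each user is weaker than letting each user generate their own pair and
# submit only the public key; with no passphrase, whoever obtains the file
# can use it directly.
umask 077
ssh-keygen -t rsa -b 2048 -N "" -C "" -f /tmp/id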

/tmp/id が秘密鍵、/tmp/id.pub が公開鍵となる
これらを人数分発行し、秘密鍵は sftp などの暗号化された経路で各人に渡す。同じ `/tmp/id` に何度も書き出すと上書き・取り違えの元になるので、鍵ごとにファイル名を分け、渡し終えたら発行元に残った秘密鍵のコピーは削除する
公開鍵は cat などで中身を読み込み、コピペで問題ない
また、公開鍵の行末にはコメントとしてユーザー名とホスト名が付くが、これは削除しておく（ssh-keygen に `-C ""` を付けて生成すればコメントは最初から付かない）

/tmp/id
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
/tmp/id.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6h7MF46Nxcuhp34o1THSBuVvy7DsL02mo0pB77KfD/XYZIq7CPkhnWm3Fp28+Yu85qalZmCD6wGIBQAEMVnXJmggjoRMExGu8bWtMLpZiWl9CUWi+m29p46L56GkTxpPdZkypYEEe7EGeNkh8bGtA7l2VLrVcYdv0grpu35DMUscSXATdGpbcjQ5nDZm2pFRPRVLGHhZ5jY9kxF7jMYfTogOjwzkuvOc9U+zwei8Jy3g6xqklfI5JNdUMIGQ0HM9FUHgBSHIBpZXXRtfcZig4VEXfSuVJMhJfM5TE1899Og2gTW1Vu4DtUTjmPhZCz+7BayrdejxiB+92B6Jkb778w==

サーバー側作業

OpenSSHのLDAPサポートパッケージをインストールする

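# Install the openssh-ldap helper package, then copy the schema it ships
# into the OpenLDAP schema directory so slapd can load ldapPublicKey /
# sshPublicKey.
yum -y install openssh-ldap
# The doc directory name carries the package version; the original command
# hard-coded openssh-ldap-5.3p1 and silently copies nothing on any other
# build. Resolve the path from the installed package instead.
schema=$(rpm -ql openssh-ldap | grep -m1 '/openssh-lpk-openldap.schema$') \
  || { echo 'openssh-lpk-openldap.schema not found in openssh-ldap' >&2; exit 1; }
cp -a -- "$schema" /etc/openldap/schema/openssh.schema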

OpenLDAP設定ファイル編集

include /etc/openldap/schema/openssh.schema を追記する

/etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Adds the ldapPublicKey object class and sshPublicKey attribute consumed by
# ssh-ldap-helper (the file copied from the openssh-ldap package above).
include /etc/openldap/schema/openssh.schema

# Connection protocol
# NOTE(review): this permits legacy LDAPv2 binds, which are obsolete and
# cannot use StartTLS. Drop the line unless a known client still needs v2.
allow bind_v2

# Runtime files
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# TLS settings
# NOTE(review): TLS is disabled here, so simple binds (user passwords and the
# Manager password used by ldapmodify below) and the sshPublicKey lookups made
# by sshd's AuthorizedKeysCommand cross the network in clear text. Anyone who
# can tamper with an LDAP reply on the path could substitute their own public
# key, so enable TLS (ldaps:// or StartTLS, with the client verifying the CA)
# before relying on this for SSH authentication. Per slapd.conf(5),
# TLSCACertificatePath names a directory of CA certificates; for a single
# cacert.pem the usual directive is TLSCACertificateFile — confirm when
# enabling.
#TLSCACertificatePath  /etc/openldap/ssl/cacert.pem
#TLSCertificateFile    /etc/openldap/ssl/server.crt
#TLSCertificateKeyFile /etc/openldap/ssl/server.key

# Access control for userPassword
# (These access rules precede the first "database" line, so they act as the
# global default for databases that define none of their own.)
# The owner and the Manager may read/write the hash, anonymous may only use
# it to authenticate, everyone else gets nothing.
access to attrs=userPassword
    by self write
    by dn="cn=Manager,dc=example,dc=com" write
    by anonymous auth
    by * none

# Access control for every other attribute
# NOTE(review): sshPublicKey is covered by this rule. "by self write" lets any
# user who knows their LDAP password enrol a new SSH key for themselves, so
# the LDAP password effectively becomes an SSH credential; "by * read" lets
# anonymous clients read the whole tree (ssh-ldap-helper presumably relies on
# that unless /etc/ssh/ldap.conf gives it a bind DN — verify). Consider an
# explicit "access to attrs=sshPublicKey" rule writable by the Manager only.
access to *
    by self write
    by dn="cn=Manager,dc=example,dc=com" write
    by * read

# Access control for the monitor database
database monitor
access to *
    by dn.exact="cn=Manager,dc=example,dc=com" read
    by * none

# Database settings
database    bdb
suffix      "dc=example,dc=com"
checkpoint  1024 15
rootdn      "cn=Manager,dc=example,dc=com"
# SSHA hash of the Manager password. rootdn bypasses the ACLs above, so keep
# this file readable only by root and the ldap user (e.g. 0640 root:ldap).
# NOTE(review): this hash is published in the article — generate your own
# with slappasswd rather than reusing it.
rootpw      {SSHA}fCkF7qPmO1cnQsPun1fixcrhCNP+Kerd
directory   /var/lib/ldap

# Index settings
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

LDAP情報を更新する

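# Rebuild the cn=config directory (slapd.d) from slapd.conf and restart slapd.
# The steps are chained so that a slaptest failure does not leave slapd
# running on an empty or half-written configuration.
# slapd.conf holds the rootpw hash; it should stay 0640 root:ldap (the ldap
# user must still be able to read it for slaptest below).
/etc/init.d/slapd stop
rm -rf -- /etc/openldap/slapd.d/*
# Run as the ldap user so the generated files are owned by it.
sudo -u ldap slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d \
  || { echo 'slaptest failed: slapd.d not regenerated, slapd left stopped' >&2; exit 1; }
/etc/init.d/slapd start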

LDAPサーバーに各ユーザーの公開鍵を登録する

/etc/openldap/ldif/key.ldif
# Department head: Takahiko Takeda
# Each record adds the ldapPublicKey auxiliary class (from openssh.schema)
# and one sshPublicKey value; ssh-ldap-helper hands those values to sshd in
# place of authorized_keys lines.
# NOTE(review): the DN component "dc=People" is unusual (ou=People is the
# common layout); it must match the tree built in the earlier parts of this
# series, so check with ldapsearch before applying.
# NOTE(review): these key values are published in the article, and the
# private half of the first one appeared on the same page. They are
# examples only and must never be enrolled on a real host.
dn: uid=takahiko.takeda,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6h7MF46Nxcuhp34o1THSBuVvy7DsL02mo0pB77KfD/XYZIq7CPkhnWm3Fp28+Yu85qalZmCD6wGIBQAEMVnXJmggjoRMExGu8bWtMLpZiWl9CUWi+m29p46L56GkTxpPdZkypYEEe7EGeNkh8bGtA7l2VLrVcYdv0grpu35DMUscSXATdGpbcjQ5nDZm2pFRPRVLGHhZ5jY9kxF7jMYfTogOjwzkuvOc9U+zwei8Jy3g6xqklfI5JNdUMIGQ0HM9FUHgBSHIBpZXXRtfcZig4VEXfSuVJMhJfM5TE1899Og2gTW1Vu4DtUTjmPhZCz+7BayrdejxiB+92B6Jkb778w==

# Development section manager: Shinya Yokoyama
dn: uid=shinya.yokoyama,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq3bXY1cd7S1deAGtmPN/CcvYo4ED2C/SL/Bru9OxxOJs0I2oik+HzTj2SYQiiN1Q4Zf5vuR9AMe8rSSFJOUGgTaliBLHU0scPPIrg8y7Un+InvoJdbYgD7c/7Tap6YytEaj7bdemhi1/Gy5kOwkcRmQYsZBNJy4KEQJe4kJHGBpokHcqkBafxVrv/CuXfwZjoqfb0K2N5SGMKudrgofHBP8b/qmWDDFR21ZFwk8cVJVprYmqshsCF0qeg/9NRb22Y2lZ3ZSlR8mlMobGgBuVAtx1epUm3f3UpbC44nbEDNeMzprENCjgVj02Z8pxWc1PmjSzi/Va2tz4jixB4I70bw==

# Operations section manager: Osamu Inoue
dn: uid=osamu.inoue,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyZYHfpIUjcXokOmzKJdlnrm1Gq02Ygi/PJnOlS5LqUJUVn03zYjCGjVln52izOZ2XgVEnzRlKXHadbUcf2KvYz2iJUqB5bH5yCla9butG1bEswRO2MUYU0vAjxToRZIT/aJAywgaW+OaPPv8112SwLNEgmzqN+N/4g9oCI03bKlhTEE6FzuHTi6V6FJOFTrwnbiv2ag/IFnsctk060qfLbl38aN3wVjpcnYBog/dTWLbcc1CcQ21Mfg9diO8BXpXZSUhyOjAGyYXv9+l4m17GGWmBRHYRh1jrdt1i8PVLUVg4gZ5YHhkEday0cWpNJieGrStsfN8cyKBBVlKmmV1fw==

# Development section staff: Naoki Ishikawa
dn: uid=naoki.ishikawa,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoNuB16f1OiJeJoEuRKPlXSqn1Of9R4e5Rh4EzOKiRa6lD7pGr5KFin7TS5X1+5De6MDzv4/qhJNtAkQ7wOb7lNFn/8mlW6OXkNcPqoHvLCWs927NyXtwujhFFE+sTgibWIaf3NBeoq+dlG9RIFFHlMRg16pR9gr2/5Zehlr7UNYzdzwz0GG62uEoevdqwm3lmXD1YTFW48BXkMjgipsmD6cER10rbubMSSF8KY6p1a9ghEB9+y1Ii65HPEiQwsUwu8/bc7mfm4GsLiu98qokkyCOjLFp1kppkqWGMkCOcB6bia6o4K1Y62ituh45tJgJXgTL3SUU2QA7TONabF46qw==

# Operations section staff: Kazuo Tamura
dn: uid=kazuo.tamura,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt6vDrw+mA/cOPzpcBF/UbplOT7VV7dPKDsCQyyBWPbTMCiOPl4FM/8CGg0NxdU3bW9fu0eF4qurwdhezrRVw72GeLOVUVsvcIEyjtvk4190OSZXkko/qIQvNre1vtf13WIE8w3fyJsc56LQJ/cM7/BpXma1fh5aCBxhyX+ea/uk/no6+E75gdGvsHurJxor0PE8FLl/ixovC+Ve+RcIvrW5rrO+TfxLdp54vqoqaWg4Lof/mRWpKfvsJkZ74zmbiFuqKQpVKWtTx5Gaf38HvqvaaE9nJJgmFIpE1y7+ZvxFu8lKft+Llca8qP0xbV2vPg5uy+5x9rVNt+qI16b4OTQ==
# Apply key.ldif as the Manager (simple bind, password prompted by -W).
# NOTE(review): with TLS disabled in slapd.conf this bind sends the Manager
# password in clear text unless the target is localhost; add -ZZ (StartTLS)
# or use an ldaps:// URI once TLS is configured.
ldapmodify -x -W -D 'cn=Manager,dc=example,dc=com' -f /etc/openldap/ldif/key.ldif

サーバー・クライアント側作業

OpenSSHのLDAPサポートパッケージをインストールする

# Install the openssh-ldap package (ssh-ldap-helper / ssh-ldap-wrapper) on
# every SSH server that should look up public keys in LDAP.
yum install -y openssh-ldap

SSH設定編集

公開鍵認証とし、パスワード認証を拒否する
また、rootでのログインも禁止し、LDAP経由で公開鍵を取得するようにする。なお AuthorizedKeysFile は既定のままなので、各ホストの ~/.ssh/authorized_keys も引き続き有効である（LDAP を唯一の鍵の供給元にしたい場合は AuthorizedKeysFile 側も無効化する）。ssh-ldap-helper が参照する接続先や検索ベースは /etc/ssh/ldap.conf で設定するが、本記事ではその内容は扱っていない

/etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# root must log in with a personal account and escalate locally.
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
PubkeyAuthentication yes
# NOTE(review): AuthorizedKeysFile is left at its default, so a key placed in
# ~/.ssh/authorized_keys on this host still grants login alongside the keys
# fetched from LDAP. If LDAP is meant to be the only source, point
# AuthorizedKeysFile at an empty file (e.g. /dev/null) — confirm the value
# accepted by this sshd version.
#AuthorizedKeysFile     .ssh/authorized_keys
# Fetch the user's sshPublicKey values from LDAP. The helper reads its server
# URI, search base and TLS settings from /etc/ssh/ldap.conf, which this
# article does not show; keys are only as trustworthy as that channel.
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
# NOTE(review): the wrapper only needs to read /etc/ssh/ldap.conf and query
# the directory; root is more privilege than it needs. The openssh-ldap
# package documentation suggests an unprivileged account such as nobody —
# check the package README and make ldap.conf readable by that account.
AuthorizedKeysCommandRunAs root

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
# Password logins are refused; with ChallengeResponseAuthentication also off
# below, public key (and GSSAPI, if ever configured) are the only methods.
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
# NOTE(review): GSSAPI login is enabled although nothing on this page sets up
# Kerberos; presumably inert without a keytab, but set to no if unused.
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
# As described above: with both password methods set to no, PAM runs only
# its account/session stages here and cannot authenticate by password.
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
# NOTE(review): X11 forwarding is enabled for every user; disable it unless
# remote X clients are actually needed on these servers.
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
# Skip reverse-DNS lookups of the client address (avoids login delays when
# DNS is slow; log lines then show IP addresses rather than names).
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

SSHサーバー再起動

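# Validate the edited configuration before restarting; a syntax error would
# otherwise stop sshd and lock out remote access. Keep an existing session
# open until a fresh login has been confirmed.
/usr/sbin/sshd -t && /etc/init.d/sshd restart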

確認

設定変更後は既存の SSH セッションを閉じずに別の端末から接続し、各人がそれぞれの秘密鍵で SSH 接続できること、および鍵を使わない接続（例: `ssh -o PubkeyAuthentication=no`）がパスワードを聞かれずに拒否されることの両方を確認する
