Go to Qiita Advent Calendar 2024 Top
LoginSignup
17
16

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 5 years have passed since last update.

@T_Tsan(Takashi Tomokuni)

CentOS 6.5 で OpenLDAP(5)SSHを鍵認証にする

Last updated at Posted at 2014-04-21

公開鍵・秘密鍵発行

パスワード無しで公開鍵・秘密鍵発行

ssh-keygen -t rsa -b 2048 -N "" -f /tmp/id

/tmp/id が秘密鍵、/tmp/id.pub が公開鍵となる
これらを人数分発行し、秘密鍵は sftp などのセキュアな通信で各人に渡す
公開鍵は cat などで中身を読み込み、コピペで問題ない
また、公開鍵は行末にユーザー名とホスト名が記載されているが、これは削除しておく

/tmp/id
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA6h7MF46Nxcuhp34o1THSBuVvy7DsL02mo0pB77KfD/XYZIq7
CPkhnWm3Fp28+Yu85qalZmCD6wGIBQAEMVnXJmggjoRMExGu8bWtMLpZiWl9CUWi
+m29p46L56GkTxpPdZkypYEEe7EGeNkh8bGtA7l2VLrVcYdv0grpu35DMUscSXAT
dGpbcjQ5nDZm2pFRPRVLGHhZ5jY9kxF7jMYfTogOjwzkuvOc9U+zwei8Jy3g6xqk
lfI5JNdUMIGQ0HM9FUHgBSHIBpZXXRtfcZig4VEXfSuVJMhJfM5TE1899Og2gTW1
Vu4DtUTjmPhZCz+7BayrdejxiB+92B6Jkb778wIBIwKCAQEAtJtqPg7iZWKSpce5
GX40TnZ60FVIfEM3aAYVm6cM/a8GBGsFUBCk5yWqfyk6AlXa3dEDQFkVTuPsliSV
hSgMX3Tl6kjM+MR/pITWD6WyyRbczKNvGPWSTg7g9IQCaOhpLtVEU8ntg/2XR0hq
pIG/+48SJBsZr1nZ6yz9c2FnCMNwMTCdLU3WR6g4bOcKVZdXUPmMpA+NPhrXG7ib
r9rFTuV9KlpMq/XL8I6rEl6/xWF1VZByXRruVpv7lRfsZ13d7sg9U5iUn9afR3Gf
q7TL+R72V+kS1C51NODSXn8n7apSP4+Ew20AGpZTw85sZ0QlL8ySbcA7/673/nxh
VeoHKwKBgQD3ypBkmzPxV5LC6/hTzA7oCmtI727p8LMBXjkjUb0H6QiDudhD/8Hd
nPPqmD4pTAwohRZIjFeZlK1Sq77jpU7Xhal+CHcGzYankiW62Vhx+HFTwZmzZw++
S602ehnOaOqBUKzSGmHRZOrO+Xsce0RB9h/MKduICc3hHzXNO2X/UQKBgQDx4EtU
4Nr/ABy7xEH8Lce1o8VVVF2S8Nuzlaaq29EOJSamNgHxfXfc56LYcKsCj2p/HQa+
Toqs+feCgR7sfzjwiXheV2m0tbcaNXVQ35gv+0XZu2O/2hQGOG90Mb0MYWNKkkoa
sP7mU9AZ0RLV9yfgjzfVoVaW+f1F6keAiCmeAwKBgQCGg+f8Gb0cnUEKupy/xou/
yyRMKjTlZWh9FeSA4zq7Jrt6tVgk6ezmBL7tENFJnk++OZ5h5cknfJial79louGo
Mp3WtCNbduKyvQ0q6wQgnM/OYch3VTRunhwzhByjQETJ21aArzxqW1rlYtxujA8c
fkvGmmE7OIW0uSvVz8mn2wKBgHV7kk3MTRzFikyShnMsLc1A6tGsonqSPtOR1Jwh
oA4vTUlqsHycBwTliZxT+0pi6pWDIIhSCNesnMpb+RPIw+KL6gHv8YOouAVqbC6Y
fR6enkUvIdI2uUTZlThv7hv0ydPDZdJzOfrYQIGRb4x/XIMDvAitczNjewSznxKL
R2oBAoGALQKKyjxLKxiX89mMD7cLcT4Vg4Z2mpCGKEY9ZVeMz+aG+NR6AVR6j5Ik
682R4Cgiln5UMXA9L6ZZaUqlspWbHnFbfZUbEv/Q2BZWLr6j4xc7Y8Hj1DAVAUKp
SCkwwkWnJlwMGtTxI2aRuBUuWt5muJX84F1TxNM237W5MWea6D4=
-----END RSA PRIVATE KEY-----
/tmp/id.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6h7MF46Nxcuhp34o1THSBuVvy7DsL02mo0pB77KfD/XYZIq7CPkhnWm3Fp28+Yu85qalZmCD6wGIBQAEMVnXJmggjoRMExGu8bWtMLpZiWl9CUWi+m29p46L56GkTxpPdZkypYEEe7EGeNkh8bGtA7l2VLrVcYdv0grpu35DMUscSXATdGpbcjQ5nDZm2pFRPRVLGHhZ5jY9kxF7jMYfTogOjwzkuvOc9U+zwei8Jy3g6xqklfI5JNdUMIGQ0HM9FUHgBSHIBpZXXRtfcZig4VEXfSuVJMhJfM5TE1899Og2gTW1Vu4DtUTjmPhZCz+7BayrdejxiB+92B6Jkb778w==

サーバー側作業

OpenSSHのLDAPサポートパッケージをインストールする

yum -y install openssh-ldap
cp -a /usr/share/doc/openssh-ldap-5.3p1/openssh-lpk-openldap.schema /etc/openldap/schema/openssh.schema

OpenLDAP設定ファイル編集

include /etc/openldap/schema/openssh.schema を追記する

/etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/openssh.schema

# 接続プロトコル
allow bind_v2

# 管理ファイル
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# TLS設定
#TLSCACertificatePath  /etc/openldap/ssl/cacert.pem
#TLSCertificateFile    /etc/openldap/ssl/server.crt
#TLSCertificateKeyFile /etc/openldap/ssl/server.key

# userPasswordに関するアクセス権
access to attrs=userPassword
    by self write
    by dn="cn=Manager,dc=example,dc=com" write
    by anonymous auth
    by * none

# その他の属性に対するアクセス権
access to *
    by self write
    by dn="cn=Manager,dc=example,dc=com" write
    by * read

# monitorデータベースに対するアクセス権
database monitor
access to *
    by dn.exact="cn=Manager,dc=example,dc=com" read
    by * none

# データベース設定
database    bdb
suffix      "dc=example,dc=com"
checkpoint  1024 15
rootdn      "cn=Manager,dc=example,dc=com"
rootpw      {SSHA}fCkF7qPmO1cnQsPun1fixcrhCNP+Kerd
directory   /var/lib/ldap

# indexの設定
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

LDAP情報を更新する

/etc/init.d/slapd stop
rm -rf /etc/openldap/slapd.d/*
sudo -u ldap slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
/etc/init.d/slapd start

LDAPサーバーに各ユーザーの公開鍵を登録する

/etc/openldap/ldif/key.ldif
# 部長:武田 貴彦
dn: uid=takahiko.takeda,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6h7MF46Nxcuhp34o1THSBuVvy7DsL02mo0pB77KfD/XYZIq7CPkhnWm3Fp28+Yu85qalZmCD6wGIBQAEMVnXJmggjoRMExGu8bWtMLpZiWl9CUWi+m29p46L56GkTxpPdZkypYEEe7EGeNkh8bGtA7l2VLrVcYdv0grpu35DMUscSXATdGpbcjQ5nDZm2pFRPRVLGHhZ5jY9kxF7jMYfTogOjwzkuvOc9U+zwei8Jy3g6xqklfI5JNdUMIGQ0HM9FUHgBSHIBpZXXRtfcZig4VEXfSuVJMhJfM5TE1899Og2gTW1Vu4DtUTjmPhZCz+7BayrdejxiB+92B6Jkb778w==

# 開発課 課長:横山 真也
dn: uid=shinya.yokoyama,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq3bXY1cd7S1deAGtmPN/CcvYo4ED2C/SL/Bru9OxxOJs0I2oik+HzTj2SYQiiN1Q4Zf5vuR9AMe8rSSFJOUGgTaliBLHU0scPPIrg8y7Un+InvoJdbYgD7c/7Tap6YytEaj7bdemhi1/Gy5kOwkcRmQYsZBNJy4KEQJe4kJHGBpokHcqkBafxVrv/CuXfwZjoqfb0K2N5SGMKudrgofHBP8b/qmWDDFR21ZFwk8cVJVprYmqshsCF0qeg/9NRb22Y2lZ3ZSlR8mlMobGgBuVAtx1epUm3f3UpbC44nbEDNeMzprENCjgVj02Z8pxWc1PmjSzi/Va2tz4jixB4I70bw==

# 運用課 課長:井上 修
dn: uid=osamu.inoue,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyZYHfpIUjcXokOmzKJdlnrm1Gq02Ygi/PJnOlS5LqUJUVn03zYjCGjVln52izOZ2XgVEnzRlKXHadbUcf2KvYz2iJUqB5bH5yCla9butG1bEswRO2MUYU0vAjxToRZIT/aJAywgaW+OaPPv8112SwLNEgmzqN+N/4g9oCI03bKlhTEE6FzuHTi6V6FJOFTrwnbiv2ag/IFnsctk060qfLbl38aN3wVjpcnYBog/dTWLbcc1CcQ21Mfg9diO8BXpXZSUhyOjAGyYXv9+l4m17GGWmBRHYRh1jrdt1i8PVLUVg4gZ5YHhkEday0cWpNJieGrStsfN8cyKBBVlKmmV1fw==

# 開発課 社員:石川 直樹
dn: uid=naoki.ishikawa,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoNuB16f1OiJeJoEuRKPlXSqn1Of9R4e5Rh4EzOKiRa6lD7pGr5KFin7TS5X1+5De6MDzv4/qhJNtAkQ7wOb7lNFn/8mlW6OXkNcPqoHvLCWs927NyXtwujhFFE+sTgibWIaf3NBeoq+dlG9RIFFHlMRg16pR9gr2/5Zehlr7UNYzdzwz0GG62uEoevdqwm3lmXD1YTFW48BXkMjgipsmD6cER10rbubMSSF8KY6p1a9ghEB9+y1Ii65HPEiQwsUwu8/bc7mfm4GsLiu98qokkyCOjLFp1kppkqWGMkCOcB6bia6o4K1Y62ituh45tJgJXgTL3SUU2QA7TONabF46qw==

# 運用課 社員:田村 和夫
dn: uid=kazuo.tamura,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt6vDrw+mA/cOPzpcBF/UbplOT7VV7dPKDsCQyyBWPbTMCiOPl4FM/8CGg0NxdU3bW9fu0eF4qurwdhezrRVw72GeLOVUVsvcIEyjtvk4190OSZXkko/qIQvNre1vtf13WIE8w3fyJsc56LQJ/cM7/BpXma1fh5aCBxhyX+ea/uk/no6+E75gdGvsHurJxor0PE8FLl/ixovC+Ve+RcIvrW5rrO+TfxLdp54vqoqaWg4Lof/mRWpKfvsJkZ74zmbiFuqKQpVKWtTx5Gaf38HvqvaaE9nJJgmFIpE1y7+ZvxFu8lKft+Llca8qP0xbV2vPg5uy+5x9rVNt+qI16b4OTQ==

ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/ldif/key.ldif

サーバー・クライアント側作業

OpenSSHのLDAPサポートパッケージをインストールする

yum -y install openssh-ldap

SSH設定編集

公開鍵認証とし、パスワード認証を拒否する
また、rootでのログインも禁止し、LDAP経由で公開鍵を取得するようにする

/etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs root

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

SSHサーバー再起動

/etc/init.d/sshd restart

確認

各人、それぞれの秘密鍵でSSH接続可能かどうか、試す

17
16
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
17
16

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?