CentOS
OpenSSH
openssl
openldap

CentOS 6.5 で OpenLDAP(5)SSHを鍵認証にする

More than 5 years have passed since last update.


公開鍵・秘密鍵発行


パスワード無しで公開鍵・秘密鍵発行

ssh-keygen -t rsa -b 2048 -N "" -f /tmp/id

/tmp/id が秘密鍵、/tmp/id.pub が公開鍵となる

これらを人数分発行し、秘密鍵は sftp などのセキュアな通信で各人に渡す

公開鍵は cat などで中身を読み込み、コピペで問題ない

また、公開鍵は行末にユーザー名とホスト名が記載されているが、これは削除しておく


/tmp/id

-----BEGIN RSA PRIVATE KEY-----

MIIEogIBAAKCAQEA6h7MF46Nxcuhp34o1THSBuVvy7DsL02mo0pB77KfD/XYZIq7
CPkhnWm3Fp28+Yu85qalZmCD6wGIBQAEMVnXJmggjoRMExGu8bWtMLpZiWl9CUWi
+m29p46L56GkTxpPdZkypYEEe7EGeNkh8bGtA7l2VLrVcYdv0grpu35DMUscSXAT
dGpbcjQ5nDZm2pFRPRVLGHhZ5jY9kxF7jMYfTogOjwzkuvOc9U+zwei8Jy3g6xqk
lfI5JNdUMIGQ0HM9FUHgBSHIBpZXXRtfcZig4VEXfSuVJMhJfM5TE1899Og2gTW1
Vu4DtUTjmPhZCz+7BayrdejxiB+92B6Jkb778wIBIwKCAQEAtJtqPg7iZWKSpce5
GX40TnZ60FVIfEM3aAYVm6cM/a8GBGsFUBCk5yWqfyk6AlXa3dEDQFkVTuPsliSV
hSgMX3Tl6kjM+MR/pITWD6WyyRbczKNvGPWSTg7g9IQCaOhpLtVEU8ntg/2XR0hq
pIG/+48SJBsZr1nZ6yz9c2FnCMNwMTCdLU3WR6g4bOcKVZdXUPmMpA+NPhrXG7ib
r9rFTuV9KlpMq/XL8I6rEl6/xWF1VZByXRruVpv7lRfsZ13d7sg9U5iUn9afR3Gf
q7TL+R72V+kS1C51NODSXn8n7apSP4+Ew20AGpZTw85sZ0QlL8ySbcA7/673/nxh
VeoHKwKBgQD3ypBkmzPxV5LC6/hTzA7oCmtI727p8LMBXjkjUb0H6QiDudhD/8Hd
nPPqmD4pTAwohRZIjFeZlK1Sq77jpU7Xhal+CHcGzYankiW62Vhx+HFTwZmzZw++
S602ehnOaOqBUKzSGmHRZOrO+Xsce0RB9h/MKduICc3hHzXNO2X/UQKBgQDx4EtU
4Nr/ABy7xEH8Lce1o8VVVF2S8Nuzlaaq29EOJSamNgHxfXfc56LYcKsCj2p/HQa+
Toqs+feCgR7sfzjwiXheV2m0tbcaNXVQ35gv+0XZu2O/2hQGOG90Mb0MYWNKkkoa
sP7mU9AZ0RLV9yfgjzfVoVaW+f1F6keAiCmeAwKBgQCGg+f8Gb0cnUEKupy/xou/
yyRMKjTlZWh9FeSA4zq7Jrt6tVgk6ezmBL7tENFJnk++OZ5h5cknfJial79louGo
Mp3WtCNbduKyvQ0q6wQgnM/OYch3VTRunhwzhByjQETJ21aArzxqW1rlYtxujA8c
fkvGmmE7OIW0uSvVz8mn2wKBgHV7kk3MTRzFikyShnMsLc1A6tGsonqSPtOR1Jwh
oA4vTUlqsHycBwTliZxT+0pi6pWDIIhSCNesnMpb+RPIw+KL6gHv8YOouAVqbC6Y
fR6enkUvIdI2uUTZlThv7hv0ydPDZdJzOfrYQIGRb4x/XIMDvAitczNjewSznxKL
R2oBAoGALQKKyjxLKxiX89mMD7cLcT4Vg4Z2mpCGKEY9ZVeMz+aG+NR6AVR6j5Ik
682R4Cgiln5UMXA9L6ZZaUqlspWbHnFbfZUbEv/Q2BZWLr6j4xc7Y8Hj1DAVAUKp
SCkwwkWnJlwMGtTxI2aRuBUuWt5muJX84F1TxNM237W5MWea6D4=
-----END RSA PRIVATE KEY-----


/tmp/id.pub

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6h7MF46Nxcuhp34o1THSBuVvy7DsL02mo0pB77KfD/XYZIq7CPkhnWm3Fp28+Yu85qalZmCD6wGIBQAEMVnXJmggjoRMExGu8bWtMLpZiWl9CUWi+m29p46L56GkTxpPdZkypYEEe7EGeNkh8bGtA7l2VLrVcYdv0grpu35DMUscSXATdGpbcjQ5nDZm2pFRPRVLGHhZ5jY9kxF7jMYfTogOjwzkuvOc9U+zwei8Jy3g6xqklfI5JNdUMIGQ0HM9FUHgBSHIBpZXXRtfcZig4VEXfSuVJMhJfM5TE1899Og2gTW1Vu4DtUTjmPhZCz+7BayrdejxiB+92B6Jkb778w==



サーバー側作業


OpenSSHのLDAPサポートパッケージをインストールする

yum -y install openssh-ldap

cp -a /usr/share/doc/openssh-ldap-5.3p1/openssh-lpk-openldap.schema /etc/openldap/schema/openssh.schema


OpenLDAP設定ファイル編集

include /etc/openldap/schema/openssh.schema を追記する


/etc/openldap/slapd.conf

include /etc/openldap/schema/corba.schema

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/openssh.schema

# 接続プロトコル
allow bind_v2

# 管理ファイル
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# TLS設定
#TLSCACertificatePath /etc/openldap/ssl/cacert.pem
#TLSCertificateFile /etc/openldap/ssl/server.crt
#TLSCertificateKeyFile /etc/openldap/ssl/server.key

# userPasswordに関するアクセス権
access to attrs=userPassword
by self write
by dn="cn=Manager,dc=example,dc=com" write
by anonymous auth
by * none

# その他の属性に対するアクセス権
access to *
by self write
by dn="cn=Manager,dc=example,dc=com" write
by * read

# monitorデータベースに対するアクセス権
database monitor
access to *
by dn.exact="cn=Manager,dc=example,dc=com" read
by * none

# データベース設定
database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}fCkF7qPmO1cnQsPun1fixcrhCNP+Kerd
directory /var/lib/ldap

# indexの設定
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub



LDAP情報を更新する

/etc/init.d/slapd stop

rm -rf /etc/openldap/slapd.d/*
sudo -u ldap slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
/etc/init.d/slapd start


LDAPサーバーに各ユーザーの公開鍵を登録する


/etc/openldap/ldif/key.ldif

# 部長:武田 貴彦

dn: uid=takahiko.takeda,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6h7MF46Nxcuhp34o1THSBuVvy7DsL02mo0pB77KfD/XYZIq7CPkhnWm3Fp28+Yu85qalZmCD6wGIBQAEMVnXJmggjoRMExGu8bWtMLpZiWl9CUWi+m29p46L56GkTxpPdZkypYEEe7EGeNkh8bGtA7l2VLrVcYdv0grpu35DMUscSXATdGpbcjQ5nDZm2pFRPRVLGHhZ5jY9kxF7jMYfTogOjwzkuvOc9U+zwei8Jy3g6xqklfI5JNdUMIGQ0HM9FUHgBSHIBpZXXRtfcZig4VEXfSuVJMhJfM5TE1899Og2gTW1Vu4DtUTjmPhZCz+7BayrdejxiB+92B6Jkb778w==

# 開発課 課長:横山 真也
dn: uid=shinya.yokoyama,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq3bXY1cd7S1deAGtmPN/CcvYo4ED2C/SL/Bru9OxxOJs0I2oik+HzTj2SYQiiN1Q4Zf5vuR9AMe8rSSFJOUGgTaliBLHU0scPPIrg8y7Un+InvoJdbYgD7c/7Tap6YytEaj7bdemhi1/Gy5kOwkcRmQYsZBNJy4KEQJe4kJHGBpokHcqkBafxVrv/CuXfwZjoqfb0K2N5SGMKudrgofHBP8b/qmWDDFR21ZFwk8cVJVprYmqshsCF0qeg/9NRb22Y2lZ3ZSlR8mlMobGgBuVAtx1epUm3f3UpbC44nbEDNeMzprENCjgVj02Z8pxWc1PmjSzi/Va2tz4jixB4I70bw==

# 運用課 課長:井上 修
dn: uid=osamu.inoue,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyZYHfpIUjcXokOmzKJdlnrm1Gq02Ygi/PJnOlS5LqUJUVn03zYjCGjVln52izOZ2XgVEnzRlKXHadbUcf2KvYz2iJUqB5bH5yCla9butG1bEswRO2MUYU0vAjxToRZIT/aJAywgaW+OaPPv8112SwLNEgmzqN+N/4g9oCI03bKlhTEE6FzuHTi6V6FJOFTrwnbiv2ag/IFnsctk060qfLbl38aN3wVjpcnYBog/dTWLbcc1CcQ21Mfg9diO8BXpXZSUhyOjAGyYXv9+l4m17GGWmBRHYRh1jrdt1i8PVLUVg4gZ5YHhkEday0cWpNJieGrStsfN8cyKBBVlKmmV1fw==

# 開発課 社員:石川 直樹
dn: uid=naoki.ishikawa,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoNuB16f1OiJeJoEuRKPlXSqn1Of9R4e5Rh4EzOKiRa6lD7pGr5KFin7TS5X1+5De6MDzv4/qhJNtAkQ7wOb7lNFn/8mlW6OXkNcPqoHvLCWs927NyXtwujhFFE+sTgibWIaf3NBeoq+dlG9RIFFHlMRg16pR9gr2/5Zehlr7UNYzdzwz0GG62uEoevdqwm3lmXD1YTFW48BXkMjgipsmD6cER10rbubMSSF8KY6p1a9ghEB9+y1Ii65HPEiQwsUwu8/bc7mfm4GsLiu98qokkyCOjLFp1kppkqWGMkCOcB6bia6o4K1Y62ituh45tJgJXgTL3SUU2QA7TONabF46qw==

# 運用課 社員:田村 和夫
dn: uid=kazuo.tamura,dc=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt6vDrw+mA/cOPzpcBF/UbplOT7VV7dPKDsCQyyBWPbTMCiOPl4FM/8CGg0NxdU3bW9fu0eF4qurwdhezrRVw72GeLOVUVsvcIEyjtvk4190OSZXkko/qIQvNre1vtf13WIE8w3fyJsc56LQJ/cM7/BpXma1fh5aCBxhyX+ea/uk/no6+E75gdGvsHurJxor0PE8FLl/ixovC+Ve+RcIvrW5rrO+TfxLdp54vqoqaWg4Lof/mRWpKfvsJkZ74zmbiFuqKQpVKWtTx5Gaf38HvqvaaE9nJJgmFIpE1y7+ZvxFu8lKft+Llca8qP0xbV2vPg5uy+5x9rVNt+qI16b4OTQ==


ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/ldif/key.ldif


サーバー・クライアント側作業


OpenSSHのLDAPサポートパッケージをインストールする

yum -y install openssh-ldap


SSH設定編集

公開鍵認証とし、パスワード認証を拒否する

また、rootでのログインも禁止し、LDAP経由で公開鍵を取得するようにする


/etc/ssh/sshd_config

#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs root

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server



SSHサーバー再起動

/etc/init.d/sshd restart


確認

各人、それぞれの秘密鍵でSSH接続可能かどうか、試す