SSH login using LDAP Authentication

Round and round the web I went, looking for a way to allow a user to
SSH into a linux box using an LDAP login (actually an AD account, but
it’s all the same when it comes to this scenario). I ran down the
libnss_ldap+pam_ldap path, which, for the record, is not what you’re
looking for unless you’re looking to completely integrate the box with
AD, and that proved to be unsuccessful. After asking a co-worker, it
turns out the solution is easy as pie.

Here’s the rig: AD ldap to auth against, ubuntu 6.06 box with ssh
configured. Generally, LDAP/AD will require an account to query with,
so you’ll need that info along with the desired AD account to be used
for logging into SSH.

items needed:

  • sudo access
  • the LDAP user account
  • LDAP server dns/ip address
  • LDAP query account information: username and password
  • know the LDAP path to user accounts
  • fingers! (to type)

1. Add the LDAP/AD account as a regular local user on the system, with the
same username as the LDAP account:
# sudo adduser <ldap username>
Note: the password you enter here isn’t going to be used, but you
still want to use a strong password and take note of it.

2. Install ldap-utils libpam-ldap:
# sudo apt-get install ldap-utils libpam-ldap

3. Backup then modify /etc/pam_ldap.conf:
# sudo cp /etc/pam_ldap.conf /etc/pam_ldap.conf.bak; sudo vim /etc/pam_ldap.conf

There’s going to be some interesting things in this file, but for now,
comment everything out by adding a pound sign (#) to the beginning of
every line that doesn’t have one already. At the bottom (or top -
whichever), you’ll want to enter:
host <ldap server dns name>
base <ldap path to user accounts>
ldap_version 3
binddn <ldap authentication account for queries>
bindpw <ldap authentication account password>
pam_password crypt
pam_login_attribute name

Where….
<ldap server dns name> -> ldapserver.example.com
<ldap path to user accounts> -> ou=Users,dc=ldapserver,dc=example,dc=com
<ldap authentication account for queries> -> cn=ldapdude,ou=Service accounts,dc=ldapserver,dc=example,dc=com
<ldap authentication account password> -> unencrypted password for the
above LDAP query account (it sits in this file in cleartext, so keep the
file readable by root only)
*Note - in other howtos you may see pam_password being used as:
pam_password ad
This isn’t necessary for this scenario; it’s only required if you’re
fully integrating the box into an LDAP/AD.
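Writing the file by hand is easy to get wrong (a "dn=" where a "dc=" belongs, or a world-readable file holding the query account's password). The script below is an added example, not from the original post: it writes the seven settings from step 3 to a file you name, refuses DNs with "dn=" components, locks the file to mode 600, and prints the ldapsearch command (ldap-utils was installed in step 2) that confirms the query account can bind and find the login user before PAM is touched. The hostname, DNs, password and username are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: write the pam_ldap.conf settings
# from step 3 with the permissions they need, after checking the DNs.
# ldapserver.example.com, the DNs, "alice" and the password are placeholders.

# check_dn DN: reject the common slip of writing domain components as "dn="
# instead of "dc=", and anything that is not "attr=value" at all.
check_dn() {
    case "$1" in
        dn=*|*,dn=*) echo "bad DN (domain components are dc=, not dn=): $1" >&2; return 1 ;;
        *=*)         return 0 ;;
        *)           echo "not a DN: $1" >&2; return 1 ;;
    esac
}

# write_pam_ldap_conf OUT HOST BASE BINDDN BINDPW: write the settings the post
# uses. The file holds the query account's cleartext password, so it is
# created under umask 077 and forced to mode 600.
write_pam_ldap_conf() {
    out="$1"; host="$2"; base="$3"; binddn="$4"; bindpw="$5"
    check_dn "$base" && check_dn "$binddn" || return 1
    (
        umask 077
        cat > "$out" <<EOF
host $host
base $base
ldap_version 3
binddn $binddn
bindpw $bindpw
pam_password crypt
pam_login_attribute name
EOF
    )
    chmod 600 "$out"
}

# others_can_read FILE: 0 if the "other" read bit is set (column 8 of ls -l).
others_can_read() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# bind_check_cmd HOST BASE BINDDN LOGIN: print the ldapsearch command that
# proves the query account can bind and find the login user by the "name"
# attribute the post uses. -W prompts for bindpw instead of putting it on the
# command line.
bind_check_cmd() {
    printf 'ldapsearch -x -H ldap://%s -D "%s" -W -b "%s" "(name=%s)" dn name\n' \
        "$1" "$3" "$2" "$4"
}

# Demo on a temporary file; nothing under /etc is modified.
demo=$(mktemp)
write_pam_ldap_conf "$demo" ldapserver.example.com \
    "ou=Users,dc=ldapserver,dc=example,dc=com" \
    "cn=ldapdude,ou=Service accounts,dc=ldapserver,dc=example,dc=com" \
    "placeholder-password"
cat "$demo"
if others_can_read "$demo"; then echo "WARNING: $demo is world-readable"; fi
bind_check_cmd ldapserver.example.com "ou=Users,dc=ldapserver,dc=example,dc=com" \
    "cn=ldapdude,ou=Service accounts,dc=ldapserver,dc=example,dc=com" alice
rm -f "$demo"
```

To use it for real, point the first argument at /etc/pam_ldap.conf (after the backup from step 3) and run the printed ldapsearch command on the box; if that search does not return the user's DN, fix host, base or binddn before moving on to step 4, since PAM will only give you "authentication failure" for any of those mistakes.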

4. Backup and modify /etc/pam.d/common-auth:
# sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bak; sudo vim /etc/pam.d/common-auth

Add this line:
auth sufficient pam_ldap.so debug
Above the one that reads something similar to this:
auth required pam_unix.so
It’s got to be above it because PAM works through the auth lines top-down:
"sufficient" means a successful LDAP authentication ends the stack right
there, while a failure falls through to pam_unix.so. The "debug" flag makes
pam_ldap log what it is doing to syslog, handy while testing.
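The ordering in step 4 is the part people get wrong when editing by hand, so here is an added example (not from the original post) that does the edit on a file path you give it: it backs the file up, inserts the pam_ldap line immediately above the first "auth ... pam_unix.so" line, does nothing on a second run, and has a check that the LDAP line really comes first. The sample common-auth at the bottom is constructed for the demo, not copied from a real system.

```shell
#!/bin/sh
# Added example, not from the original post: put "auth sufficient pam_ldap.so"
# above the pam_unix.so line of a common-auth file and verify the order.
# Pass a copy of /etc/pam.d/common-auth to try it before touching the real one.

# The post adds "debug" at the end of this line; append it while testing and
# take it off once logins work.
LDAP_LINE='auth sufficient pam_ldap.so'

# add_ldap_auth FILE: back FILE up to FILE.bak, then insert LDAP_LINE directly
# above the first "auth ... pam_unix.so" line. Idempotent: if pam_ldap.so is
# already present nothing changes.
add_ldap_auth() {
    f="$1"
    if grep -q 'pam_ldap\.so' "$f"; then
        return 0
    fi
    grep -q '^auth[[:space:]].*pam_unix\.so' "$f" || {
        echo "no 'auth ... pam_unix.so' line in $f" >&2; return 1; }
    cp -p "$f" "$f.bak"
    tmp="$f.tmp.$$"
    awk -v line="$LDAP_LINE" '
        !done && /^auth[ \t].*pam_unix\.so/ { print line; done = 1 }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# ldap_before_unix FILE: 0 only if the first pam_ldap.so line sits above the
# first "auth ... pam_unix.so" line, i.e. the order the post requires.
ldap_before_unix() {
    f="$1"
    l=$(grep -n 'pam_ldap\.so' "$f" | head -n 1 | cut -d: -f1)
    u=$(grep -n '^auth[[:space:]].*pam_unix\.so' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$l" ] && [ -n "$u" ] && [ "$l" -lt "$u" ]
}

# Demo on a constructed sample file; /etc/pam.d is not touched.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample of /etc/pam.d/common-auth, not a real file
auth	required	pam_unix.so nullok_secure
EOF
add_ldap_auth "$sample"
cat "$sample"
if ldap_before_unix "$sample"; then
    echo "order OK: pam_ldap.so is tried before pam_unix.so"
fi
rm -f "$sample" "$sample.bak"
```

One thing to keep in mind with this order: when LDAP rejects a password, pam_unix.so still gets its turn, so the local password from step 1 remains a valid way into the account. That is the reason the post tells you to make it a strong one rather than a throwaway.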

5. Completo: try SSHing into the box from another machine using your LDAP
user account.
