GitHub - paul-mcm/getpk-tools: Get users' public keys stored in an LDAP directory for public key authentication with sshd (or other programs)

paul-mcm / getpk-tools Public
Notifications You must be signed in to change notification settings
Fork 0
Star 2
Get users' public keys stored in an LDAP directory for public key authentication with sshd (or other programs)
Notifications
Name		Name	Last commit message	Last commit date
Latest commit History 30 Commits
src		src
.gitignore		.gitignore
LICENSE.md		LICENSE.md
README		README
sshPublicKey.schema		sshPublicKey.schema
Repository files navigation

CONTENTS
==========
I.	INTRO
II.	IMPLEMENTATION DETAILS
III.	REQUIREMENTS
IV.	INSTALLATION & CONFIGURATION
V.	SSHD CONFIGURATION
VI.	LDAP CONFIGURATION
VII.	THE sshPublicKey OBJECT CLASS
VIII.	OS SPECIFIC NOTES

I. INTRO
---------

Using the AuthorizedKeysCommand configuration keyword, sshd can be
configured to requests users' public keys from external programs run
on the local host for public-key authentication (see sshd_config(5)).

The getpk tools, getpk(8) and getpkd(8), are a pair of small
client/server utilities that run on the local host to serve requests
from sshd(8) (or other programs) for public keys stored in an LDAP
directory entry.

The primary design requirement was to maintain state information on
the LDAP servers' availability, obviating any dependencies on layer-3
proxies (e.g. VIPs) between clients running sshd(8) and clusters of
redundant of LDAP servers.

Similarly to other common authentication management tools (nslcd,
saslauthd, sssd) the getpkd(8) daemon can be configured with a list of
LDAP servers, and it provides failover and failback functionality as
their availability status changes.

The getpk tools have been tested successfully on OpenBSD 6.0 and 6.1,
FreeBSD 11.0, Debian Linux 8.7, and Centos 7.3.  See section VIII 'OS
SPECIFIC NOTES' for OS specific idiosyncrasies. 


II. IMPLEMENTATION DETAILS
----------------------------

getpkd(8) is a server daemon that listens on the local, unix domain
socket at /tmp/getpkd/getpkd.sock.  A client request consists of a
single username.  A server reply consists of one or more lines of
'authorized keys' output retrieved from the LDAP directory entry for
the given username.

For public key authentication using sshd(8), public keys in the LDAP
entry must be stored in the authorized_keys format as described in the
section AUTHORIZED_KEYS in the sshd(8) manpage.

The client program, getpk(8), is a simple command-line tool that can
be used by programs that can't communicate directly with the getpkd(8)
daemon.  It takes a username as its only argument and initiates a
client request to getpkd(8).  It writes the server's reply
unmodified to STDOUT.

The following diagram shows the data flow between sshd(8), the getpk
tools and a host running OpenLDAP's slapd server daemon.  

 ---------------------------------------------------
|                 CLIENT HOST                       | 
|                                                   |       ---------------
|  ------           -------           --------      |      |  LDAP server  |
| | sshd | <-----> | getpk | <-----> |        |     |      |               |
|  ------           -------          |        |     |      |     -------   |
|                   -------          | getpkd | <---|------|--> | slapd |  | 
|                  |  foo  | <-----> |        |     |      |     -------   |
|                   -------          |        |     |       ---------------
|                                     --------      |
|                                                   |
 ---------------------------------------------------

Both getpk(8) and getpkd(8) run on the same host as the sshd server.  In
this example, sshd(8) executes getpk(8) with the username to
authenticate as the only arg.  getpk(8) initiates a request to getpkd(8)
which fetches the public key for that user from the LDAP server.
Results of the query are passed back to getpk(8) unmodified which in
turn passes them back to sshd(8). 

The program `foo' is an example of an application written to talk
directly to getpkd(8).

The primary purpose of the server daemon, getpkd(8), is to obviate any
need for layer-3 proxies (e.g., VIPs) between the client and the LDAP
servers.  getpkd(8) maintains state information about the availability
of the LDAP servers it has been configured to query and ensures
redundancy through failover/failback mechanisms when the status of
servers' availability changes.

getpkd(8) expects public keys to be a value assigned to the `authkey'
attribute in the user's LDAP directory entry.  The getpk tools include
an LDAP schema that defines the sshPublicKey object class with the
authkey attribute.

See the section VI 'LDAP CONFIGURATION' for installing the schema on
OpenLDAP's slapd server.  See section VII 'THE sshPublicKey OBJECT
CLASS' for additional details.

III. REQUIREMENTS
-----------------

1.   The getpkd(8) daemon requires libldap and related libraries from the
     OpenLDAP project (http://www.openldap.org).  Your system most likely
     has a package that installs these libraries.

     For Debian 8.7, if TLS functionality is desired then the OpenLDAP 
     libraries cannot be linked to the GnuTLS library.  See section VIII 
     'OS SPECIFIC NOTES'.

2.   To compile the getpkd tools, gcc and GNU make are required.  Also,
     the header file `ldap.h' must exist.  Depending on your target system,
     this may require installing an openldap development package.

3.   getpkd(8) runs as the unprivileged user `getpk'.  It is therefore
     necessary to create a user and group with this name on your target
     system before installation.

     For security reasons, the getpk user's shell should be set to
     /sbin/nologin and the home directory to /var/empty (or whatever
     equivalents exist on your system for unprivileged user accounts).

4.   Public keys in the LDAP directory must be assigned to the
     `authkey' attribute.  Use the included sshPublicKey.schema or write a
     schema definition that defines an object class with this attribute
     name.  See the section VI 'LDAP CONFIGURATION'.

5.   sshd(8) requires owner and group settings of root:root (or
     root:wheel) on the directory where getpk(8) is installed.  See section
     VIII 'OS SPECIFIC NOTES' for how this requirement affects installation
     on Debian systems. 


IV. INSTALLATION & CONFIGURATION
----------------------------------

The getpk tools have been successfully compiled on OpenBSD 6.0 and
6.1, FreeBSD 11, Debian Linux 8.7 and Centos 7.3.

If your system's linker is unable to find the libraries modify the
`libs' variable in the Makefile to point to the location where the
ldap libraries are installed.

After satisfying the requirements defined in section II, change to the
src/ directory and run

    make all
     
and as a privileged user 

    make install

(on BSDs, use gmake);

If all goes well, the result will be 2 new binaries.  On Centos/BSDs
these are:

    /usr/local/sbin/getpk	
    /usr/local/sbin/getpkd

on Debian:
    /opt/getpktools/getpk
    /opt/getpktools/getpkd

(Section VIII of this document describes the rationale for the install
location on Debian systems.) 

A config file is automatically installed as:
    /etc/getpkd.conf

These manpages are placed under /usr/local/
    getpk(8)
    getpkd(8)
    getpkd.conf(5)

See the getpkd.conf(5) man page for details on configuring getpkd(8). 


V. SSHD CONFIGURATION
-----------------------

sshd(8) must be configured to use getpk(8) to obtain public keys (see
sshd_config(5)).

For BSDs/RHEL systems, add these settings to sshd_config:

     AuthorizedKeysCommand	/usr/local/sbin/getpk
     AuthorizedKeysCommandUser	getpk

On Debian, the value for AuthorizedKeysCommand should be set to
/opt/getpktools/getpk.

Also, confirm that sshd(8) is configured to use public key
authentication (it's turned on by default) and then restart sshd(8). 


VI. LDAP CONFIGURATION
----------------------
getpkd(8) searches the LDAP directory for a DN with the uid attribute
that matches the username being queried.  This typically requires LDAP
entries to use either the posixAccount or inetOrgPerson object class. 

Public keys are expected to be a value assigned to the authkey
attribute in a user's LDAP entry.  The file sshPublicKey.schema
defines the sshPublicKey object class with the authkey attribute.  The
authkey attribute may hold multiple keys. 

The format of the key should conform to the authorized_keys format as
described in the manpage for sshd(8). 

To use the sshPublicKey object class with OpenLDAP's slapd server,
copy the file sshPublicKey.schema to OpenLDAP's schema directory and
configure slapd to include the new object class (see slapd.conf(5)). 

See the next section for more information on the sshPublicKey object
class. 

VII. THE sshPublicKey OBJECT CLASS
--------------------------------

The sshPublicKey object class provided with getpk tools defines 4 attributes:

authkey         - a value conforming to the authorized_keys format as described
                  in the manpage for sshd(8)
fingerprint 	- fingerprint of the key
keytype         - e.g., `ecdsa-sha2-nistp256', `ecdsa-sha2-nistp384',
                 `ecdsa-sha2-nistp521', `ssh-ed25519', `ssh-dss' or `ssh-rsa'
keylen		- number of bits in the key

All attributes may contain multiple values.  Note however that there is
no inherent way for an LDAP operation to associate multiple values of
one attribute to values in another attribute - e.g., if the authkey
attribute contains 2 keys, and the fingerprint attribute contains 2
different values, there is no way for an LDAP search operation to map
the keys to their corresponding fingerprints.  The program initiating
the request must determine those associations based on the results of
the LDAP search operation (if possible).

At this time, getpkd(8) only queries the LDAP server for the authkey
attribute's values.  It is the only value required for OpenSSH public
key authentication.

VIII. OS SPECIFIC NOTES
-------------------------
OpenBSD
-------
The getpk tools use pledge(2) to restrict their operations.
Therefore, they will not compile on OpenBSD releases prior to 5.9. 

FreeBSD
--------
(none)

CentOS
-------
(none)

Debian Linux
-------------
1.   sshd(8) requires that the program specified by the 
     'AuthorizedKeysCommand' be in a directory owned by root with a group
      owner id of `0' (typically 'root' or 'wheel').

     Debian Linux sets group ownership of /usr/local/sbin to 'staff' 
     (gid 50), therefore, in order to install the getpk tool into a 
     working location on these systems, the Makefile creates the directory
     /opt/getpktools with the requisite permissions and installs the
     binaries there.  The binaries may be moved to any other location in
     the filesystem that meets sshd(8)'s requirements for owner/group
     settings.

2.   The OpenLDAP libraries packaged for Debian are linked with the GnuTLS 
     library for TLS operations.  The version of this library installed 
     on Debian 8.7 (and earlier verions?) has initialization functions 
     that break some security features and cause getpkd to fail when 
     configured to use TLS.

     To use TLS with getpkd, rebuild the LDAP libraries, configuring support
     for TLS using some other library (libssl has been tested successfully).
     By default, the Makefile expects to find the LDAP libraries in 
     /usr/local/lib