SSH-LDAP-Fetcher is a tool that retrieves public SSH keys from an LDAP tree. It can be used to add public key authentication alongside an existing classical password authentication.
There are already some tools doing this, but the goal of this one is to provide features that do not exist in those tools, such as:
This tool is written in Python.
The syntax is pretty simple and uses command line parameters. This tool is designed to be used with OpenSSH (via the AuthorizedKeysCommand option), but you can also run it standalone for testing purposes (by activating the debug mode).

    usage: ssh-ldap-fetcher [-h] --ldap-uri LDAP_URI --ldap-base LDAP_BASE
                            [--ldap-user-base LDAP_USER_BASE] --ldap-filter LDAP_FILTER
                            [--ldap-scope {base,onelevel,subtree}] --ldap-attr LDAP_ATTR
                            [--use-tls] [--debug] [--syslog]
                            user

    positional arguments:
      user                  Username to fetch from

    optional arguments:
      -h, --help            show this help message and exit
      --ldap-uri LDAP_URI   LDAP server to fetch from
      --ldap-base LDAP_BASE
                            LDAP base dn
      --ldap-user-base LDAP_USER_BASE
                            User base (default: ou=users,<ldap-base>)
      --ldap-filter LDAP_FILTER
                            LDAP search filter (%s replaced with user)
      --ldap-scope {base,onelevel,subtree}
                            LDAP search scope (default: subtree)
      --ldap-attr LDAP_ATTR
                            LDAP attribute containing pub key
      --use-tls             Use TLS for connection
      --debug               Show debugging messages
      --syslog              Log messages to syslog
In the following sshd_config example, the user being authenticated (sshd's '%u' token) is looked up on 'ldap.tld', and the lookups are logged to syslog. Note the doubled '%%s' in the filter: sshd expands '%' tokens in the AuthorizedKeysCommand line itself, so '%%' is needed for the tool to receive a literal '%s'.

    [...]
    AuthorizedKeysCommand /usr/bin/ssh-ldap-fetcher --ldap-uri ldap://ldap.tld --ldap-base dc=tld --ldap-filter "(&(objectClass=person)(uid=%%s))" --ldap-attr sshPublicKey --use-tls --syslog %u
    AuthorizedKeysCommandUser nobody
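Two things an AuthorizedKeysCommand helper like this has to get right before it hands anything to sshd are the substitution of the user name into the '--ldap-filter' template (the name must be escaped per RFC 4515 so it cannot change the meaning of the filter) and the validation of what comes back from the 'sshPublicKey' attribute (sshd should only ever see well-formed key lines). The following is an added example written for this page; it is not ssh-ldap-fetcher's own code. The LDAP query is replaced by a constructed result set so it runs offline, and the function names, the '%s' template convention and the sample values are assumptions of the example.

```python
"""Added example (not part of ssh-ldap-fetcher): filter escaping and key
validation for an AuthorizedKeysCommand-style helper. The LDAP search is
stood in for by SAMPLE_LDAP_VALUES, a constructed result set."""
import base64
import re
import struct

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, user: str) -> str:
    """Replace %s in the filter template with the escaped user name
    (mirrors the tool's '--ldap-filter ... %s replaced with user' interface;
    the escaping step is this example's addition)."""
    return template.replace("%s", escape_filter_value(user))


# One authorized_keys line: key type, base64 blob, optional comment.
_KEY_LINE = re.compile(
    r"^(?P<type>[A-Za-z0-9@.-]+) (?P<blob>[A-Za-z0-9+/]+=*)(?: (?P<comment>\S.*))?$"
)


def parse_authorized_key(line: str):
    """Return (type, comment) if `line` is a well-formed OpenSSH public key
    whose decoded blob really starts with the declared key type, else None."""
    m = _KEY_LINE.match(line.strip())
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group("blob"), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    # Wire format: uint32 length followed by the key type string.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != m.group("type").encode():
        return None
    return m.group("type"), m.group("comment")


def keys_for_sshd(raw_values):
    """Turn LDAP attribute values (bytes or str) into authorized_keys lines,
    dropping anything that does not parse as a single public key."""
    out = []
    for value in raw_values:
        text = value.decode("utf-8", "replace") if isinstance(value, bytes) else value
        for line in text.splitlines():
            if parse_authorized_key(line):
                out.append(line.strip())
    return out


def _sample_key(key_type: str, key_bytes: bytes) -> str:
    """Build a syntactically valid key line for the constructed sample data."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()}"


# Constructed stand-in for what the sshPublicKey attribute might return.
SAMPLE_LDAP_VALUES = [
    (_sample_key("ssh-ed25519", b"\x01" * 32) + " alice@laptop").encode(),  # good
    b"not a key",                                                          # garbage
    _sample_key("ssh-ed25519", b"\x02" * 32).replace("ssh-ed25519", "ssh-rsa", 1).encode(),  # type mismatch
    b"ssh-rsa AAAA",                                                       # truncated blob
]

if __name__ == "__main__":
    # What sshd would read on stdout for the looked-up user.
    print(build_filter("(&(objectClass=person)(uid=%s))", "alice)(uid=*"))
    print("\n".join(keys_for_sshd(SAMPLE_LDAP_VALUES)))
```

Only the first sample value survives `keys_for_sshd`; the others are dropped because they fail the base64 decode, declare a key type that the blob does not contain, or are too short to carry a type at all. The `build_filter` call shows the escaping in action: a user name containing `)(uid=*` becomes `alice\29\28uid=\2a` and matches nothing but itself.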
For now, ssh-ldap-fetcher is available as a Debian package.