SSH-LDAP-Fetcher is a tool to retrieve public SSH keys from an LDAP tree. This tool can be used to add public key authentication to an existing classical password authentication.

There are some tools already doing this, but the target of this one is to provide some features that does not exist on this tools such as :

• Fully configurable via command line parameters
• Can log to syslog
• Can use the DNS to discover the domain's LDAP server (TODO)
• Handle expired accounts (TODO)

This tool is written in Python.

The syntax is pretty simple and uses command line parameters. This tool is designed to be used with OpenSSH (via the AuthorizedKeysCommand parameter) but you can use it in standalone for testing purpose (by activating the debug mode).

Syntax

usage: ssh-ldap-fetcher [-h] --ldap-uri LDAP_URI --ldap-base LDAP_BASE
                        [--ldap-user-base LDAP_USER_BASE] --ldap-filter
                        LDAP_FILTER [--ldap-scope {base,onelevel,subtree}]
                        --ldap-attr LDAP_ATTR [--use-tls] [--debug]
                        [--syslog]
                        user
 
positional arguments:
  user                  Username to fetch from
 
optional arguments:
  -h, --help            show this help message and exit
  --ldap-uri LDAP_URI   LDAP server to fetch from
  --ldap-base LDAP_BASE
                        LDAP base dn
  --ldap-user-base LDAP_USER_BASE
                        User base (default: ou=users,<ldap-base>)
  --ldap-filter LDAP_FILTER
                        LDAP search filter (%s replaced with user)
  --ldap-scope {base,onelevel,subtree}
                        LDAP search scope (default: subtree)
  --ldap-attr LDAP_ATTR
                        LDAP attribute containing pub key
  --use-tls             Use TLS for connection
  --debug               Show debugging messages
  --syslog              Log messages to syslog

In the following example, we search in 'ldap.tld' the logged user '%u' and the connections are logged to syslog.

/etc/ssh/sshd_config

[...]
AuthorizedKeysCommand /usr/bin/ssh-ldap-fetcher --ldap-uri ldap://ldap.tld
                                                --ldap-base dc=tld
                                                --ldap-filter "(&(objectClass=person)(uid=%%s))"
                                                --ldap-attr sshPublicKey
                                                --use-tls
                                                --syslog %u
AuthorizedKeysCommandUser nobody

For now, ssh-ldap-fetcher is available as a Debian package.

• ssh-ldap-fetcher_1.0-12-gcb68063_all.deb