Recipe Ingredients
- This recipe requires COmanage Registry version 3.3.0 or later.
- Assumes the presence and use of an LDAP server.
Recipe Steps
1. Install Plugins
COmanage Registry supports several types of plugins so that Registry functionality can be customized and extended. Each plugin is one of three types, each of which has its own process for being installed and enabled: Supported Core Plugins, Supported Non-core Plugins, and External Plugins.
Step overview
For this recipe, you will need to install and enable the following plugins. Since both of these plugins are Core plugins, they are likely already available for your use.
Plugins needed for this recipe
NAME | TYPE | PLUGIN CLASS | DESCRIPTION |
---|---|---|---|
SSH Key Authenticator | CORE | Authenticator | Manages SSH Public Keys for CO People in Registry |
LDAP Provisioning | CORE | Provisioning | Provisions Registry data into an LDAP server |
Resources for this step
See the following resources for details to complete this recipe step:
USE GUIDES / OVERVIEWS
- Use Guide: About COmanage Plugins
- Use Guide: About Authenticators
- Use Guide: About Provisioners
TECHNICAL GUIDES
- Tech Guide: Installing and Enabling Registry Plugins
- Tech Reference: SSH Key Authenticator Plugin
- Tech Reference: LDAP Provisioning Plugin
2. Configure Authenticator
All plugins have basic settings that are related to the plugin's Class. In addition, some plugins have plugin-specific settings that configure details particular to that plugin.
Step overview
The SSH Key Authenticator plugin only uses basic settings. Note that SSH Key Authenticators are multi-valued, so each instantiation (configured version) of the plugin can store multiple SSH Keys. Authenticators are set at the CO level.
Authenticator Basic Settings
FIELD | DESCRIPTION |
---|---|
Description | Use a descriptive name that users will see when interacting with the authenticator |
Plugin | Select [ SshKeyAuthenticator ] |
Status | Select [ Active ] |
Plugin-specific Settings: [ SshKeyAuthenticator ]
NONE
Resources for this step
See the following resources for details to complete this recipe step:
USE GUIDES / OVERVIEWS
- Use Guide: About Authenticators
TECHNICAL GUIDES
- Tech Reference: SSH Key Authenticator Plugin
3. Enable Registry to collect SSH Keys
By adding an authenticator via the plugin, you have enabled the collection of public SSH keys on any CO Person record. You may enable users to add their SSH keys to their CO Person record in Registry either 1) via their profile, or 2) via an enrollment flow.
You may also use the Registry API to add SSH keys. Resources for the SshKey API can be found in the [ Recipe Variations and Complements ] section of this document.
3.1 Collect SSH Keys via the user's profile
- Sign into Registry and navigate to the CO (if necessary).
- Open your profile for the CO. Click your name in the upper right corner of the screen to display the user options, then click the "My Profile" button to display the profile.
- Manage the list of Authenticators. Click the [ Authenticators ] link located in the box on the right side of the window to display a list of authenticator types that the user may add. Click the [ Manage ] button next to the authenticator that you have configured to display the authenticators associated with this authenticator configuration. From this list, you may add new keys and [ View ] or [ Delete ] existing ones.
- Add a Public SSH Key. Click the [ Add SSH Key ] link above the table on the right to display a form for adding a new authenticator. On the form that opens, click the [ Choose File ] button to locate your public SSH key on your computer, then click the [ Upload ] button to add the key to the CO Person profile. Registry checks whether the uploaded file appears to be a public SSH key before adding it.
3.2 Collect SSH Keys via an enrollment flow
As of Registry v3.3.0, Authenticators may be collected as part of an Enrollment Flow.
To add SSH key collection to an enrollment flow:
- Navigate to the enrollment flow that should manage SSH Key collection. Click the [ Edit ] button for the enrollment flow to which you would like to add the SSH key collection step.
- Configure the flow to include SSH Key collection. Near the bottom of the enrollment flow configuration form, check the [ Establish Authenticators ] checkbox to display the list of active, configured Authenticators. For each Authenticator, select [ Required ], [ Optional ], or [ Not Permitted ] to reflect your requirements for SSH key upload. Note: Although the image above displays three different SSH Key configurations, most implementations will only use one. SSH Authenticators are multi-valued, so multiple keys may be associated with each configuration.
- Save your enrollment flow.
4. Configure Provisioner
Once public SSH keys are stored within Registry, they may be provisioned via any provisioner plugin that supports SSH keys. The LDAP Provisioner is one of these plugins.
Step overview
Required additions to the LDAP server
The following schemas must be enabled on the LDAP server (if not already):
- posixAccount (RFC 2307)
- ldapPublicKey
Provision the SSH Key(s) to LDAP
COmanage Registry enables you to provision stored public SSH keys to the ldapPublicKey objectClass in LDAP through the LDAP Provisioner plugin:
- Navigate to the Provisioning Targets area using Configuration > Provisioning Targets menu
- Either create or update the configuration of your LDAP Provisioner
- In the [ Attributes ] section of the configuration, scroll to the ldapPublicKey objectClass. Check its checkbox to include the sshPublicKey attribute.
LDAP attribute to configure to store the SSH Key(s)
Attribute | Object Class | Data Model | Multiple Values Exported? |
---|---|---|---|
sshPublicKey | ldapPublicKey | cm_ssh_keys | YES |
Resources for this step
See the following resources for details to complete this recipe step:
USE GUIDES / OVERVIEWS
- Use Guide: About Provisioners
TECHNICAL GUIDES
- Tech Reference: LDAP Provisioning Plugin
OTHER RESOURCES
- ldapPublicKey (enabling OpenSSH in LDAP)
- posixAccount (RFC 2307)
5. Configure your systems to use the stored keys (REFERENCE ONLY)
Warning: The instructions in this section are NOT intended to provide instruction or guidance on system, security, or LDAP configurations. At all times, you should consult your security guidelines and seek the advice of experts to implement a solution that achieves your security and access goals. The resources in this section are designed ONLY to provide links to what might be helpful references.
5.1 Dynamically supply public keys using a command instead of a file
REFERENCE: AuthorizedKeysCommand: https://man.openbsd.org/sshd_config#AuthorizedKeysCommand
The AuthorizedKeysCommand directive in sshd_config names a command that dynamically retrieves public keys rather than reading them from the authorized_keys file. This command may be leveraged to retrieve the user's public key(s) that were stored in LDAP during the previous recipe steps. The command is typically a script.
Tip: The following article provides an excellent background and justification for this approach to dynamically accessing a user's authorized keys: SSH Authentication with AuthorizedKeysCommand (Ryan Canty, Feb 18, 2018).
5.2 Retrieve information from LDAP via the command line
REFERENCE: ldapsearch Command-Line Tool: https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldapsearch.html
The ldapsearch command processes one or more searches against an LDAP directory server. Note that the criteria for the search request can be specified in a number of different ways, some of which may provide additional security or flexibility for your needs.
Tip: There are several published examples of how ldapsearch might be used to retrieve the sshPublicKey value(s) for the current subject, for example, SSH key authentication using LDAP and SSH Public Keys in OpenLDAP.
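The two pieces described in 5.1 and 5.2 put together, as an added example that is not part of the original recipe, of COmanage, or of OpenSSH: a POSIX shell script suitable for use as an AuthorizedKeysCommand, which queries LDAP for the user's entry and prints only its sshPublicKey values. The LDAP URI (ldaps://ldap.example.org), search base (ou=people,dc=example,dc=org), the use of the uid attribute for the login name, and the install path /usr/local/sbin/ldap-authorized-keys are all assumptions. The embedded LDIF is a constructed sample of an entry carrying the ldapPublicKey objectClass and sshPublicKey attribute from step 4, with fake key material, so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the COmanage recipe or the OpenSSH project): a minimal
# AuthorizedKeysCommand script that returns the sshPublicKey values Registry
# provisioned for a user.  Placeholders (assumed, not from the recipe):
#   - LDAP server ldaps://ldap.example.org, people under ou=people,dc=example,dc=org
#   - the user's login name is provisioned to the LDAP "uid" attribute
#
# Matching sshd_config directives (both are real OpenSSH directives; sshd
# refuses AuthorizedKeysCommand unless AuthorizedKeysCommandUser is also set,
# and the script must be root-owned and not group/world-writable):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody

LDAP_URI="${LDAP_URI:-ldaps://ldap.example.org}"
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=org}"

# The username sshd hands us is interpolated into an LDAP filter, so accept
# only a conservative character set; anything else (e.g. ")" or "*") is
# refused rather than passed through to the directory.
valid_username() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Convert LDIF as printed by ldapsearch into one key per line:
#   - unfold continuation lines (a leading space joins to the previous line)
#   - decode base64 values ("sshPublicKey:: ..."), which ldapsearch emits when
#     a value contains characters outside the LDIF-safe set
#   - drop every attribute other than sshPublicKey
ldif_to_keys() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { print "" }
       { printf "%s", $0 }
       END { print "" }' |
  while IFS= read -r line; do
    case "$line" in
      "sshPublicKey:: "*) printf '%s\n' "${line#sshPublicKey:: }" | base64 -d; printf '\n' ;;
      "sshPublicKey: "*)  printf '%s\n' "${line#sshPublicKey: }" ;;
    esac
  done
}

# Query the directory for the user's entry (objectClass ldapPublicKey, as
# provisioned in step 4) and print only the sshPublicKey attribute.
authorized_keys_for() {
  if ! valid_username "$1"; then
    echo "ldap-authorized-keys: refusing invalid username" >&2
    return 1
  fi
  ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" \
    "(&(objectClass=ldapPublicKey)(uid=$1))" sshPublicKey | ldif_to_keys
}

# Constructed sample of what ldapsearch returns for a provisioned entry
# (fake key material; the first value is folded across two lines and the
# second is base64-encoded, as ldapsearch would print them).
sample_ldif() {
  cat <<'EOF'
dn: uid=jdoe,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
uid: jdoe
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENPTlNUUlVDVEVELVNBTVBMRS1OT1Q
 tQS1SRUFMLUtFWQ== jdoe@laptop
sshPublicKey:: c3NoLXJzYSBBQUFBIHRlc3Q=
EOF
}

# When invoked by sshd the username arrives as $1 (the %u token).
if [ -n "${1:-}" ]; then
  authorized_keys_for "$1"
fi
```

Running `sample_ldif | ldif_to_keys` yields the two keys, one per line, which is exactly the format sshd expects from the command. The `-LLL` flag makes ldapsearch print bare LDIF without comments; OpenLDAP's client also accepts `-o ldif-wrap=no` to avoid folded lines, but the unfolding in `ldif_to_keys` handles the default wrapping either way. A production deployment would normally bind with a dedicated read-only account (the `-x` anonymous simple bind here is a placeholder) and keep the search base as narrow as the directory layout allows.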
5.3 Using the ssh-ldap-helper
REFERENCE: ssh-ldap-helper: https://linux.die.net/man/8/ssh-ldap-helper
Instead of directly querying LDAP using ldapsearch, it may be possible to use a helper program supported by OpenSSH to retrieve the keys. Enabling ssh-ldap-helper may allow you to set the AuthorizedKeysCommand to a specific value (/usr/libexec/openssh/ssh-ldap-wrapper) instead of writing a script yourself.
5.4 Storing LDAP configurations
REFERENCE: ssh-ldap.conf: https://linux.die.net/man/5/ssh-ldap.conf | ldap.conf: https://linux.die.net/man/5/ldap.conf
If you use the ssh-ldap-helper, you may also need to specify an LDAP configuration file as described in the reference links above.
Also of interest
Tip: If you want to update your sshd_config to allow password authentication from internal RFC1918 networks, you may also find this thread to be helpful: Only allow password authentication to SSH server from internal network.
Recipe Variations and Complements
SSH Key API
You may explore the _experimental_ SshKey API for managing SSH keys. For additional information, see the following resources:
- SshKey API (Reference Page)
- SshKey Schema (Reference Page)
Managing UNIX Clusters
A common use case for collecting and provisioning SSH Keys is for their use in UNIX clusters by the end user. The following resources provide additional information:
- LDAP Provisioning Plugin (https://spaces.at.internet2.edu/display/COmanage/LDAP+Provisioning+Plugin#LDAPProvisioningPlugin-ManagingUnixClusters) for information on configuring LDAP Provisioning to support UNIX Clusters.
- Unix Cluster Plugin _(Experimental)_ (https://spaces.at.internet2.edu/display/COmanage/Unix+Cluster+Plugin)
- https://voperson.org/[About the voPerson Object Class]