SSH Public Keys using LDAP on Amazon EC2

Do you need centralized login for your users? Are you managing 1000+ Amazon EC2 instances or servers?
You can have multiple public keys accepted on your instances:
define multiple admin users and their public keys in one place.

You need to patch the SSH installed on your AMI to use this setup.
If the LDAP server is down, sshd falls back to the default SSH configuration (not sure if this counts as a con).

Using Ubuntu Karmic and OpenSSH version 5.1p1, you can patch SSH to validate public keys against an LDAP server. LDAP server setup and configuration is beyond the scope of this article. Here’s how to do it on your running Ubuntu Karmic EC2 instance:

$ sudo wget
$ sudo svn checkout openssh-lpk-read-only  

$ cd openssh-5.1p1/
$ sudo patch < ../openssh-lpk-read-only/patch/contrib/contrib-openssh-lpk-5.1p1-0.3.10.patch
$ sudo patch < ../openssh-lpk-read-only/patch/contrib/contrib-openssh-5.1_p1-lpk-64bit.patch

$ sudo apt-get install build-essential libpam0g-dev 
$ ./configure --with-ldap --sysconfdir=/etc/ssh --prefix=/usr --with-pam 

$ sudo make 
$ sudo make install 

Add the LDAP schema as described in this post: SSH Public Keys from LDAP

Configure the LDAP client by entering your LDAP details when prompted during installation of these packages:

$ sudo apt-get install libnss-ldap libpam-ldap nscd 

Other good references for this are LDAP NSS and Ubuntu's LDAPClientAuthentication page.
Now, on your LDAP server, define the users and group:

dn: uid=foo,ou=users,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: posixAccount
objectclass: ldapPublicKey
description: John Doe Account
userPassword: {crypt}0LXhFAsrBWEEQ
cn: John Doe
sn: John Doe
uid: foo
uidNumber: 1034
gidNumber: 1002
homeDirectory: /home/foo
sshPublicKey: ssh-dss AAAAB3...
sshPublicKey: ssh-dss AAAAM5...

dn: cn=unix,ou=groups,dc=example,dc=com
objectclass: top
objectclass: posixGroup
description: Unix group
cn: unix
gidNumber: 1002
memberUid: foo
memberUid: bar

Now configure your /etc/ssh/sshd_config as described in this doc: OpenSSH-LPK Wiki

UseLPK yes
LpkServers         ldap:// ldap://
LpkUserDN          ou=users,dc=example,dc=com
LpkGroupDN         ou=groups,dc=example,dc=com
LpkBindDN          cn=Manager,dc=example,dc=com
LpkBindPw          somepasswordifneeded
LpkServerGroup     somegroupname
#LpkForceTLS        yes
LpkSearchTimelimit 3
LpkBindTimelimit   3

I’m not using TLS here, so I commented out that entry. Replace the values with your own LDAP information.
Restart the SSH daemon:
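To see what the patched sshd actually checks before accepting a key, here is an added example (not code from the post or from openssh-lpk) that mirrors the LPK lookup against the LDIF above: the user entry must exist under LpkUserDN with objectclass ldapPublicKey, and the user must be a memberUid of the LpkServerGroup under LpkGroupDN. The LDIF is a constructed sample based on the post's entries, with placeholder key blobs.

```python
from collections import defaultdict

# Constructed sample directory content based on the LDIF in the post;
# the key blobs are placeholders, not real keys.
SAMPLE_LDIF = """\
dn: uid=foo,ou=users,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: posixAccount
objectclass: ldapPublicKey
cn: John Doe
sn: John Doe
uid: foo
uidNumber: 1034
gidNumber: 1002
homeDirectory: /home/foo
sshPublicKey: ssh-dss AAAAB3_PLACEHOLDER_KEY_1
sshPublicKey: ssh-dss AAAAM5_PLACEHOLDER_KEY_2

dn: cn=unix,ou=groups,dc=example,dc=com
objectclass: top
objectclass: posixGroup
cn: unix
gidNumber: 1002
memberUid: foo
memberUid: bar
"""

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}}; records are separated by a blank line."""
    entries = {}
    for record in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in record.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def lookup_keys(entries, user, server_group,
                user_base="ou=users,dc=example,dc=com",      # LpkUserDN
                group_base="ou=groups,dc=example,dc=com"):   # LpkGroupDN
    """Keys sshd would accept for `user`, or [] if either LPK check fails."""
    # Check 1: the account exists under LpkUserDN and carries the ldapPublicKey class.
    account = entries.get(f"uid={user},{user_base}")
    if not account or "ldappublickey" not in [o.lower() for o in account["objectclass"]]:
        return []
    # Check 2: the user is a memberUid of the LpkServerGroup under LpkGroupDN.
    group = entries.get(f"cn={server_group},{group_base}")
    if not group or user not in group["memberuid"]:
        return []
    return account["sshpublickey"]
```

Note that "bar" is listed in the group but has no account entry, so no key is returned for it; the group filter alone is not enough.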

$ sudo /etc/init.d/ssh restart

You should now be able to log in with the public key stored in LDAP. If not, check your LDAP configuration.

Once you can log in successfully, you might also use pam_mkhomedir to create home directories for the users.
Edit /etc/pam.d/common-session and add the following:

session required
session required skel=/etc/skel/
session optional

Assuming you have the keypair and have uploaded the public key to the LDAP server, you can now run:

$ ssh foo@<your-ec2-instance> 

You’re done!

2 thoughts on “SSH Public Keys using LDAP on Amazon EC2”

  1. csg

    Thanks for your post. This might be a bit off-topic, but I’d appreciate your help. Just wondering how to have an LDAP server in the cloud (Amazon or any other). I did not get any satisfying result looking for deploying an LDAP server in the cloud.
    Thanks for your time.
