Do you need centralized login for your users while managing 1000+ Amazon EC2 instances or servers?
Pros:
You can use multiple public keys for your instances.
You can define multiple admin users and their public keys.
Cons:
You need to patch the OpenSSH installed on your AMI to use this setup.
If the LDAP server is down, it falls back to the default SSH configuration (not sure if this is a con).
Using Ubuntu Karmic and OpenSSH version 5.1p1, you can patch SSH to validate public keys from an LDAP server. LDAP server setup and configuration is beyond the scope of this article. Here’s how to do it on your running Ubuntu Karmic EC2 instance:
$ sudo wget http://archive.ubuntu.com/ubuntu/pool/o/openssh/openssh_5.1p1.orig.tar.gz
# unpack the source before entering the tree
$ sudo tar xzf openssh_5.1p1.orig.tar.gz
$ sudo svn checkout http://openssh-lpk.googlecode.com/svn/trunk/ openssh-lpk-read-only
$ cd openssh-5.1p1/
$ sudo patch < ../openssh-lpk-read-only/patch/contrib/contrib-openssh-lpk-5.1p1-0.3.10.patch
$ sudo patch < ../openssh-lpk-read-only/patch/contrib/contrib-openssh-5.1_p1-lpk-64bit.patch
$ sudo apt-get install build-essential libpam0g-dev
$ ./configure --with-ldap --sysconfdir=/etc/ssh --prefix=/usr --with-pam
$ sudo make
$ sudo make install
Add the LDAP schema as described in this post: SSH Public Keys from LDAP
Configure the LDAP client by entering your LDAP details when prompted during installation of these packages:
$ sudo apt-get install libnss-ldap libpam-ldap nscd
Other good references for this are LDAP NSS and the Ubuntu LDAPClientAuthentication guide.
Now on your LDAP server define the users and group:
dn: uid=foo,ou=users,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: posixAccount
objectclass: ldapPublicKey
description: John Doe Account
userPassword: {crypt}0LXhFAsrBWEEQ
cn: John Doe
sn: John Doe
uid: foo
uidNumber: 1034
gidNumber: 1002
homeDirectory: /home/foo
sshPublicKey: ssh-dss AAAAB3...
sshPublicKey: ssh-dss AAAAM5...

dn: cn=unix,ou=groups,dc=example,dc=com
objectclass: top
objectclass: posixGroup
description: Unix group
cn: unix
gidNumber: 1002
memberUid: foo
memberUid: bar
Now configure your /etc/ssh/sshd_config as described in this doc: OpenSSH-LPK Wiki
UseLPK yes
LpkServers ldap://10.1.7.1 ldap://10.1.7.2
LpkUserDN ou=users,dc=example,dc=com
LpkGroupDN ou=groups,dc=example,dc=com
LpkBindDN cn=Manager,dc=example,dc=com
LpkBindPw somepasswordifneeded
LpkServerGroup somegroupname
#LpkForceTLS yes
LpkSearchTimelimit 3
LpkBindTimelimit 3
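I’m not using TLS here, so I commented out that entry. Without TLS, the bind password and the key lookups cross the network to the LDAP server in cleartext. You have to replace the values with your own LDAP information.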
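A small audit of the LPK directives above, as an added example that is not part of the original article or of the openssh-lpk project. It assumes an absent or commented-out LpkForceTLS means TLS is not enforced and treats cn=Manager as the conventional OpenLDAP admin name; SAMPLE is constructed from the article's config.

```python
# Added example: audit the LPK directives for cleartext and over-privileged
# settings. SAMPLE is constructed from the article's sshd_config fragment.
SAMPLE = """\
UseLPK yes
LpkServers ldap://10.1.7.1 ldap://10.1.7.2
LpkBindDN cn=Manager,dc=example,dc=com
LpkBindPw somepasswordifneeded
#LpkForceTLS yes
"""

def parse_sshd_config(text):
    """Return {lowercased keyword: value}; sshd uses the first occurrence."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no setting
        parts = line.split(None, 1)
        opts.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit_lpk(text):
    """Return a list of (check_id, message) findings for an sshd_config."""
    opts = parse_sshd_config(text)
    findings = []
    if opts.get("uselpk", "no").lower() != "yes":
        return findings  # LPK lookups are not enabled, nothing to audit
    servers = opts.get("lpkservers", "").split()
    plain = [s for s in servers if s.lower().startswith("ldap://")]
    # Assumption: LpkForceTLS that is absent or commented out is not enforced.
    tls_forced = opts.get("lpkforcetls", "no").lower() == "yes"
    if plain and not tls_forced:
        findings.append(("cleartext-ldap",
                         "TLS is not enforced for: " + " ".join(plain)))
    if "lpkbindpw" in opts:
        findings.append(("bindpw-in-config",
                         "bind password is in sshd_config; restrict the file to root (0600)"))
        # Heuristic: cn=Manager is the conventional OpenLDAP admin (rootdn) name.
        if opts.get("lpkbinddn", "").lower().startswith("cn=manager,"):
            findings.append(("admin-bind-dn",
                             "bind DN looks like the directory admin; lookups only need read access"))
    return findings

if __name__ == "__main__":
    for check_id, message in audit_lpk(SAMPLE):
        print(f"[{check_id}] {message}")
```
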
Restart SSH daemon:
$ sudo /etc/init.d/ssh restart
You should be able to log in with the public key from LDAP. If not, check your LDAP configuration.
After you can log in successfully, you might also use pam_mkhomedir to create home directories for the users.
Edit /etc/pam.d/common-session and add the following:
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
Assuming you have the key pair and have uploaded the public key to the LDAP server, you can now execute:
$ ssh foo@<your-ec2-instance>
You're done!
Thanks for your post. This might be a bit off-topic, but I’ll appreciate your help. Just wondering how to have an LDAP server in the cloud (Amazon or any other). I did not get any satisfying result looking for deploying an LDAP server in the cloud.
Thanks for your time.
Hi Carlos,
There’s nothing special with installing LDAP with EC2.
I suggest you start with OpenLDAP http://www.openldap.org/doc/admin/ and https://help.ubuntu.com/10.04/serverguide/openldap-server.html
OpenLDAP also has forums where we can post our LDAP-specific questions.