You need to centralized login for your users? And you are managing 1000+ Amazon EC2 instances or servers?
Pros:
You can use multiple public key to be used for your instances.
Define multiple users for admin and their public keys.
Cons:
You need to patch the SSH installed on your AMI to use the setup.
If LDAP server is down, it falls back to default SSH configuration.(not sure if this is CONS).
Using Ubuntu Karmic and OpenSSH Versioin: 5.1p1 you can patch the SSH to validate public keys from LDAP server. LDAP server setup and configuration is beyond the scope of this article. Here’s how to do it on your running Ubuntu Karmic EC2 instance:
$ sudo wget http://archive.ubuntu.com/ubuntu/pool/o/openssh/openssh_5.1p1.orig.tar.gz
$ sudo svn checkout http://openssh-lpk.googlecode.com/svn/trunk/ openssh-lpk-read-only
$ cd openssh-5.1p1/
$ sudo patch < ../openssh-lpk-read-only/patch/contrib/contrib-openssh-lpk-5.1p1-0.3.10.patch
$ sudo patch < ../openssh-lpk-read-only/patch/contrib/contrib-openssh-5.1_p1-lpk-64bit.patch
$ sudo apt-get install build-essential libpam0g-dev
$ ./configure --with-ldap --sysconfdir=/etc/ssh --prefix=/usr --with-pam
$ sudo make
$ su make install
Add ldap schema as describe in this post: SSH Public Keys from LDAP
Configure LDAP Client, by entering the LDAP info upon installation of these packages:
$ sudo apt-get install libnss-ldap libpam-ldap nscd
Another good reference for this is LDAP NSS and here Ubuntu LDAPClientAuthentication
Now on your LDAP server define the users and group:
dn: uid=foo,ou=users,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: posixAccount
objectclass: ldapPublicKey
description: John Doe Account
userPassword: {crypt}0LXhFAsrBWEEQ
cn: John Doe
sn: John Doe
uid: foo
uidNumber: 1034
gidNumber: 1002
homeDirectory: /home/foo
sshPublicKey: ssh-dss AAAAB3...
sshPublicKey: ssh-dss AAAAM5...
dn: cn=unix,ou=groups,dc=example,dc=com
objectclass: top
objectclass: posixGroup
description: Unix group
cn: unix
gidNumber: 1002
memberUid: foo
memberUid: bar
Now configure your /etc/ssh/sshd_config as describe on this doc: OpenSSH-LPK Wiki
UseLPK yes
LpkServers ldap://10.1.7.1 ldap://10.1.7.2
LpkUserDN ou=users,dc=example,dc=com
LpkGroupDN ou=groups,dc=example,dc=com
LpkBindDN cn=Manager,dc=example,dc=com
LpkBindPw somepasswordifneeded
LpkServerGroup somegroupname
#LpkForceTLS yes
LpkSearchTimelimit 3
LpkBindTimelimit 3
I’m not using TLS here so I comment out that entry. You have to replace the values with your LDAP informations.
Restart SSH daemon:
$ sudo /etc/init.d/ssh restart
You should be able to login with the public key from LDAP. If not check your LDAP configurations.
After you can login successfuly, you might also use the pam_mkhomedir to create home directory for the users.
Edit the /etc/pam.d/common-session and add the following:
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
Assuming you have the keypair and uploaded the publick key to LDAP server, you can now execute:
$ ssh foo@<your-ec2-instance>
Your done!