SSH AuthorizedKeysCommand using LDAP (sakcl)

sakcl (pronounced 'sackle' like 'handle') is designed to be called by OpenSSH as the AuthorizedKeysCommand. It is simple to install and simple to configure and works with the other defaults of OpenSSH.

Installation

Cargo

bash cargo install sakcl

Binary Packages

bash wget 'https://gitlab.com/cardoe/sakcl/-/jobs/artifacts/master/download?job=release' unzip artifacts.zip

Configuration

The configuration file by default is located at /etc/sakcl.conf. This can be overwritten by providing the -c /path/to/config argument before the username.

The configuration file must look like:

```toml uri = "ldaps://ldap.host.name" base = "ou=Users,dc=company,dc=com"

basedn and bindpw are optional parameters

basedn = "dn=serviceacct,ou=Users,dc=company,dc=com" basspw = "12345" scope = "one|subtree|base"

filter will have any * replaced with the username supplied

otherwise it is passed directly to the LDAP search

filter = "(&(objectClass=posixAccount)(uid=*))" attr = "attribute-with-ssh-public-key" ```

Once this is configured you can test that it works by running:

bash sakcl your-ldap-uid

And you should see your SSH public key displayed on stdout. To finish configuring your system to use this change the AuthorizedKeysCommand to point to your sakcl binary and change AuthorizedKeysCommandUser to an unpriviledged account name. Lastly change the ownership of /etc/sakcl.conf to the unpriviledged account name and set the mode to octal 0400.