sakcl

Crates.io: sakcl
lib.rs: sakcl
version: 0.2.1
source: src
created_at: 2018-05-31 21:15:12.824558
updated_at: 2020-07-06 21:21:35.868123
description: OpenSSH AuthorizedKeysCmd provider utilizing LDAP
homepage: https://gitlab.com/cardoe/sakcl
repository: https://gitlab.com/cardoe/sakcl.git
max_upload_size
id: 67993
size: 71,520
Doug Goldstein (cardoe)

documentation

https://gitlab.com/cardoe/sakcl

README


SSH AuthorizedKeysCommand using LDAP (sakcl)

sakcl (pronounced 'sackle' like 'handle') is designed to be called by OpenSSH as the AuthorizedKeysCommand. It is simple to install and simple to configure and works with the other defaults of OpenSSH.

Installation

Cargo

cargo install sakcl

Binary Packages

curl -o artifacts.zip https://gitlab.com/cardoe/sakcl/-/jobs/71677129/artifacts/download
unzip artifacts.zip

Configuration

By default the configuration file is located at /etc/sakcl.conf. This can be overridden by providing the -c /path/to/config argument before the username.

The configuration file must look like:

uri = "ldaps://ldap.host.name"
base = "ou=Users,dc=company,dc=com"
# basedn and bindpw are optional parameters
basedn = "dn=serviceacct,ou=Users,dc=company,dc=com"
bindpw = "12345"
scope = "one|subtree|base"
# filter will have any * replaced with the username supplied
# otherwise it is passed directly to the LDAP search
filter = "(&(objectClass=posixAccount)(uid=*))"
attr = "attribute-with-ssh-public-key"

Once this is configured you can test that it works by running:

sakcl your-ldap-uid

You should see your SSH public key printed on stdout. To finish configuring your system, set AuthorizedKeysCommand in sshd_config to point to your sakcl binary and set AuthorizedKeysCommandUser to an unprivileged account name. Lastly, change the ownership of /etc/sakcl.conf to that unprivileged account and set its mode to octal 0400.
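The steps above can be checked after the fact with a small audit function. This is an added example, not part of sakcl or its README; the default sshd_config path and the /usr/local/bin/sakcl location in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit the sakcl deployment described in the README.
# Usage: audit_sakcl [sakcl.conf] [sshd_config]
#   e.g. sshd_config contains (binary path is an assumption):
#     AuthorizedKeysCommand /usr/local/bin/sakcl
#     AuthorizedKeysCommandUser <unprivileged-account>
# Returns 0 only if every check passes.
audit_sakcl() {
    conf=${1:-/etc/sakcl.conf}
    sshd=${2:-/etc/ssh/sshd_config}
    rc=0

    # sshd_config keywords are case-insensitive and the first value wins.
    # Match blocks are not evaluated here; `sshd -T` shows effective values.
    cmd=$(awk 'tolower($1) == "authorizedkeyscommand" { print $2; exit }' "$sshd")
    user=$(awk 'tolower($1) == "authorizedkeyscommanduser" { print $2; exit }' "$sshd")

    case $cmd in
        /*) ;;
        *) echo "FAIL: AuthorizedKeysCommand must be an absolute path (got '$cmd')"; rc=1 ;;
    esac
    if [ -z "$user" ]; then
        echo "FAIL: AuthorizedKeysCommandUser is not set"; rc=1
    elif [ "$user" = root ]; then
        echo "WARN: AuthorizedKeysCommandUser should be an unprivileged account"
    fi

    # Mode and owner of the config file, which may hold the LDAP bind password.
    # GNU stat is tried first, BSD stat as a fallback.
    meta=$(stat -c '%a %U' "$conf" 2>/dev/null || stat -f '%Lp %Su' "$conf" 2>/dev/null)
    mode=${meta%% *}
    owner=${meta#* }
    if [ "$mode" != 400 ]; then
        echo "FAIL: $conf has mode '$mode', expected 400"; rc=1
    fi
    if [ -z "$user" ] || [ "$owner" != "$user" ]; then
        echo "FAIL: $conf is owned by '$owner', expected '$user'"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf is 0400 and owned by $user; sshd runs $cmd as $user"
    return "$rc"
}
```

Run it as root or as the AuthorizedKeysCommandUser account so that stat can read the file's metadata; each failed check prints one FAIL line.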

Commit count: 37

cargo fmt