Shyrka

Reputation: 359

passwordless ssh authentication using active directory

Our current infrastructure uses ssh keys for passwordless login to our Linux servers. As our infrastructure grows, managing these authorised keys is getting harder.

As we also have an Active Directory (AD) server, I would like to authenticate the users over ssh using this mechanism, but maintain the passwordless nature of ssh keys.

Is it possible to authenticate the users over ssh without password, using some AD mechanism?

Upvotes: 16

Views: 16215

Answers (4)

util658921

Reputation: 1

I use this kind of process: https://signmykey.io/

But sorry, I'm just a user of it; I didn't find to install it in my company. But the documentation seems clear.

Upvotes: 0

B--rian

Reputation: 5880

My approach would be to reduce the problem to an already solved one by:

  1. Using Active Directory to authenticate without password and establishing an HTTPS connection using Kerberos. The DZone tutorial "Configuring Tomcat 7 Single Sign-on with SPNEGO" might be a good starting point for that approach.
  2. Wrapping SSH into the HTTPS protocol; see the section "Wrapping SSH in HTTP(S)" at https://unix.stackexchange.com/questions/190490/how-to-use-ssh-over-http-or-https

Upvotes: 2

Innovative Inventor

Reputation: 162

Option 1

This is a good article explaining how to do this: "Storing SSH keys in Active Directory for easy deployment".

Basically, it will allow people to post their public keys to your Active Directory and then you can set up a cron script on your servers to fetch a copy of the public keys every 5 minutes or so.

Option 2

You could also use a file server that has all your keys and get each server to fetch from there using a cron script. Obviously, you need a way to verify each key's authenticity, especially if you are using FTP or some other insecure protocol. This could be achieved using GPG. You could have a company master GPG key that signs all the employee keys.

Personally, I like option 2 the best because I think it is more secure, but either method should work. Hope this helps!

Upvotes: 4

danny

Reputation: 5270

This is usually done via SSH key certificates in order to keep the password-less nature and at the same time have a central authority that can be trusted to generate new certificates for each account.

LDAP/Active Directory use on login is not advised; apart from having to use passwords, it also becomes a single point of failure for access to any system it manages.

See the Red Hat documentation on how to do this and also Facebook's good write-up on their use of certificate authentication with SSH.

Upvotes: 7
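As an added example of the certificate approach danny describes (this is not code from the answer or from the Red Hat/Facebook write-ups; the CA key path, the principal name "alice" and the 8-hour validity are assumptions):

```shell
#!/bin/sh
# Added example (not from the answer above): a minimal SSH user-certificate
# flow. Paths, the principal "alice" and the 8h validity are assumptions.
set -eu

# Throwaway directory so the script runs stand-alone; in production the CA
# private key never leaves the signing host (or an HSM/secrets vault).
WORK="${WORK:-$(mktemp -d)}"

# 1. The central authority: one CA keypair trusted by all servers.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'ssh-user-ca' -f "$WORK/user_ca"
}

# 2. The user keeps a normal keypair; only the public half is sent to the CA.
make_user_key() {
  ssh-keygen -q -t ed25519 -N '' -C 'alice@example.com' -f "$WORK/alice"
}

# 3. The CA signs the public key with an identity (for logs), the principals
#    the holder may log in as, and a short lifetime. Expiry, not key
#    distribution, is now the main revocation control.
sign_user_key() {
  ssh-keygen -q -s "$WORK/user_ca" -I 'alice-laptop' -n 'alice' -V '+8h' \
    "$WORK/alice.pub"            # writes $WORK/alice-cert.pub
}

# Extract the principals embedded in the certificate, one per line.
cert_principals() {
  ssh-keygen -L -f "$WORK/alice-cert.pub" \
    | sed -n '/Principals:/,/Critical Options:/p' | sed '1d;$d' | tr -d ' '
}

# 4. Server side: every host trusts the CA public key, and a per-account
#    principals file maps the local user to the certificate principals it may
#    present (e.g. an AD username or group name), so authorized_keys files no
#    longer need to be distributed.
sshd_config_fragment() {
  cat <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
}

# Run the whole flow: sh ssh-ca-demo.sh run
if [ "${1:-}" = run ]; then
  make_ca; make_user_key; sign_user_key
  echo "principals: $(cert_principals)"
  sshd_config_fragment
fi
```

Because validity is checked by sshd at login, a compromised or departed user's access lapses when the certificate expires, without touching any server.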
