ubuntu20.04 + OpenLdap: building an enterprise ops account management system (part 2)

两岁时就很帅  2022-01-31  19 views
Ops

Adding ldapPublicKey

The default OpenLDAP schema has no ldapPublicKey object class, so users cannot authenticate with SSH keys. We now add the ldapPublicKey schema.

cat openssh-lpk.ldif  # the schema file to add

# LDAP SSH Public Key schema
# Source: https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap
# Homepage: https://github.com/AndriiGrytsenko/openssh-ldap-publickey
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
    DESC 'MANDATORY: OpenSSH Public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey'
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    SUP top AUXILIARY
    MAY ( sshPublicKey $ uid )
    )

# import the schema
root@client:~# ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-lpk.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=openssh-lpk,cn=schema,cn=config"

Testing a user login with sshPublicKey

Edit the user john that we created earlier:

Select objectClass ---> add value and choose ldapPublicKey

Select Add new attribute:

Select sshPublicKey:

Add the user's SSH public key:

Finally, don't forget to click Update Object:

# run on the client 192.168.11.212 (that is, the server we want to log in to)
apt-get install ldap-utils  # install the LDAP utilities
apt-get install libnss-ldap

vim /etc/ldap.conf
base dc=ldap,dc=com
uri ldap://192.168.11.116/
binddn cn=admin,dc=ldap,dc=com
bindpw 123456
rootbinddn cn=admin,dc=ldap,dc=com

vim /etc/nsswitch.conf
change it to:
passwd:         files systemd ldap
group:          files systemd ldap
shadow:         files ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

vim /etc/pam.d/common-session
session required    pam_mkhomedir.so skel=/etc/skel umask=0022


# add the following script
vim /usr/bin/sshPublicKey
#!/bin/sh
# look up the sshPublicKey values of the given uid and join LDIF continuation lines back onto one line
ldapsearch -H ldap://192.168.11.116:389 -b dc=ldap,dc=com -x -D cn=admin,dc=ldap,dc=com -w 123456 '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

chmod +x /usr/bin/sshPublicKey  # make the script executable

# edit the sshd configuration
vim /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sshPublicKey   # the lookup script we set up above
AuthorizedKeysCommandUser nobody

# restart the ssh service
service ssh restart
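The post's script binds as cn=admin with the password written into a script that runs as nobody, and splices the login name straight into the LDAP filter. As an added example (not the post's script), the version below validates the name, escapes RFC 4515 filter metacharacters, takes a read-only bind password from a file, and unfolds the LDIF with awk; the bind DN cn=sshkeys,dc=ldap,dc=com and /etc/ssh/ldap-bind.secret are assumed placeholders for this tutorial's tree.

```shell
#!/bin/sh
# Added hardened AuthorizedKeysCommand (not the post's script). Assumed:
# a read-only bind DN cn=sshkeys,dc=ldap,dc=com whose password sits in
# /etc/ssh/ldap-bind.secret (mode 0640, root:nobody), so nothing secret
# lives in this world-readable script or on the ldapsearch command line.
set -eu

LDAP_URI="ldap://192.168.11.116:389"
BASE_DN="dc=ldap,dc=com"
BIND_DN="cn=sshkeys,dc=ldap,dc=com"      # assumed read-only account, not cn=admin
SECRET_FILE="/etc/ssh/ldap-bind.secret"  # assumed; write it without a trailing newline, -y uses the whole file

# Accept only names shaped like POSIX user names before they go near a filter.
valid_user() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Escape the characters RFC 4515 reserves in a filter value; backslash goes
# first so the escapes just produced are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Unfold LDIF (continuation lines start with a space) and print one
# sshPublicKey value per line. A base64 "sshPublicKey::" line would mean a
# non-printable value and is deliberately ignored.
ldif_keys() {
    awk '
        /^ /              { if (inkey) val = val substr($0, 2); next }
                          { if (inkey) print val; inkey = 0 }
        /^sshPublicKey: / { val = substr($0, 15); inkey = 1 }
        END               { if (inkey) print val }
    '
}

main() {
    valid_user "$1" || exit 1   # odd name: exit non-zero so sshd gets no keys from us
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$SECRET_FILE" -b "$BASE_DN" \
        "(&(objectClass=posixAccount)(uid=$(ldap_escape "$1")))" sshPublicKey | ldif_keys
}

# With no tokens in AuthorizedKeysCommand, sshd passes the login name as $1.
if [ $# -eq 1 ]; then
    main "$1"
fi
```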

Logging in with the sshPublicKey succeeds:

$ ssh john@192.168.11.212
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-81-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 31 Aug 2021 10:16:44 AM UTC

  System load:  0.0                Processes:                128
  Usage of /:   50.2% of 19.56GB   Users logged in:          1
  Memory usage: 31%                IPv4 address for docker0: 172.17.0.1
  Swap usage:   0%                 IPv4 address for enp0s3:  192.168.11.212

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

96 updates can be installed immediately.
1 of these updates is a security update.
To see these additional updates run: apt list --upgradable


Last login: Tue Aug 31 10:07:28 2021 from 192.168.11.233
john@client2:~$

Granting the user sudo rights

On the LDAP server:
1. export SUDO_FORCE_REMOVE=yes
2. apt-get install sudo-ldap  # answer Y
3. export SUDO_FORCE_REMOVE=no
4. mkdir ~/sudoWork
5. cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema
6. echo "include /etc/ldap/schema/sudo.schema" > ~/sudoWork/sudoSchema.conf
7. slapcat -f ~/sudoWork/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudoWork/cn\=sudo.ldif
8. vim ~/sudoWork/cn\=sudo.ldif  # edit this file: change the top of the file to:
     dn: cn=sudo,cn=schema,cn=config
     objectClass: olcSchemaConfig
     cn: sudo
     and delete the following lines:
      structuralObjectClass: olcSchemaConfig
      entryUUID: 871b4d2e-a3cb-103b-8575-43555532eaee
      creatorsName: cn=config
      createTimestamp: 20210907020324Z
      entryCSN: 20210907020324.132563Z#000000#000#000000
      modifiersName: cn=config
      modifyTimestamp: 20210907020324Z
9. ldapadd -Y EXTERNAL -H ldapi:/// -f ~/sudoWork/cn\=sudo.ldif  # import the schema
10. echo "index    sudoUser    eq" >> /etc/ldap/ldap.conf
11. /etc/init.d/slapd restart
12. vim ~/sudoWork/sudoMaster.ldif
      # add the following:
       dn: ou=SUDOers,dc=ldap,dc=com
       objectClass: top
       objectClass: organizationalUnit
       ou: SUDOers
       serviceSearchDescriptor: sudoers: ou=sudoers,dc=ldap,dc=com
13. SUDOERS_BASE=ou=SUDOers,dc=ldap,dc=com  # declare the variable explicitly
14. export SUDOERS_BASE  # make the variable take effect
15. wget https://raw.githubusercontent.com/lbt/sudo/master/plugins/sudoers/sudoers2ldif  # download the sudoers2ldif script
16. perl sudoers2ldif /etc/sudoers >> ~/sudoWork/sudoMaster.ldif  # convert the system sudoers file into LDAP sudoers entries; this run reports errors,
      and two edits are needed:
       serviceSearchDescriptor: sudoers: ou=sudoers,dc=ldap,dc=com  # comment out this line
       dn: cn=defaults,ou=SUDOers,dc=ldap,dc=com  # add a blank line above this line
      then run again: perl sudoers2ldif /etc/sudoers >> ~/sudoWork/sudoMaster.ldif

On the client:
1. export SUDO_FORCE_REMOVE=yes
2. apt-get install sudo-ldap  # answer Y
3. export SUDO_FORCE_REMOVE=no
4. echo "sudoers_base ou=SUDOers,dc=ldap,dc=com" >> /etc/ldap.conf
5. ln -s /etc/ldap.conf /etc/sudo-ldap.conf  # create a symlink

At this point we can see that the system's sudoers entries have been added to LDAP.

Edit the parameters of the root role:

Explanation: sudoUser lists the users allowed to sudo to the root account; john here is the account we added earlier.

Let's test:

john@client2:~$ sudo su -
root@client2:~#                # we have successfully become root via sudo
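Adding john to the root role gives him every right that role carries. As an added example (not from the post), the script below builds a narrower sudoRole for john and audits the SUDOers subtree for roles whose sudoCommand is ALL; the role name and command list are constructed, while the OU, URI and admin DN are the ones used in this tutorial.

```shell
#!/bin/sh
# Added example (not from the post): emit a least-privilege sudoRole for john and
# audit the SUDOers subtree for roles that grant ALL. The OU, URI and admin DN are
# the tutorial's; the role name and command list are constructed.
set -eu

LDAP_URI="ldap://192.168.11.116:389"
SUDOERS_BASE="ou=SUDOers,dc=ldap,dc=com"

# sudo_role_ldif <cn> <user> <host> <runas> <command>...  -> sudoRole entry on stdout
sudo_role_ldif() {
    _cn=$1; _user=$2; _host=$3; _runas=$4
    shift 4
    printf 'dn: cn=%s,%s\nobjectClass: top\nobjectClass: sudoRole\n' "$_cn" "$SUDOERS_BASE"
    printf 'cn: %s\nsudoUser: %s\nsudoHost: %s\nsudoRunAsUser: %s\n' "$_cn" "$_user" "$_host" "$_runas"
    for _cmd in "$@"; do
        printf 'sudoCommand: %s\n' "$_cmd"
    done
    printf 'sudoOrder: 10\n'
}

# audit_sudo_roles: read LDIF (e.g. ldapsearch -LLL output) on stdin and print one line
# per role whose sudoCommand is ALL, noting whether it also disables the password prompt.
audit_sudo_roles() {
    awk 'BEGIN { RS = ""; FS = "\n" }          # one blank-line-separated entry per record
    {
        cn = ""; all = 0; nopw = 0; users = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^cn: /)                      cn = substr($i, 5)
            if ($i == "sudoCommand: ALL")          all = 1
            if ($i == "sudoOption: !authenticate") nopw = 1
            if ($i ~ /^sudoUser: /)                users = users " " substr($i, 11)
        }
        if (cn != "" && all)
            printf "%s: ALL for%s%s\n", cn, users, (nopw ? " (no password)" : "")
    }'
}

if [ $# -ge 5 ]; then
    # Load the role (prompts for the admin password), then re-read the subtree and report.
    sudo_role_ldif "$@" | ldapadd -x -H "$LDAP_URI" -D cn=admin,dc=ldap,dc=com -W
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$SUDOERS_BASE" '(objectClass=sudoRole)' | audit_sudo_roles
fi
```

Run it as `./sudo-role.sh ops-restart john client2 root /usr/sbin/service` to load the role and print the audit; audit_sudo_roles also works on any saved ldapsearch -LLL dump of the subtree.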