Linux SSH authentication against Active Directory without joining the domain

Prerequisites

Your Active Directory:

  • Firewall rules allowing port 389 (LDAP) and 636 (LDAPS) from the Linux client
  • A read-only user who has permission to read the LDAP data within the search base
  • An exported certificate from Active Directory Certificate Services

Your Linux client:
SSSD is used to connect to the Active Directory server and query user information for authentication. Run the following commands to install the required packages.

$ sudo apt-get update
$ sudo apt-get install sssd sssd-tools sssd-ldap python-sss

Configuration

SSSD config

Create a new config file for SSSD at /etc/sssd/sssd.conf with the following content

/etc/sssd/sssd.conf
[domain/default]
id_provider = ldap
cache_credentials = True
ldap_uri = ldaps://172.17.30.69
ldap_search_base = DC=ndk,DC=name
ldap_schema = AD
ldap_default_bind_dn = CN=ADReader,CN=Users,DC=ndk,DC=name
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAQAFHxZmkH+pe7LsRM7627ECs8l0+70v5sFjaMJnEIb8iDcesy73s6+guDhsm433awOj8y0oanH8OkxRUv/pmQICkAAQID
ldap_tls_cacert = /etc/pki/tls/ad_cert.pem
ldap_tls_reqcert = allow
ldap_id_mapping = True
ldap_referrals = false
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True
enumerate = False
fallback_homedir = /home/%u
default_shell = /bin/bash

[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = default
full_name_format = %1$s
debug_level = 3

[nss]
filter_users = nobody,root,postfix,apache,nginx
filter_groups = nobody,root,postfix,apache,nginx

[pam]
offline_credentials_expiration = 14

Where:

  • ldap_uri is your Active Directory server
  • ldap_search_base is the AD scope in which SSSD will look for users
  • ldap_default_bind_dn is the user that has read-only permission
  • ldap_default_authtok is the obfuscated password of that read-only user
  • ldap_tls_cacert is the path to your Active Directory CA certificate, in PEM format
  • ldap_user_ssh_public_key is the AD user attribute in which SSSD looks for the SSH public key
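The config above sets ldap_tls_reqcert = allow, which lets SSSD proceed with the bind even when the AD certificate cannot be verified against ldap_tls_cacert. As an added example (not from the original post), this Python linter parses an sssd.conf in the same layout and flags that and similar weak settings; the hostname, DN and token in the sample are constructed placeholders.

```python
import configparser

# Constructed sample modelled on the page's sssd.conf (placeholder host, DN, token).
SAMPLE_CONF = """\
[domain/default]
id_provider = ldap
ldap_uri = ldaps://ad.example.invalid
ldap_search_base = DC=example,DC=invalid
ldap_default_bind_dn = CN=ADReader,CN=Users,DC=example,DC=invalid
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = PLACEHOLDER_OBFUSCATED_TOKEN
ldap_tls_cacert = /etc/pki/tls/ad_cert.pem
ldap_tls_reqcert = allow
enumerate = False

[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = default
full_name_format = %1$s
"""


def lint_sssd_conf(text: str) -> list[str]:
    """Return one finding per weak setting found in each [domain/*] section."""
    # interpolation=None: "%1$s" is sssd syntax, not configparser interpolation.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        d = cp[name]
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",")]
        if not all(u.startswith("ldaps://") for u in uris):
            findings.append(f"{name}: ldap_uri is not ldaps://, the bind password crosses the wire in clear")
        reqcert = d.get("ldap_tls_reqcert", "hard").lower()  # sssd default is hard
        if reqcert not in ("demand", "hard"):
            findings.append(f"{name}: ldap_tls_reqcert={reqcert} accepts an unverified AD certificate (use demand)")
        if "ldap_tls_cacert" not in d and "ldap_tls_cacertdir" not in d:
            findings.append(f"{name}: no ldap_tls_cacert, the AD certificate chain cannot be checked")
        if d.get("ldap_default_authtok_type", "password").lower() != "obfuscated_password":
            findings.append(f"{name}: bind password is stored in clear text in the config")
    return findings


if __name__ == "__main__":
    for finding in lint_sssd_conf(SAMPLE_CONF):
        print("WARN", finding)
```

Point it at the real file with `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())`; a clean run returns an empty list.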

Note:

To create the obfuscated password, run the following command. Remember to replace the changeme password with your own.

$ python -c "import pysss;print(pysss.password().encrypt('changeme', pysss.password().AES_256))"

When we export the certificate from Active Directory, it is in CER (DER-encoded) format. To convert it to PEM format, run the following command.

$ openssl x509 -inform der -in ad_cert.cer -out ad_cert.pem

Now restart the SSSD service.

$ sudo systemctl restart sssd

SSH config

Open your SSH daemon config file /etc/ssh/sshd_config and add the following content.

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root

Then restart the SSH service.

$ sudo systemctl restart ssh

AD user SSH public key

From Active Directory Users and Computers, edit the user's altSecurityIdentities attribute and add the SSH public key.

Active Directory Users and Computers

Testing

From the Linux client, try to query the AD user SSH public key using the following command.

$ /usr/bin/sss_ssh_authorizedkeys khanh
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4eyJaYoDzhHYtUMEYfgmnlplDsQHGDBw...

If you get the SSH public key back, you are now ready to log in to that Linux machine as the AD user.

Troubleshooting

During the test, keep an eye on the SSSD log files.

$ tail -f /var/log/sssd/sssd*

If you see something similar to the following error, it could be caused by the wrong CA certificate, or by the read-only user not having permission on the ldap_search_base.

[sssd[ssh]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]