Storing SSH Keys In Gluu/LDAP

By: Tim Soderstrom user 29 Mar 2016 at 11:59 a.m. CDT

7 Responses
Tim Soderstrom gravatar
Hi Gluu! We're evaluating various centralized auth solutions (including Gluu Community, Paid Gluu, JumpCloud, roll-your-own-LDAP, etc.) and are trying to get a handle on what Gluu can/can't do. I know it's possible (though I personally have never tested it) to store SSH keys in LDAP. Does Gluu support this and how? Also, I know Gluu had support for Yubikey via U2F but the docs are rather sparse on how to get that setup? Thanks! Tim
None
closed

Answers

By William Lowe user 29 Mar 2016 at 12:07 p.m. CDT

Copy
William Lowe gravatar
Hey Tim, I'll let one of our support engineers comment on the SSH keys in LDAP, but in terms of support for Yubikey, that comes out of the box. All you have to do is enable U2F authentication in the Gluu Server and any U2F compliant token, including Yubikey, will work for 2FA. Docs for U2F are [here](https://gluu.org/docs/multi-factor/u2f/). Thanks, Will

By Mohib Zico staff 29 Mar 2016 at 12:18 p.m. CDT

Copy
Mohib Zico gravatar
Tim, Gluu-LDAP store information of those users who will take part in Single Sign On. 'SSH' is part of system/infrastructure ( not the Gluu Software) and there is actually no place in LDAP tree to store information about system/infrastructure administrators; at least not in our Community Edition. What you can do..you can protect your SSH with any 2FA ( i.e. Duo ).

By Michael Schwartz Account Admin 29 Mar 2016 at 12:23 p.m. CDT

Copy
Michael Schwartz gravatar
I think its always possible to define a custom attribute in LDAP and store the ssh public key for a user. You might want to base64 encode the key if it contains any line breaks or other special characters. LDIF automatically handles base64 encoding by using two colons. For example: dn: uid=foo,ou=people,o=example.com add: sshKey sshKey:: k3NoLXJzYSccqISBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCVTEGY3JXQTRYRHVLSTA0bVJkRU5r Check the OpenDJ docs about extending the schema. I don't see why you'd ever need this attribute to be released to a SAML SP or OpenID Connect RP, so its just an LDAP consideration. I'm guessing that your pam_ldap module can use the public key.

By Tim Soderstrom user 29 Mar 2016 at 12:43 p.m. CDT

Copy
Tim Soderstrom gravatar
Hi All! Thanks for the input and lightning fast response! Yes indeed, this would be exclusive to the LDAP side. We're trying to avoid having to manage keys via Ansible as it sort of defeats the point of centralized auth and is what we're doing now and it's just not very fun. We could export home directories and things like that for keys but housing them within our centralized auth makes a lot more sense for our needs I think. If I add the LDAP attribute directly in OpenDJ, I'm guessing that means we wouldn’t be able to manage it from the Gluu web interface?

By Michael Schwartz Account Admin 29 Mar 2016 at 2:28 p.m. CDT

Copy
Michael Schwartz gravatar
Did you read this [docs page](https://gluu.org/docs/customize/attributes/)? If just managing the attribute in the GUI is all you want, you can make sure to register the attribute and make sure the admin has view/edit permissions (configured in the oxTrust Attributes GUI). In fact, if its just one attribute, you might want to just add it through the oxTrust UI. This adds it to `100-user.ldif` in `/opt/opendj/config/schema` thx, Mike

By Tim Soderstrom user 29 Mar 2016 at 4:03 p.m. CDT

Copy
Tim Soderstrom gravatar
Ah, oops, thanks again Michael! You busted me on not finding that particular page in the docs. I've been thumbing through them but admittedly didn't run into this doc. But thanks for schooling and the super helpful advice! I think I have enough information to start testing things out!

By William Lowe user 29 Mar 2016 at 4:07 p.m. CDT

Copy
William Lowe gravatar
Sounds good, Tim. I'm going to close this ticket out. Feel free to open a new one if you run into specific issues. Thanks, Will

Post an answer