{"id":468,"date":"2019-10-10T18:13:03","date_gmt":"2019-10-10T16:13:03","guid":{"rendered":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/?p=468"},"modified":"2021-02-09T07:24:46","modified_gmt":"2021-02-09T06:24:46","slug":"samba-stocker-vos-cles-publiques-ssh-dans-ad-2","status":"publish","type":"post","link":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/samba-stocker-vos-cles-publiques-ssh-dans-ad-2\/","title":{"rendered":"samba &#8211; store your SSH public keys in AD"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-content\/uploads\/sites\/2\/2021\/02\/sshkeypub-1.png\" alt=\"sshkeypub\" \/><\/p>\n<p>Public key authentication has long been considered one of the safest methods of remote SSH authentication. However, using the same key pair on more than one machine can create security risks, especially if that key is not protected by a passphrase. 
For this reason, I suggest using Samba4 Active Directory as a store for SSH public keys.<\/p>\n<p><!--more--><\/p>\n<h2>Prerequisites<\/h2>\n<ul>\n<li>Take a full backup of your Samba4 AD.<\/li>\n<li>Enable schema updates in the [global] section of your \/etc\/samba\/smb.conf file.<\/li>\n<\/ul>\n<pre><code>dsdb:schema update allowed = true\n<\/code><\/pre>\n<ul>\n<li>Restart the samba-ad-dc service<\/li>\n<\/ul>\n<pre><code># \/etc\/init.d\/samba-ad-dc restart\n<\/code><\/pre>\n<h2>Setting up the schema to hold the public keys<\/h2>\n<ul>\n<li>From a Windows machine (with the RSAT tools), open a console and run the following command:<\/li>\n<\/ul>\n<pre><code>regsvr32 schmmgmt.dll\n<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-content\/uploads\/sites\/2\/2019\/10\/2019-10-12-11.49.23.png\" alt=\"2019-10-12 11.49.23\" \/><\/p>\n<p>Still in this console, run the following command to open a second console as the domain administrator, then launch an mmc from it<\/p>\n<pre><code>runas \/user:FORMATION\\Administrator cmd\nmmc\n<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-content\/uploads\/sites\/2\/2019\/10\/2019-10-12-11.28.12.png\" alt=\"2019-10-12 11.28.12\" \/><\/p>\n<ul>\n<li>Add the <strong>Active Directory Schema<\/strong> snap-in<\/li>\n<li>Right-click Attributes, Create Attribute&#8230;<\/li>\n<li>\n<p>Read the warning and continue:<br \/>\n<img decoding=\"async\" src=\"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-content\/uploads\/sites\/2\/2019\/10\/2019-10-12-11.45.06.png\" alt=\"2019-10-12 11.45.06\" \/><\/p>\n<\/li>\n<li>\n<p>Enter the following information<\/p>\n<ul>\n<li>Common Name and LDAP Display Name: <strong>sshPublicKey<\/strong><\/li>\n<li>Unique X.500 Object ID: 
<strong>1.3.6.1.4.1.24552.1.1.1.13<\/strong><\/li>\n<li>Select <strong>IA5-String<\/strong> as the Syntax<\/li>\n<li>Check <strong>Multi-Valued<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-content\/uploads\/sites\/2\/2019\/10\/sshPublicKeys.png\" alt=\"sshPublicKeys\" \/><\/p>\n<ul>\n<li>Right-click Classes, Create Class&#8230;<\/li>\n<li>Enter the following information\n<ul>\n<li>Common Name and LDAP Display Name: <strong>ldapPublicKey<\/strong><\/li>\n<li>Unique X.500 Object ID: <strong>1.3.6.1.4.1.24552.500.1.1.2.0<\/strong><\/li>\n<li>Parent class: <strong>top<\/strong><\/li>\n<li>Class type: <strong>Auxiliary<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-content\/uploads\/sites\/2\/2019\/10\/2019-10-12-11.30.55.png\" alt=\"2019-10-12 11.30.55\" \/><\/p>\n<ul>\n<li>Click Next to add the sshPublicKey attribute created earlier.<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-content\/uploads\/sites\/2\/2019\/10\/2019-10-12-11.31.18.png\" alt=\"2019-10-12 11.31.18\" \/><\/p>\n<ul>\n<li>Expand the Classes node and open the properties of the user class to add the auxiliary class ldapPublicKey on its Relationship tab.<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-content\/uploads\/sites\/2\/2019\/10\/2019-10-12-12.03.55.png\" alt=\"2019-10-12 12.03.55\" \/><\/p>\n<ul>\n<li>From ADUC, enable Advanced Features to reach the Attribute Editor tab on the user&rsquo;s record.<\/li>\n<\/ul>\n<p><img decoding=\"async\" 
src=\"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-content\/uploads\/sites\/2\/2019\/10\/2019-10-12-12.07.25.png\" alt=\"2019-10-12 12.07.25\" \/><\/p>\n<h1>Enable public key support on your OpenSSH server (here Debian 9)<\/h1>\n<pre><code># more \/etc\/ssh\/sshd_config\n...\nPubkeyAuthentication yes\nAuthorizedKeysCommand \/usr\/bin\/ssh-ldap-pubkey-wrapper\nAuthorizedKeysCommandUser nobody\n#AuthorizedKeysCommand \/usr\/bin\/fetchSSHKeysFromLDAP\n#AuthorizedKeysCommand \/usr\/bin\/sss_ssh_authorizedkeys\n...\n<\/code><\/pre>\n<pre><code># apt-get install python-pip python-ldap python-pyldap\n# pip install ssh-ldap-pubkey\n\n# mv \/usr\/local\/bin\/ssh-ldap-pubkey \/usr\/bin\/\n# mv \/usr\/local\/bin\/ssh-ldap-pubkey-wrapper \/usr\/bin\/\n\n<\/code><\/pre>\n<pre><code># vi \/etc\/ldap\/ldap.conf\n...\n# SSL to AD\nTLS_CACERTDIR   \/etc\/ssl\/certs\/\n# never: the AD server certificate is not verified (any certificate is accepted);\n# with the AD CA placed in TLS_CACERTDIR, demand enforces verification instead\nTLS_REQCERT never\n...\n<\/code><\/pre>\n<pre><code># more \/etc\/ldap.conf\n\n\n# \/etc\/ldap.conf\n#\n# This is the configuration file for OpenSSH LDAP Public Keys (ssh-ldap-pubkey).\n#\n# This file actually uses a subset of directives from configuration file of the\n# LDAP nameservice switch library and the LDAP PAM module, so the same file can\n# be used for all these services.\n#\n\n# Specifies the URI(s) of the LDAP server(s) to connect to. The URI scheme may\n# be ldap, or ldaps, specifying LDAP over TCP or SSL respectively. A port\n# number can be specified; the default port number for the selected protocol\n# is used if omitted.\nuri ldap:\/\/10.0.2.4\n\n# The distinguished name of the search base.\nbase DC=formation,DC=fr\n\n# The LDAP version to use. 
Default is 3 if supported by client library.\n#ldap_version 3\n\n# Enable SASL and specify mechanism to use (currently supported: GSSAPI).\n#sasl GSSAPI\n\n# The distinguished name to bind to the server with.\n# Default is to bind anonymously.\nbinddn CN=Administrateur,CN=Users,DC=formation,DC=fr\n\n# The credentials to bind with. Default is no credential.\nbindpw Pa$$w0rd\n\n# The search scope; sub, one, or base.\nscope sub\n\n# Specifies if the client should automatically follow referrals returned\n# by LDAP servers. This must be typically disabled for Active Directory.\n# Default is \"on\".\nreferrals off\n\n# Search timelimit in seconds (0 for indefinite).\ntimelimit 5\n\n# Bind\/connect timelimit (0 for indefinite).\nbind_timelimit 5\n\n# The filter to use when retrieving user information, additional to the login\n# attribute value assertion (pam_login_attribute=&lt;login&gt;).\npam_filter objectclass=user\n\n# The user ID attribute (defaults to 'uid').\npam_login_attribute sAMAccountName\n\n# RFC2307bis naming contexts\n# Syntax is:\n#   nss_base_XXX  base?scope?filter\n# where scope is {base,one,sub} and filter is a filter to be &amp;'d with the\n# default filter.\n#nss_base_passwd   ou=People,dc=example,dc=org?one\nnss_base_passwd CN=Users,DC=formation,DC=fr?one\n\n# CA certificates for server certificate verification.\ntls_cacertdir \/etc\/ssl\/certs\n\n# Name of LDAP attribute used for SSH public keys.\npubkey_attr sshPublicKey\n<\/code><\/pre>\n<p>Display the key present in AD for a specific user (none at first; the session below then adds one and lists it again)<\/p>\n<pre><code>root@debian9:~# ssh-ldap-pubkey list -u colombet\nNo public keys found.\nroot@debian9:~# ssh-ldap-pubkey add -D CN=Administrateur,CN=Users,DC=formation,DC=fr -u colombet ~\/.ssh\/id_rsa.pub\nEnter LDAP password for 'CN=Administrateur,CN=Users,DC=formation,DC=fr':\nKey has been stored: root@debian9\nroot@debian9:~# ssh-ldap-pubkey list -u colombet\nssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDcCAbvhse37NgMUhLTT6OhxR9cecaz0NIMVE1B1bq3llR+OGBvyI41nTj+l6pNUqwhvVTHWhHpePOuv562hL6+OTZPlbmYC4NUYFXEOP+M3WgoqlDbKQQoKX4zxznOgcf85xh9w9IrJrlj0H7dJxdEcuModh+E2WsY7LAFHp7UyD5rsPuGAlXqw1oXgEWqInD9JQOFK4KkH35wCWAYGxfZYOemMol\/xQfc1ORC65loivXDQfG7oQjk8UfaDH5RM6OsEk9yjBawYB5pCT+XiV9V6OBqno2llc3t9ZmBPjSUzrMbFca8eloOD2CUYwm3vYdFq4MZQ6VngYFFCFY9hR+j root@debian9\n<\/code><\/pre>\n<p>Add a key to the user colombet:<\/p>\n<pre><code># ssh-ldap-pubkey add -D CN=Administrateur,CN=Users,DC=formation,DC=fr -u colombet ~\/.ssh\/id_rsa.pub\n<\/code><\/pre>\n<p>Remove the public key <strong>root@debian9<\/strong> from the user colombet:<\/p>\n<pre><code># ssh-ldap-pubkey del -u colombet -D CN=Administrateur,CN=Users,DC=formation,DC=fr root@debian9\n<\/code><\/pre>\n<p>Managing the key as the user themselves:<\/p>\n<pre><code>root@debian9:~# su - colombet\n\ncolombet@debian9:~$ ssh-ldap-pubkey list\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcCAbvhse37NgMUhLTT6OhxR9cecaz0NIMVE1B1bq3llR+OGBvyI41nTj+l6pNUqwhvVTHWhHpePOuv562hL6+OTZPlbmYC4NUYFXEOP+M3WgoqlDbKQQoKX4zxznOgcf85xh9w9IrJrlj0H7dJxdEcuModh+E2WsY7LAFHp7UyD5rsPuGAlXqw1oXgEWqInD9JQOFK4KkH35wCWAYGxfZYOemMol\/xQfc1ORC65loivXDQfG7oQjk8UfaDH5RM6OsEk9yjBawYB5pCT+XiV9V6OBqno2llc3t9ZmBPjSUzrMbFca8eloOD2CUYwm3vYdFq4MZQ6VngYFFCFY9hR+j root@debian9\n\ncolombet@debian9:~$ ssh-ldap-pubkey del root@debian9\nEnter login (LDAP) password for user 'colombet':\nDeleted keys:\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcCAbvhse37NgMUhLTT6OhxR9cecaz0NIMVE1B1bq3llR+OGBvyI41nTj+l6pNUqwhvVTHWhHpePOuv562hL6+OTZPlbmYC4NUYFXEOP+M3WgoqlDbKQQoKX4zxznOgcf85xh9w9IrJrlj0H7dJxdEcuModh+E2WsY7LAFHp7UyD5rsPuGAlXqw1oXgEWqInD9JQOFK4KkH35wCWAYGxfZYOemMol\/xQfc1ORC65loivXDQfG7oQjk8UfaDH5RM6OsEk9yjBawYB5pCT+XiV9V6OBqno2llc3t9ZmBPjSUzrMbFca8eloOD2CUYwm3vYdFq4MZQ6VngYFFCFY9hR+j root@debian9\n<\/code><\/pre>\n<h2>Debug<\/h2>\n<pre><code># ldapsearch -h debian9.formation.fr -b 
'CN=Users,DC=formation,DC=fr' '(sAMAccountName='\"${1%@*}\"')' -D 'CN=Administrator,CN=Users,DC=formation,DC=fr' -w 'Pa$$w0rd' 'sshPublicKeys' | sed -n '\/^ \/{H;d};\/sshPublicKeys:\/x;$g;s\/\\n *\/\/g;s\/sshPublicKeys: \/\/gp'\n\n\n# ldapsearch -h dc1ad.formation.fr -b 'CN=Users,DC=formation,DC=fr' '(sAMAccountName='\"${1%@*}\"')' -D 'CN=Administrateur,CN=Users,DC=formation,DC=fr' -w 'Pa$$w0rd' 'sshPublicKey' | sed -n '\/^ \/{H;d};\/sshPublicKey:\/x;$g;s\/\\n *\/\/g;s\/sshPublicKey: \/\/gp'\n<\/code><\/pre>\n<h2>References<\/h2>\n<h3>Adding to the AD schema<\/h3>\n<p><a href=\"https:\/\/github.com\/LasLabs\/ansible-ad-ssh-key-deployer\">https:\/\/github.com\/LasLabs\/ansible-ad-ssh-key-deployer<\/a><br \/>\n<a href=\"https:\/\/blog.laslabs.com\/2016\/08\/storing-ssh-keys-in-active-directory\/\">https:\/\/blog.laslabs.com\/2016\/08\/storing-ssh-keys-in-active-directory\/<\/a><br \/>\n<a href=\"https:\/\/blog.laslabs.com\/2017\/04\/managing-ssh-keys-stored-in-active-directory\/\">https:\/\/blog.laslabs.com\/2017\/04\/managing-ssh-keys-stored-in-active-directory\/<\/a><br \/>\n<a href=\"http:\/\/david-latham.blogspot.com\/2012\/12\/extending-ad-schema-on-samba4.html\">http:\/\/david-latham.blogspot.com\/2012\/12\/extending-ad-schema-on-samba4.html<\/a><\/p>\n<h3>OpenSSH and public keys<\/h3>\n<p><a href=\"https:\/\/github.com\/jirutka\/ssh-ldap-pubkey\">https:\/\/github.com\/jirutka\/ssh-ldap-pubkey<\/a><br \/>\n<a href=\"https:\/\/www.ossramblings.com\/using-ldap-to-store-ssh-public-keys-with-sssd\">https:\/\/www.ossramblings.com\/using-ldap-to-store-ssh-public-keys-with-sssd<\/a><br \/>\n<a href=\"https:\/\/patrikwm.github.io\/2016\/11\/11\/001-Centos-SSH-Active-Directory.html\">https:\/\/patrikwm.github.io\/2016\/11\/11\/001-Centos-SSH-Active-Directory.html<\/a><br \/>\n<a href=\"https:\/\/wiki.lereset.org\/ateliers:serveurmail:ldap-ssh\">https:\/\/wiki.lereset.org\/ateliers:serveurmail:ldap-ssh<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Public key authentication has long been considered one of the safest methods of remote SSH authentication. 
However, using the same key pair on more than one machine can create security risks, especially if that key is not protected by a passphrase. For this reason, I suggest [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[11,12],"tags":[9,2,67,4],"class_list":["post-468","post","type-post","status-publish","format-standard","hentry","category-linux","category-samba","tag-active-directory","tag-linux","tag-public-and-private-keys","tag-samba"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paBEVZ-7y","jetpack_likes_enabled":false,"_links":{"self":[{"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/posts\/468","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/comments?post=468"}],"version-history":[{"count":3,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/posts\/468\/revisions"}],"predecessor-version":[{"id":471,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/posts\/468\/revisions\/471"}],"wp:attachment":[{"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/media?parent=468"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/categories?post=468"},{"taxonomy":"post_tag"
,"embeddable":true,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/tags?post=468"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}