From b058a8d891d5956c29874dd97522e69b7a4b8d93 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Wed, 21 Feb 2024 08:38:44 +0100
Subject: [PATCH] common: support looking up sshPublicKey from LDAP
---
 host_vars/oxygen.binary-kitchen.net | 2 +-
 host_vars/sulis.binary.kitchen | 1 +
 roles/common/templates/sshd_config.j2 | 9 +++++++++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/host_vars/oxygen.binary-kitchen.net b/host_vars/oxygen.binary-kitchen.net
index 195942d..afeea6c 100644
--- a/host_vars/oxygen.binary-kitchen.net
+++ b/host_vars/oxygen.binary-kitchen.net
@@ -1,4 +1,4 @@
 ---
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
 sshd_password_authentication: "yes"
-uau_reboot: "false"
diff --git a/host_vars/sulis.binary.kitchen b/host_vars/sulis.binary.kitchen
index b98fe23..afeea6c 100644
--- a/host_vars/sulis.binary.kitchen
+++ b/host_vars/sulis.binary.kitchen
@@ -1,3 +1,4 @@
 ---
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
 sshd_password_authentication: "yes"
diff --git a/roles/common/templates/sshd_config.j2 b/roles/common/templates/sshd_config.j2
index 3c122a1..e74eb43 100644
--- a/roles/common/templates/sshd_config.j2
+++ b/roles/common/templates/sshd_config.j2
@@ -43,8 +43,17 @@ PermitRootLogin {{ sshd_permit_root_login }}
 #AuthorizedPrincipalsFile none
+{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
+AuthorizedKeysCommand {{ sshd_authkeys_command }}
+{% if sshd_authkeys_user is defined and sshd_authkeys_user %}
+AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
+{% else %}
+AuthorizedKeysCommandUser nobody
+{% endif %}
+{% else %}
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
+{% endif %}
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #HostbasedAuthentication no
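Review bot: The removed line `-uau_reboot: "false"` in host_vars/oxygen.binary-kitchen.net is unrelated to the commit subject (LDAP key lookup) and silently changes whatever that variable controls for this host, since the description does not mention it. If the removal is intentional it deserves its own commit or at least one sentence in the description; if it is accidental it should be restored. The hunk header counts (-1,4 +1,4) suggest a blank line that is not visible in this rendering, so there may be context I cannot see.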
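Review bot: The new variables `sshd_authkeys_command` and `sshd_authkeys_user` in roles/common/templates/sshd_config.j2 are introduced only through the `is defined` guards and two host_vars files, with nothing saying what the command is expected to be or what sshd demands of it; a comment above the `{% if sshd_authkeys_command ... %}` line would help the next maintainer, e.g. `# sshd_authkeys_command: optional AuthorizedKeysCommand (e.g. sss_ssh_authorizedkeys for SSSD/LDAP lookup); sshd requires an absolute path to a root-owned, non-group/world-writable executable` and the role's defaults file (not in this diff) is the natural place to declare both variables. When no arguments are given, sshd passes the target username to the command, so the bare path set in host_vars is sufficient; if arguments or tokens such as `%u` are ever needed they must be part of the variable value, which is worth stating in the same comment. Because keys read from the directory now grant login on these hosts, who may write the sshPublicKey attribute in LDAP becomes part of the hosts' access-control boundary, a point better recorded in the commit description than in the template. The sshd_config template continues outside the hunk.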