OpenSSH LDAP public key


Ubuntu (and Debian) don’t have official debian package of openssh-lpk package. So I applied openssh with openssh-lpk patch from Gentoo. I think it is enable to build with the same way in Debian. (But I have not tried)

Package build

Download patch and apply to source package.

$ wget
$ gzip -d openssh-lpk-5.9p1-0.3.14.patch.gz
$ sudo apt-get build-dep openssh
$ sudo apt-get install libldap2-dev quilt
$ apt-get source openssh
$ cd openssh-5.9p1
$ patch < ../openssh-lpk-5.9p1-0.3.14.patch
$ dpkg-source --commit

Remove line #234 because this patch has a bug.

$ vi ./auth-rsa.c (234 line delete)

Execute “quilt refresh”.

$ quilt refresh

Edit debian/rules

$ vi debian/rules
 --- a/rules 2012-04-02 10:38:04.000000000 +0000
 +++ b/rules 2012-06-12 21:46:43.000000000 +0000
 @@ -81,6 +81,7 @@

  # The deb build wants xauth; the udeb build doesn't.
  confflags += --with-xauth=/usr/bin/xauth
 +confflags += --with-ldap
  confflags_udeb += --without-xauth

  # Default paths. The udeb build has /usr/bin/X11 and /usr/games removed.
 @@ -93,6 +94,7 @@
  cflags := $(default_cflags)
  cflags += -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
 +cflags += -DWITH_LDAP_PUBKEY
  cflags_udeb := -Os
  confflags += --with-cflags='$(cflags)'

Append libldap2-dev to Build-Depends of debian/control.

$ vi debian/control
Build-Depends: ..., libldap2-dev

Build package with “debuild” and “pbuilder” after update debian/changelog. You install openssh-client, openssh-server, these two package at lease.

$ sudo dpkg -i openssh-client_5.9p1-5ubuntu1+cust1_amd64.deb openssh-server_5.9p1-5ubuntu1+cust1_amd64.deb

Setting of OpenSSH


UseLPK yes
LpkServers ldap://
LpkUserDN ou=People,dc=example,dc=org
LpkGroupDN ou=Group,dc=example,dc=org
LpkForceTLS no

Restart sshd.


I use patch in this time that does not support URL of IPv6 format at LpkServers. But, name base is no problem for IPv6. And you must use libnss-ldapd and libpam-ldapd.

CentOS 6

CentOS 6 supports openssh-lpk in default. So you will it, you only do install “openssh-ldap”, and set up.

$ sudo yum install openssh-ldap
$ sudo vi /etc/ssh/sshd_config


PubkeyAuthentication yes
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs nobody


Copy from “/usr/share/doc/openssh-ldap-5.3p1/ldap.conf” as template to “/etc/ssh/ldap.conf”. openssh-ldap package of CentOS6 supports IPv6.

uri ldap://
port 389
base dc=example,dc=org
ldap_version 3
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
ssl no

Restart sshd.

See also

OpenSSH with LDAP public keys