22.4. Procedure – SSH usermapping and keymapping in AD with public key


A customer wants to disable password authentication in SSH for admin users on their UNIX servers. However, the customer uses Active Directory and does not want to enter a username and password for gateway authentication at every login. The customer therefore needs a quasi-SSO system in which members of one group log in as root and members of another group log in as the XY user.


  1. Create an LDAP authentication policy. For details on creating a new authentication policy, see Section 11.3, Authentication Policies. In this scenario, only a few important details will be highlighted.

    1. In the Client authentication backend field, set the authentication method used on the client side to LDAP. This is the Active Directory from which the gateway retrieves the public key used for authentication. Under Authentication methods, enable Publickey only and disable all other methods.

    2. In the Relayed authentication methods field, enable Publickey and disable all other methods. Under Publickey, set the Server side private and public key to Map, so that end users never see the key.

    3. Navigate to the bottom of the policy, and click .

    4. Enter the username in the Username field (for example: root). Generate a Private key and upload its public counterpart to the server.

  2. Set an LDAP server policy where you set up the Active Directory connection. For details on authenticating users to an LDAP server, see Procedure 7.9, Authenticating users to an LDAP server. In this scenario, only a few important details will be highlighted.

    1. If the domain name is DEMO.balabit, then enter the following values:

        Base DN: DC=DEMO,DC=balabit
        Bind DN: CN=Administrator,CN=Users,DC=DEMO,DC=balabit
        Bind Password: <the password of the administrator>
        Publickey attribute name: sshPublicKey

  3. By default, Active Directory does not have any attribute that could store an SSH public key. To add one, perform the following steps:

    1. Enable Schema updates using the registry:

      1. Click Start, click Run, and then in the Open box, type: regedit. Press Enter.

      2. Locate and click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

      3. On the Edit menu, click New, and then click DWORD Value.

      4. Enter the value data when the following registry value is displayed:

        Value Name: Schema Update Allowed
        Data Type: REG_DWORD
        Base: Binary
        Value Data: 1

        Type 1 to enable this feature, or 0 (zero) to disable it.

      5. Quit Registry Editor.

    2. Install the Schema snap-in. For details, see https://technet.microsoft.com/en-us/library/cc732110.aspx. Note that you must have Administrator privileges to install the Schema snap-in.

    3. Click Start, click Run, and then in the Open box, type: MMC. Press Enter.

    4. Navigate to File > Add or Remove Snap-in, select Active Directory Schema and click Add. Note that you must have Schema Administrator privileges to complete the following steps.

      Figure 22.4. Add or Remove Snap-in

    5. Expand the Active Directory schema and right click Attributes.

    6. Click Create Attribute. If a warning appears, click Continue.

      Figure 22.5. Creating Attribute - Warning

    7. In Common name and LDAP name enter sshPublicKey.

    8. In OID enter .

    9. For Syntax, select IA5-String.

    10. Enable Multi-Valued. Click OK.

      Figure 22.6. Create New Attribute

    11. Right click Classes and click Create class. If a warning appears, click Continue.

    12. Name the class as ldapPublicKey.

    13. In X500 OID enter

    14. In Parent Class enter top, and in Class Type enter Auxiliary.

      Figure 22.7. Create New Schema Class

    15. Click Next. Add sshPublicKey to the Optional field. Click Finish.

      Figure 22.8. Create New Schema Class (Optional)

    16. Expand Classes and select User. Right click User and select Properties. Navigate to Relationship > Auxiliary class, click Add Class and add the ldapPublicKey class. Click Apply.

      Figure 22.9. User Properties

    17. Select the Attributes tab, and add an optional attribute called sshPublicKey. Click Apply.
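
      After the schema edits above, it is worth confirming from a domain controller that the attribute and class landed with the intended properties before any keys are written. The following PowerShell script is an added example and is not part of the original procedure; it assumes the ActiveDirectory module is available and uses the attribute and class names from this procedure (sshPublicKey, ldapPublicKey). The OID values are whatever you entered in the snap-in and are not checked here.

```powershell
# Added example (not from the original procedure): verify the sshPublicKey
# attribute and the ldapPublicKey auxiliary class in the AD schema.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. The attribute must exist, be multi-valued and use the IA5-String syntax
#    (attributeSyntax 2.5.5.5 with oMSyntax 22).
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=sshPublicKey)' `
            -Properties attributeID, attributeSyntax, oMSyntax, isSingleValued
if (-not $attr) { throw 'sshPublicKey attribute not found in the schema' }
if ($attr.attributeSyntax -ne '2.5.5.5' -or $attr.oMSyntax -ne 22) {
    throw "sshPublicKey has syntax $($attr.attributeSyntax)/$($attr.oMSyntax); expected IA5-String (2.5.5.5/22)"
}
if ($attr.isSingleValued) { throw 'sshPublicKey must be multi-valued' }

# 2. The auxiliary class must exist (objectClassCategory 3 = auxiliary),
#    list sshPublicKey as an optional attribute, and be attached to "user".
$cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ldapPublicKey)' `
            -Properties objectClassCategory, mayContain
if (-not $cls) { throw 'ldapPublicKey class not found in the schema' }
if ($cls.objectClassCategory -ne 3) { throw 'ldapPublicKey is not an auxiliary class' }
if ($cls.mayContain -notcontains 'sshPublicKey') {
    throw 'ldapPublicKey does not carry sshPublicKey as an optional attribute'
}

$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' `
                 -Properties auxiliaryClass
if ($userClass.auxiliaryClass -notcontains 'ldapPublicKey') {
    throw 'ldapPublicKey has not been added as an auxiliary class of user'
}

# 3. Ask the DC to reload its schema cache so the new attribute is writable
#    immediately instead of after the next scheduled refresh.
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

Write-Output 'Schema check passed: sshPublicKey (IA5-String, multi-valued) is available on user objects.'
```

      Each check throws on the first mismatch, so a silent pass means every property matches; the OIDs entered in the snap-in are reported via attributeID but deliberately not validated, because the procedure does not fix their values.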

  4. The next step is to map the public keys to users. This is not possible in a regular user editor; use a low-level LDAP utility instead.

    1. Add ADSI Edit as a snap-in to MMC.

      Figure 22.10. Adding ADSI Edit

    2. Right-click on the node and press Enter.

    3. Search for the user in the tree, right-click it and select Properties. All attributes, including sshPublicKey, can be edited there. Add the OpenSSH public keys one by one.
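
      Editing the attribute by hand in ADSI Edit works for a handful of users, but it performs no checks on what is pasted in. The script below is an added example, not part of the original procedure, showing the same mapping done with the ActiveDirectory module: it rejects anything that is not a single-line OpenSSH public key, appends to the multi-valued attribute without overwriting existing keys, and lists which accounts carry keys. The account name and key material are constructed placeholders.

```powershell
# Added example (not from the original procedure): write sshPublicKey values
# to an AD user with validation, instead of pasting them into ADSI Edit.
Import-Module ActiveDirectory

function Test-OpenSshPublicKey {
    # Accept only the "<type> <base64> [comment]" line that OpenSSH writes to
    # .pub files; anything else would silently break key lookups at the gateway.
    param([Parameter(Mandatory)][string]$Key)
    $allowedTypes = 'ssh-ed25519', 'ssh-rsa',
                    'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521'
    $parts = $Key.Trim() -split '\s+', 3
    if ($parts.Count -lt 2 -or $allowedTypes -notcontains $parts[0]) { return $false }
    try { [void][Convert]::FromBase64String($parts[1]) } catch { return $false }
    return $true
}

function Add-SshPublicKey {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName, DN, GUID or SID
        [Parameter(Mandatory)][string]$Key
    )
    $Key = $Key.Trim()
    if (-not (Test-OpenSshPublicKey $Key)) { throw "Not a valid OpenSSH public key: $Key" }
    $current = (Get-ADUser -Identity $Identity -Properties sshPublicKey).sshPublicKey
    if ($current -contains $Key) {
        Write-Verbose "Key already present on $Identity; nothing to do"
        return
    }
    # -Add appends to the multi-valued attribute; -Replace would drop other keys.
    Set-ADUser -Identity $Identity -Add @{ sshPublicKey = $Key }
}

function Remove-SshPublicKey {
    # Used when a key is rotated or an admin leaves; removes exactly one value.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Key
    )
    Set-ADUser -Identity $Identity -Remove @{ sshPublicKey = $Key.Trim() }
}

function Get-SshPublicKeyHolders {
    # Every account with at least one key, for periodic review of who can log in.
    Get-ADUser -Filter 'sshPublicKey -like "*"' -Properties sshPublicKey |
        Select-Object SamAccountName, @{ n = 'KeyCount'; e = { @($_.sshPublicKey).Count } }
}

# Usage with constructed placeholders (the base64 blob is not a real key).
$exampleKey = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialExampleKeyMaterial123 unixadmin@workstation'
Add-SshPublicKey -Identity 'unixadmin' -Key $exampleKey -Verbose
Get-SshPublicKeyHolders | Format-Table -AutoSize
```

      Adding one key per call mirrors the one-by-one step above; Get-SshPublicKeyHolders gives a quick inventory of accounts that can authenticate with a key, which is the list to review whenever the root-mapped group changes.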

  5. Create a usermapping policy that specifies which Active Directory groups may become root. For details on creating usermapping policies, see Procedure 18.1, Configuring usermapping policies. In this scenario, only a few important details will be highlighted.

    1. Set the Username to root and select the group whose members you intend to grant this right.

    2. If you intend to allow other users in without usermapping, enable Allow other unmapped usernames.