PC²

For thoughts greater than 280 characters.

Authkeys: Making Key-Based LDAP Authentication Faster

21 April 2017

You may recall from an earlier post that we’ve set up centralized authentication here at Threat Stack. Our motivation for doing so centered on the desire to achieve clearer access control for the servers that power our platform. By doing this, we no longer need to use Chef to deploy the majority of users to servers. Rather, we can use an internal application to add, lock, and update users and their associated metadata.

One piece of metadata that we want to control is the engineering team member’s SSH key, which is tied to their YubiKey. This asymmetric key is what authenticates a specific user to a specific server (authorization to access that server is handled with special PAM configuration). We don’t use passwords to log into machines, except in emergencies which require multiple people to be present (and even then, an SSH key is involved).

When we were using Chef to set up all user accounts, Chef would set up their home directory and place an authorized_keys file which contained the public component of the user’s private key. Now that we’re using LDAP, a question remained: How do we distribute these keys to the machine?

Fortunately, OpenSSH has a configuration option that allows the use of an external application on login that returns the appropriate keys for a user. This configuration option is called AuthorizedKeysCommand. A few open-source options exist for performing an LDAP lookup of SSH keys, but they rely on interpreters like Lua and Python to run. Lua and Python are great languages, but we felt more confident in putting an application into the mix that didn’t rely on an interpreter. So we created Authkeys, a small application written in Go that will perform a lookup and return the appropriate keys so that SSH can make an authentication decision.

Using Authkeys Our README.md has full instructions on using the tool, along with requirements. In summary:

  • You’ll use a configuration management tool to place a configuration file (/etc/authkeys.json is the default) on each host containing information about your LDAP setup.
  • You’ll also use a configuration management tool to distribute an Authkeys package. (We use FPM to make our own.)
  • Then, you’ll set the AuthorizedKeysCommand option in your sshd_config to wherever path you installed Authkeys to, and you’re off and authenticating in no time.

This was originally posted on the Threat Stack blog