Public key authentication has long been considered one of the most secure methods of remote SSH authentication. However, using the same key pair for more than one machine can pose security risks, especially if that key is not secured by a passphrase, while managing unique keys for each system a user has access to can be nightmare inducing. For this reason, we have leveraged Active Directory as our SSH public key store. For the purpose of this article, you should already have your Linux machines pulling user data from Active Directory, you should be running Windows Server 2012 R2, and you should have access to your domain Administrator user.

Extending the Active Directory Schema

1. Our first task is to extend the schema. First, launch a command prompt, then spawn an Administrator command prompt by running:
runas /user:DOMAIN\Administrator cmd


2. Now run regedit in that prompt

3. In the Registry Editor, we need to enable Schema updates.
I. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
II. Add a new DWORD value named Schema Update Allowed with data 1


4. Back in your Administrator command prompt, run regsvr32 schmmgmt.dll to register the Schema Editor snap-in.


5. Run mmc from the aforementioned Admin cmd
6. Hit Ctrl + M in the Management Console and add the Schema Editor


Now let's add the new attribute:

I. Right Click on Attributes and click ‘Create New Attribute’
II. For ‘Common Name’ and ‘LDAP Display Name’, enter sshPublicKeys
III. For ‘Unique X500 Object ID’ enter
IV. For Syntax, select IA5-String
V. Check the ‘Multi-Valued’ box
VI. Minimum and Maximum can be left blank

We can now create a new class for the attribute:

I. Right click on Classes and click ‘Create class’
II. For ‘Common Name’ and ‘LDAP Display Name’, enter ldapPublicKey.
III. For ‘Unique X500 Object ID’ enter
IV. For Parent Class enter ‘top’ and for Class Type select ‘Auxiliary’.


Click next.

I. Under ‘Optional’, add sshPublicKeys


We can now associate that class to user objects.

I. Expand Classes and right click User then select properties.
II. Click on the Relationship tab then click Add Class under Auxiliary class
III. Add ldapPublicKey and click ‘Apply’


Close all windows.

Now, open ADUC (dsa.msc) and enable Advanced Features.


Once complete, browse to a user and select the ‘Attribute Editor’ tab. You will now be able to add public keys to this user.


From here, you should create a script to automatically pull public keys from AD for a given box and schedule it via Cron. Please remember to disable your domain Administrator account when you’re done!
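As an added example (not the article's own script), here is a cron-able sync that pulls the sshPublicKeys values for the users allowed on a box and rewrites their authorized_keys from them. The LDAP URI, bind account, base DN, password file and the local ssh-users group are assumptions, and the LDIF in demo_keys is constructed rather than real AD output.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: pull each allowed user's
# sshPublicKeys values out of AD and rewrite authorized_keys from them. The LDAP
# URI, bind DN, base DN, password file and the ssh-users group are placeholders.
set -eu
LDAP_URI="${LDAP_URI:-ldaps://dc01.example.internal}"
BIND_DN="${BIND_DN:-CN=svc-sshkeys,OU=Service,DC=example,DC=internal}"  # read-only account
BASE_DN="${BASE_DN:-DC=example,DC=internal}"
PW_FILE="${PW_FILE:-/etc/sshkeys.pw}"   # root-owned, mode 0600

fetch_ldif() {  # query AD for one sAMAccountName; LDIF on stdout
  ldapsearch -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" -b "$BASE_DN" \
    "(&(objectClass=user)(sAMAccountName=$1))" sshPublicKeys
}
# LDIF on stdin -> one key per line. Two LDIF rules break a naive grep: values
# over 76 columns are folded onto continuation lines starting with a space, and
# values with unsafe bytes (e.g. a trailing blank) arrive base64 encoded ("::").
ldif_keys() {
  sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' |
  while IFS= read -r line; do
    case "$line" in
      "sshPublicKeys:: "*) printf '%s\n' "${line#sshPublicKeys:: }" | base64 -d; echo ;;
      "sshPublicKeys: "*)  printf '%s\n' "${line#sshPublicKeys: }" ;;
    esac
  done
}
# Keep only well-formed keys (known type, base64 blob, optional comment);
# blank values, option prefixes and stray text never reach authorized_keys.
valid_keys() {
  sed 's/[[:space:]]*$//' |
  grep -E '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ]+)?$' || true
}
install_keys() {  # $1 = user, $2 = authorized_keys path; replaced atomically
  local tmp; tmp=$(mktemp "$(dirname "$2")/.ak.XXXXXX")
  cat > "$tmp" && chmod 600 "$tmp" && chown "$1" "$tmp" && mv "$tmp" "$2"
}
sync_box() {  # run from root's cron; local group ssh-users lists allowed users
  local u home
  for u in $(getent group ssh-users | cut -d: -f4 | tr , ' '); do
    home=$(getent passwd "$u" | cut -d: -f6); mkdir -p "$home/.ssh"
    fetch_ldif "$u" | ldif_keys | valid_keys | install_keys "$u" "$home/.ssh/authorized_keys"
  done
}
demo_keys() {  # constructed LDIF, not real AD output: folded key, base64 key, junk
  local b64; b64=$(printf '%s' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB bob@desk ' | base64 | tr -d '\n')
  printf 'dn: CN=bob,DC=example,DC=internal\nsshPublicKeys: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI\n Gx bob@laptop\nsshPublicKeys:: %s\nsshPublicKeys: not a key\n' "$b64" |
  ldif_keys | valid_keys
}
```

Schedule sync_box from root's crontab; demo_keys only exercises the parsing and filtering on the constructed sample.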

Good luck!