Managing SSH Keys Stored in Active Directory

In a [[|previous blog post]] we discussed how to let users store their SSH public keys in Active Directory and have those keys deployed automatically. Now we will look at how to let users manage the keys stored in this manner.

First, we need to allow users to update their own `sshPublicKeys` attribute.

Allowing self-write to sshPublicKeys

First off, open ADUC (Active Directory Users and Computers), right-click the top-level OU for your company, then select "Delegate Control…".

When presented with the wizard, immediately hit Next. On the next page, select the “Add” button under the User / Group selection. Input ‘SELF’ then ‘Check Names’.

On the next page, select the option to delegate a custom task.

Next, we'll delegate this permission to User objects only ("Only the following objects in the folder", with User objects ticked). The wizard writes the resulting ACE as inheritable to descendant User objects, so a user can touch only their own account, not other object types under the OU.

Under permissions, select "Property-specific", then both Read and Write for `sshPublicKeys`.

On the last page, verify your settings and complete the wizard.
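The same delegation in PowerShell, as an added example that is not code from the original post. It is handy when you need to repeat the step for several OUs, and it ends with the check a practitioner would want: reading the ACL back to confirm exactly one SELF entry scoped to the attribute. It assumes the RSAT ActiveDirectory module, a schema that already contains `sshPublicKeys` (from the previous post), and a placeholder OU distinguished name in `$ouDN`.

```powershell
# Added example (not from the original post): grant NT AUTHORITY\SELF
# ReadProperty/WriteProperty on sshPublicKeys for user objects under an OU,
# the ACE the Delegation of Control wizard creates. Assumes the RSAT
# ActiveDirectory module and a schema that already has the attribute.
Import-Module ActiveDirectory

$ouDN     = 'OU=Company,DC=example,DC=com'   # assumption: your top-level OU
$attrName = 'sshPublicKeys'

# Look the attribute's schemaIDGUID up instead of hard-coding it: a custom
# attribute carries whatever GUID was chosen when the schema was extended.
$rootDSE = Get-ADRootDSE
$attr = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))" `
    -Properties schemaIDGUID
if (-not $attr) { throw "Attribute '$attrName' is not in the schema" }
$attrGuid = [guid]::new([byte[]]$attr.schemaIDGUID)

# Well-known schemaIDGUID of the 'user' class: the ACE is inherited only
# onto user objects, matching "User objects only" in the wizard.
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# NT AUTHORITY\SELF (S-1-5-10) is evaluated as "the object being accessed",
# so every user gets the right on their own account and nobody else's.
$self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'

# Arguments: trustee, rights, allow/deny, property GUID, inheritance,
# and the object class the inherited ACE applies to.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $self,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check what was written: only the SELF entries scoped to our attribute GUID.
# InheritedObjectType should show the user class GUID and nothing broader.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

Run it once per OU as an account that may change the OU's ACL. One caveat worth keeping in mind with any self-writable attribute that feeds `authorized_keys`: anything running as the user, including malware or a stolen session, can register a persistent SSH credential without touching the user's password. If you audit object changes on the OU, the resulting Directory Service event 5136 ("A directory service object was modified") is the record to watch for writes to this attribute.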

Now head over to our Github and [[|download our management scripts]]. These scripts let your end users manage their SSH keys from either *NIX based systems or Windows. Their usage is fairly simple:

OS X & Linux

1. Install `python-ldap`, which the script requires:
pip install python-ldap

2. Run the script and enter your login info, keeping in mind that your username should be your userPrincipalName ($
Config items you are asked for are stored in ~/.ssh-keyman. They can be cleared later with the --clear switch.
$ python

LDAP Server URI – The AD Server IP or FQDN
BASE DN – The top level OU where your user is located
SSH Key Attribute Name – The name of the attribute that holds your SSH keys in AD


Windows

This script requires an Administrator PowerShell prompt to execute. Please note that it runs as whatever user you are logged in as.

1. Run the script
and provide the SSH Key Attribute Name, SSH Host and the key to be added.
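What the Windows side of such a script boils down to, as an added example that is not the post's own management script: a user adds or removes a line in their own `sshPublicKeys` attribute, which the SELF delegation above permits, and the key is sanity-checked before it is written so a mangled paste cannot end up in `authorized_keys`. It assumes the RSAT ActiveDirectory module and that the attribute name is `sshPublicKeys` (passed as a parameter in case yours differs).

```powershell
# Added example (not from the original post's scripts): self-service add and
# remove of an OpenSSH public key line in the caller's own sshPublicKeys
# attribute. Run as the user who owns the keys; relies on the SELF delegation.
Import-Module ActiveDirectory

function Test-OpenSshPublicKey {
    param([Parameter(Mandatory)][string]$KeyLine)
    # An authorized_keys line is "<type> <base64 blob> [comment]". The blob
    # begins with a 4-byte big-endian length followed by the type string, so a
    # valid line has the same type outside and inside the blob. Anything else
    # (truncated paste, wrong base64, a private key) is rejected.
    $parts = $KeyLine.Trim() -split '\s+', 3
    if ($parts.Count -lt 2) { return $false }
    try { $blob = [Convert]::FromBase64String($parts[1]) } catch { return $false }
    if ($blob.Length -lt 4) { return $false }
    $len = ([int]$blob[0] -shl 24) -bor ([int]$blob[1] -shl 16) -bor ([int]$blob[2] -shl 8) -bor [int]$blob[3]
    if ($len -le 0 -or $len -gt ($blob.Length - 4)) { return $false }
    $embedded = [System.Text.Encoding]::ASCII.GetString($blob, 4, $len)
    return ($embedded -eq $parts[0])
}

function Add-MySshKey {
    param([Parameter(Mandatory)][string]$KeyLine, [string]$Attribute = 'sshPublicKeys')
    if (-not (Test-OpenSshPublicKey $KeyLine)) { throw 'Not a valid OpenSSH public key line' }
    $me = Get-ADUser -Identity $env:USERNAME -Properties $Attribute
    # Multi-valued attribute: an exact duplicate would be rejected by AD, so
    # check first and report rather than fail.
    if (@($me.$Attribute) -contains $KeyLine.Trim()) { Write-Warning 'Key already present'; return }
    Set-ADUser -Identity $me -Add @{ $Attribute = $KeyLine.Trim() }
}

function Remove-MySshKey {
    param([Parameter(Mandatory)][string]$KeyLine, [string]$Attribute = 'sshPublicKeys')
    # The value must match the stored line exactly, comment included.
    Set-ADUser -Identity $env:USERNAME -Remove @{ $Attribute = $KeyLine.Trim() }
}

function Get-MySshKeys {
    param([string]$Attribute = 'sshPublicKeys')
    @((Get-ADUser -Identity $env:USERNAME -Properties $Attribute).$Attribute)
}

# Usage:
#   Add-MySshKey (Get-Content "$HOME\.ssh\id_ed25519.pub" -Raw)
#   Get-MySshKeys            # confirm what AD now holds for you
#   Remove-MySshKey '<the exact line shown by Get-MySshKeys>'
```

Because a user can write only to their own object, running `Add-MySshKey` while logged in as someone else fails with an access-denied error rather than silently writing to the wrong account, which is the behaviour you want from the delegation. Note that the check is structural only: it confirms the line parses as an OpenSSH public key, not that the key is strong or that the user actually holds the matching private key.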

That’s it! Your users should now have everything they need to manage their SSH keys!

3 responses to “Managing SSH Keys Stored in Active Directory”

  1. Jens

    Nice little series on SSH Keys in AD!
    One question though – how would you go about ensuring that your users are rotating their keys every "X" months (let's say every 12 months)?

    1. Dave Lasley

      That’s a bit more tricky, and something we’re working at solving. It’s likely going to have to be an audit mechanism paired with a change date, but this is less than ideal because it would require an auditing service that is either always on or scheduled to run. We’ll be sure to update when we have something, and feel free to toss ideas out if you have them ;)

  2. Sree

    First of all, great contribution.

    Did you come up with any solution to enforce key rotation?
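One way to build the audit the reply above describes, added here as an example that is not from the post or from either commenter: Active Directory already records when each attribute last changed in its replication metadata, so a scheduled job can report users whose `sshPublicKeys` has not been touched within the rotation window without adding a separate "last rotated" attribute. It assumes the RSAT ActiveDirectory module, a domain controller running Windows Server 2012 or later, and a placeholder OU distinguished name.

```powershell
# Added example (not from the post or its comments): report users whose
# sshPublicKeys attribute has not changed in more than $MaxAgeDays, using the
# attribute's replication metadata as the change date. Assumes RSAT
# ActiveDirectory and a DC on Windows Server 2012+; $SearchBase is a placeholder.
Import-Module ActiveDirectory

function Get-StaleSshKeyUsers {
    param(
        [string]$SearchBase = 'OU=Company,DC=example,DC=com',   # assumption
        [string]$Attribute  = 'sshPublicKeys',
        [int]$MaxAgeDays    = 365
    )
    # Metadata must be read from a specific DC; any writable DC will do.
    $dc     = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
    $now    = Get-Date
    $cutoff = $now.AddDays(-$MaxAgeDays)

    # Only users who actually hold keys are in scope for rotation.
    Get-ADUser -SearchBase $SearchBase -LDAPFilter "($Attribute=*)" -Properties $Attribute |
        ForEach-Object {
            $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName `
                        -Server $dc -Properties $Attribute
            # sshPublicKeys is multi-valued but not a linked attribute, so AD keeps
            # one metadata entry for the whole attribute: any add or remove resets
            # the clock for every key the user holds, not just the one changed.
            $changed = $meta.LastOriginatingChangeTime
            if ($changed -lt $cutoff) {
                [pscustomobject]@{
                    User        = $_.SamAccountName
                    KeyCount    = @($_.$Attribute).Count
                    LastChanged = $changed
                    AgeDays     = [int]($now - $changed).TotalDays
                }
            }
        }
}

# Usage (e.g. from a scheduled task that mails or tickets the result):
Get-StaleSshKeyUsers -MaxAgeDays 365 | Sort-Object AgeDays -Descending | Format-Table
```

This is the "scheduled to run" shape rather than an always-on service: one run per day or week is enough for a 12-month window. The per-key blind spot noted in the comments applies, since a user who adds a new key while keeping an old one will look freshly rotated; enforcing per-key age would need either one value per key with its own date, or a policy that the old key is removed as part of rotation.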
