In a [[https://blog.laslabs.com/2016/08/storing-ssh-keys-in-active-directory/|previous blog post]] we discussed how we can allow users to store their keys in Active Directory and automatically deploy those keys. Now, we will explore how we can allow users to manage SSH keys stored in this manner.
First, we need to allow users to update their own `sshPublicKeys` attribute.
Allowing self-write to sshPublicKeys
First off, open ADUC and right click the top level OU for your company, then select “Delegate Control…”.
When presented with the wizard, immediately hit Next. On the next page, select the “Add” button under the User / Group selection. Input ‘SELF’ then ‘Check Names’.
[[image:Managing_SSH_Keys_Step_1.png]]
On the next page, select the option to delegate a custom task.
[[image:Managing_SSH_Keys_Step_2.png]]
Next, we’ll delegate this permission to User objects only.
[[image:Managing_SSH_Keys_Step_3.png]]
Under permissions, we’ll select “Property Specific”, then both read and write for `sshPublicKeys`.
[[image:Managing_SSH_Keys_Step_4.png]]
On the last page, verify your settings and complete the wizard.
[[image:Managing_SSH_Keys_Step_5.png]]
Now, head over to our GitHub and [[https://github.com/LasLabs/active-directory-tools/tree/master/ssh-keyman|download our management scripts]]. These scripts are designed to allow your end users to manage their SSH keys on either *NIX-based systems or Windows. Their usage is fairly simple:
OS X & Linux
1. You will need to install `python-ldap` as that is a requirement
{{{
pip install python-ldap
}}}
2. Now run the script and enter your login info, keeping in mind that your username should be your userPrincipalName ($username@corp.example.com).
Config items you will be asked for will be stored in ~/.ssh-keyman. They can be cleared later on by using the `--clear` switch.
{{{
$ python ssh-keyman.py
}}}
{{{
LDAP Server URI – The AD Server IP or FQDN
BASE DN – The top level OU where your user is located
SSH Key Attribute Name – The name of the attribute that holds your SSH keys in AD
}}}
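As an added example (not the LasLabs ssh-keyman script itself), the following Python sketches what a self-service key manager does on top of the delegation above: it validates an OpenSSH public key line before binding as the user with python-ldap and appending it to that user's own `sshPublicKeys`. The server URI, base DN, UPN and password are caller-supplied placeholders, and the sample key is constructed filler, not real key material.

```python
import base64, struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MOD_ADD = 0  # equals ldap.MOD_ADD; a literal so the pure helpers can be tested without an LDAP server

def parse_pubkey(line):
    """Return (type, blob, comment) for a valid authorized_keys-style line, else raise ValueError.
    Only the key types in ALLOWED_TYPES are accepted before anything is written to AD."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        raise ValueError("expected '<allowed key type> <base64> [comment]'")
    ktype, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except Exception:
        raise ValueError("key material is not valid base64")
    # The wire-format blob begins with a length-prefixed copy of the type string; they must agree.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != ktype.encode("ascii"):
        raise ValueError("key type does not match the encoded blob")
    return ktype, blob, comment

def is_valid_pubkey(line):
    try:
        return bool(parse_pubkey(line))
    except ValueError:
        return False

def build_modlist(key_line, existing):
    """python-ldap modlist that appends key_line to sshPublicKeys; empty if the key is already present."""
    ktype, blob, comment = parse_pubkey(key_line)
    canonical = " ".join(p for p in (ktype, base64.b64encode(blob).decode("ascii"), comment) if p)
    current = {k.decode("utf-8") if isinstance(k, bytes) else k for k in existing}  # AD returns bytes
    return [] if canonical in current else [(MOD_ADD, "sshPublicKeys", [canonical.encode("utf-8")])]

def add_own_key(uri, base_dn, upn, password, key_line):
    """Bind as the user (UPN form) and append key_line to their own entry; relies on the SELF delegation."""
    import ldap, ldap.filter
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD hands back referrals that a plain search would chase
    conn.simple_bind_s(upn, password)
    flt = "(userPrincipalName=%s)" % ldap.filter.escape_filter_chars(upn)
    dn, attrs = next(e for e in conn.search_s(base_dn, ldap.SCOPE_SUBTREE, flt, ["sshPublicKeys"]) if e[0])
    modlist = build_modlist(key_line, attrs.get("sshPublicKeys", []))
    if modlist:
        conn.modify_s(dn, modlist)
    conn.unbind_s()
    return bool(modlist)

def sample_key(comment="constructed@example"):
    # Constructed, not a real key: a well-formed ed25519 blob whose 32 key bytes are filler.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + b"\x42" * 32
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode("ascii"), comment)
```

Because the delegation lets every user write to their own attribute, the format check is the one place a malformed or mistyped entry can be stopped before sshd ever sees it.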
Windows
This script requires an Administrator PowerShell prompt to execute. Please note
that it will run under whatever user you are logged in as.
1. Run the script
{{{
.\ssh-keyman.ps1
}}}
and provide the SSH Key Attribute Name, SSH Host and key to be added.
That’s it! Your users should now have everything they need to manage their SSH keys!