SSH key authentication for LDAP login
To be upfront about the concept of password login: I believe it has been one of the worst inventions in technology, and we are sort of stuck with it for a long time. On the other hand, we have also been unleashing the power of ssh key authentication for login on most remote system access these days, including Windows. That's why I have always chosen key authentication over passwords for remote access login.
Due to the domination of Windows Active Directory for identity management in our industry, we are still relying heavily on its password authentication, even for Linux with LDAP integration. Sometimes it feels bizarre to type in your LDAP username and password for a Linux ssh remote session. Well, I am not a big fan of that at all. Fortunately, I have found a way to use an ssh key for LDAP login, specifically for Linux. In this article, I will walk you through how it can be done in a few very simple steps.
Prerequisites
Windows Server 2022 Active Directory
IP Address: 192.168.100.100/24
Domain Name: home.lab
Domain Admins privilege
RockyLinux 8 as the Linux client for LDAP integration
IP Address: 192.168.100.205/24
Internet connectivity to download required software such as realmd, sssd, krb5-workstation, samba-common-tools and krb5-libs
Sudo privilege
Steps
Configuration on Windows Server 2022 Active Directory
Log in to the Windows AD server and run the following PowerShell commands.
Create a Windows AD group called "ssh".
New-ADGroup -Name "ssh" `
-SamAccountName "ssh" `
-GroupScope Global `
-Path "CN=Users,DC=home,DC=lab"
Create a Windows AD user called "user1" with its ssh public key stored in the altSecurityIdentities attribute.
New-ADUser -Name "user1" `
-GivenName "User" `
-Surname "One" `
-SamAccountName "user1" `
-UserPrincipalName "user1@home.lab" `
-Path "CN=Users,DC=home,DC=lab" `
-AccountPassword $(ConvertTo-SecureString -String "Change-Me-Right8-Away" -AsPlainText -Force) `
-Enabled $true `
-PassThru | Set-ADUser -Replace @{altSecurityIdentities = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0q/16qgSIBQwSDcXAIX/MWCLXyvxJMvRiAKcpvOxTs user1"}
Add user1 to the ssh and Domain Admins groups to allow ssh login with sudo privilege.
$u="user1"; @("ssh","Domain Admins") | % { Add-ADGroupMember -Identity $_ -Members $u }
That's all on the Windows AD server side.
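The value written into altSecurityIdentities is the only thing sss_ssh_authorizedkeys has to offer sshd, and it hands sshd only entries it can parse as OpenSSH public keys. A truncated or mis-pasted key therefore does not produce an error on the AD side; publickey authentication simply fails and sshd falls through to the password prompt. The script below is an added example, not part of the article, that checks the shape of the one-line key before it is pasted into the New-ADUser command. It assumes only a POSIX shell; the sample key is the one from the article, and the two bad inputs are constructed. Where OpenSSH is installed, "ssh-keygen -l -f <file>" does a full parse of the same line.

```shell
#!/bin/sh
# Added example (not part of the article): structural check of the one-line
# OpenSSH public key before it is written into an AD account's
# altSecurityIdentities attribute. Needs only a POSIX shell.

# check_pubkey_line "<type> <base64-blob> [comment]"
# Returns 0 when the line has the shape sss_ssh_authorizedkeys can hand to
# sshd, 1 otherwise with the reason on stderr.
check_pubkey_line() {
    set -f                      # no globbing while the line is split
    set -- $1                   # $1=type $2=blob $3...=comment
    set +f
    ktype=$1
    blob=$2

    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported or unknown key type: '$ktype'" >&2; return 1 ;;
    esac

    [ -n "$blob" ] || { echo "missing base64 key blob" >&2; return 1; }
    case "$blob" in
        *[!A-Za-z0-9+/=]*) echo "blob contains characters outside the base64 alphabet" >&2; return 1 ;;
    esac
    [ $(( ${#blob} % 4 )) -eq 0 ] || { echo "blob length ${#blob} is not a multiple of 4" >&2; return 1; }

    # Every OpenSSH blob begins with a length-prefixed copy of its own type
    # string, which base64-encodes to a fixed prefix. Checking it also catches
    # a type word that was pasted together with the wrong blob.
    case "$ktype:$blob" in
        ssh-ed25519:AAAAC3NzaC1lZDI1NTE5AAAAI*)
            # ed25519 blobs are always 51 bytes, i.e. exactly 68 base64 characters
            [ ${#blob} -eq 68 ] || { echo "ssh-ed25519 blob should be 68 characters, got ${#blob}" >&2; return 1; } ;;
        ssh-rsa:AAAAB3NzaC1yc2E*) ;;
        ssh-ed25519:*|ssh-rsa:*)
            echo "blob header does not match key type $ktype" >&2; return 1 ;;
        *) ;;                   # ecdsa types: only the generic checks above
    esac
    return 0
}

# The key line from the article's New-ADUser command, used here as sample input
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0q/16qgSIBQwSDcXAIX/MWCLXyvxJMvRiAKcpvOxTs user1'
# Constructed bad inputs: a truncated paste, and a type word that does not match the blob
TRUNCATED_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0q/16qgSIBQwSDcXAI user1'
MISMATCHED_KEY='ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAIA0q/16qgSIBQwSDcXAIX/MWCLXyvxJMvRiAKcpvOxTs user1'

for k in "$SAMPLE_KEY" "$TRUNCATED_KEY" "$MISMATCHED_KEY"; do
    if check_pubkey_line "$k"; then
        echo "OK:   $k"
    else
        echo "FAIL: $k"
    fi
done
```

Run it with the key line you are about to paste as the single argument to check_pubkey_line; the check is structural only and does not verify the key cryptographically.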
Configuration on RockyLinux 8
Install the required software with the DNF package manager.
[tyla@rocky8 ~]$ sudo dnf -y install realmd sssd krb5-workstation samba-common-tools krb5-libs
Last metadata expiration check: 0:39:10 ago on Thu 22 May 2025 07:59:51 AEST.
Package realmd-0.17.1-2.el8.x86_64 is already installed.
Package sssd-2.9.4-5.el8_10.1.x86_64 is already installed.
Package krb5-libs-1.18.2-31.el8_10.x86_64 is already installed.
Dependencies resolved.
==============================================================================================================================================================================================================
Package Architecture Version Repository Size
==============================================================================================================================================================================================================
Installing:
krb5-workstation x86_64 1.18.2-31.el8_10 baseos 958 k
samba-common-tools x86_64 4.19.4-7.el8_10 baseos 541 k
Installing dependencies:
libkadm5 x86_64 1.18.2-31.el8_10 baseos 188 k
libnetapi x86_64 4.19.4-7.el8_10 baseos 217 k
samba-ldb-ldap-modules x86_64 4.19.4-7.el8_10 baseos 112 k
samba-libs x86_64 4.19.4-7.el8_10 baseos 203 k
Transaction Summary
==============================================================================================================================================================================================================
Install 6 Packages
Total download size: 2.2 M
Installed size: 5.7 M
Downloading Packages:
(1/6): libnetapi-4.19.4-7.el8_10.x86_64.rpm 507 kB/s | 217 kB 00:00
(2/6): krb5-workstation-1.18.2-31.el8_10.x86_64.rpm 1.2 MB/s | 958 kB 00:00
(3/6): libkadm5-1.18.2-31.el8_10.x86_64.rpm 225 kB/s | 188 kB 00:00
(4/6): samba-common-tools-4.19.4-7.el8_10.x86_64.rpm 843 kB/s | 541 kB 00:00
(5/6): samba-ldb-ldap-modules-4.19.4-7.el8_10.x86_64.rpm 159 kB/s | 112 kB 00:00
(6/6): samba-libs-4.19.4-7.el8_10.x86_64.rpm 157 kB/s | 203 kB 00:01
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 815 kB/s | 2.2 MB 00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : samba-libs-4.19.4-7.el8_10.x86_64 1/6
Installing : samba-ldb-ldap-modules-4.19.4-7.el8_10.x86_64 2/6
Installing : libnetapi-4.19.4-7.el8_10.x86_64 3/6
Installing : libkadm5-1.18.2-31.el8_10.x86_64 4/6
Installing : krb5-workstation-1.18.2-31.el8_10.x86_64 5/6
Installing : samba-common-tools-4.19.4-7.el8_10.x86_64 6/6
Running scriptlet: samba-common-tools-4.19.4-7.el8_10.x86_64 6/6
Verifying : krb5-workstation-1.18.2-31.el8_10.x86_64 1/6
Verifying : libkadm5-1.18.2-31.el8_10.x86_64 2/6
Verifying : libnetapi-4.19.4-7.el8_10.x86_64 3/6
Verifying : samba-common-tools-4.19.4-7.el8_10.x86_64 4/6
Verifying : samba-ldb-ldap-modules-4.19.4-7.el8_10.x86_64 5/6
Verifying : samba-libs-4.19.4-7.el8_10.x86_64 6/6
Installed:
krb5-workstation-1.18.2-31.el8_10.x86_64 libkadm5-1.18.2-31.el8_10.x86_64 libnetapi-4.19.4-7.el8_10.x86_64 samba-common-tools-4.19.4-7.el8_10.x86_64 samba-ldb-ldap-modules-4.19.4-7.el8_10.x86_64
samba-libs-4.19.4-7.el8_10.x86_64
Complete!
Configure DNS to point to the Windows AD server in /etc/sysconfig/network-scripts/ifcfg-enp1s0.
TYPE=Ethernet
DEVICE=enp1s0
UUID=394d1e2d-6a64-4538-ab13-77bc017f27a2
ONBOOT=yes
IPADDR=192.168.100.205
NETMASK=255.255.255.0
GATEWAY=192.168.100.1
IPV6INIT=no
DNS1=192.168.100.100 # Windows AD Server IP Address
PROXY_METHOD=none
BROWSER_ONLY=no
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp1s0
Restart NetworkManager to apply the change.
[tyla@rocky8 ~]$ sudo systemctl restart NetworkManager
Verify that the Windows AD domain is discoverable.
[tyla@rocky8 ~]$ sudo realm discover home.lab
home.lab
type: kerberos
realm-name: HOME.LAB
domain-name: home.lab
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
Join the node to the Windows AD domain home.lab.
[tyla@rocky8 ~]$ sudo realm join --verbose HOME.LAB -U administrator
* Resolving: _ldap._tcp.home.lab
* Performing LDAP DSE lookup on: 192.168.100.100
* Successfully discovered: home.lab
Password for administrator@HOME.LAB:
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
* LANG=C /usr/sbin/adcli join --verbose --domain home.lab --domain-realm HOME.LAB --domain-controller 192.168.100.100 --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-ECBZ62
* Using domain name: home.lab
* Calculated computer account name from fqdn: ROCKY8
* Using domain realm: home.lab
* Sending NetLogon ping to domain controller: 192.168.100.100
* Received NetLogon info from: win2k22.home.lab
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-8a6VuS/krb5.d/adcli-krb5-conf-Mo87SK
* Using GSS-SPNEGO for SASL bind
* Looked up short domain name: HOME
* Looked up domain SID: S-1-5-21-1903661991-4098553732-3226728262
* Received NetLogon info from: win2k22.home.lab
* Using fully qualified name: rocky8.home.lab
* Using domain name: home.lab
* Using computer account name: ROCKY8
* Using domain realm: home.lab
* Calculated computer account name from fqdn: ROCKY8
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* A computer account for ROCKY8$ does not exist
* Found well known computer container at: CN=Computers,DC=home,DC=lab
* Calculated computer account: CN=ROCKY8,CN=Computers,DC=home,DC=lab
* Encryption type [16] not permitted.
* Encryption type [23] not permitted.
* Encryption type [3] not permitted.
* Encryption type [1] not permitted.
* Created computer account: CN=ROCKY8,CN=Computers,DC=home,DC=lab
* Trying to set computer password with Kerberos
* Set computer password
* Retrieved kvno '2' for computer account in directory: CN=ROCKY8,CN=Computers,DC=home,DC=lab
* Checking RestrictedKrbHost/rocky8.home.lab
* Added RestrictedKrbHost/rocky8.home.lab
* Checking RestrictedKrbHost/ROCKY8
* Added RestrictedKrbHost/ROCKY8
* Checking host/rocky8.home.lab
* Added host/rocky8.home.lab
* Checking host/ROCKY8
* Added host/ROCKY8
* Discovered which keytab salt to use
* Added the entries to the keytab: ROCKY8$@HOME.LAB: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/ROCKY8@HOME.LAB: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/rocky8.home.lab@HOME.LAB: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/ROCKY8@HOME.LAB: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/rocky8.home.lab@HOME.LAB: FILE:/etc/krb5.keytab
* /usr/bin/systemctl enable sssd.service
* /usr/bin/systemctl restart sssd.service
* /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Backup stored at /var/lib/authselect/backups/2025-05-21-23-17-33.m0v4Lg
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
is present and oddjobd service is enabled and active
- systemctl enable --now oddjobd.service
Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
* Successfully enrolled machine in realm
Update /etc/ssh/sshd_config to allow ssh key authentication for LDAP users.
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
Restart the sshd daemon to apply the change.
[tyla@rocky8 ~]$ sudo systemctl restart sshd
Configure /etc/sssd/sssd.conf so that the ssh public key is served from the LDAP attribute.
[sssd]
domains = home.lab
config_file_version = 2
# Add ssh here to allow ssh login with a domain account.
# Keep comments on their own lines: sssd does not accept a trailing comment on a value line.
services = nss, pam, ssh
[domain/home.lab]
ad_domain = home.lab
krb5_realm = HOME.LAB
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# Change True to False to log in without the fully qualified name
use_fully_qualified_names = False
# Change this for the home directory format
fallback_homedir = /home/%u
access_provider = ad
# AD group filter: only members of the ssh group may log in
ad_access_filter = (memberOf=CN=ssh,CN=Users,DC=home,DC=lab)
# Read each AD account's ssh public key from its altSecurityIdentities attribute
ldap_user_extra_attrs = altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
Restart the sssd daemon to apply the change.
[tyla@rocky8 ~]$ sudo systemctl restart sssd
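Before the first login attempt it is worth linting the two files edited above, /etc/ssh/sshd_config and /etc/sssd/sssd.conf, because a mistake in either one does not produce a visible error at login time: sshd just gets no key back and prompts for a password. The script below is an added example and not part of the article. It assumes only a POSIX shell with grep, sed and awk, and it works on constructed copies of both files so it runs anywhere; on a real host point the two functions at the real paths. The sssd.conf check looks for a trailing "# comment" on a value line, since SSSD's ini parser takes everything after the "=" as the value rather than treating a mid-line "#" as a comment.

```shell
#!/bin/sh
# Added example (not from the article): lint the sshd_config and sssd.conf
# settings the article relies on. Sample file contents are constructed for
# this example; on a real host pass /etc/ssh/sshd_config and /etc/sssd/sssd.conf.

# Value of the first uncommented occurrence of an sshd_config keyword
# (sshd itself honours the first occurrence of each keyword).
sshd_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# 0 if sshd asks SSSD for keys and runs the helper as an unprivileged user.
lint_sshd_config() {
    cmd=$(sshd_value "$1" AuthorizedKeysCommand)
    usr=$(sshd_value "$1" AuthorizedKeysCommandUser)
    case "$cmd" in
        */sss_ssh_authorizedkeys) ;;
        "") echo "$1: AuthorizedKeysCommand is not set" >&2; return 1 ;;
        *)  echo "$1: AuthorizedKeysCommand points at $cmd, not sss_ssh_authorizedkeys" >&2; return 1 ;;
    esac
    case "$usr" in
        "")   echo "$1: AuthorizedKeysCommandUser is required when AuthorizedKeysCommand is set" >&2; return 1 ;;
        root) echo "$1: AuthorizedKeysCommandUser should be an unprivileged account, not root" >&2; return 1 ;;
    esac
    return 0
}

# 0 if sssd.conf can serve keys: no inline comments on value lines, ssh
# listed under services, and the attribute holding the public key named.
lint_sssd_conf() {
    f=$1
    bad=$(grep -nE '^[[:space:]]*[A-Za-z0-9_]+[[:space:]]*=[^#]*#' "$f")
    if [ -n "$bad" ]; then
        printf '%s: inline comment on a value line (move it to its own line):\n%s\n' "$f" "$bad" >&2
        return 1
    fi
    services=$(grep -E '^[[:space:]]*services[[:space:]]*=' "$f" | head -n 1 | sed 's/^[^=]*=//; s/,/ /g')
    found=0
    for s in $services; do [ "$s" = ssh ] && found=1; done
    if [ "$found" -ne 1 ]; then
        echo "$f: 'ssh' is missing from the services list" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*ldap_user_ssh_public_key[[:space:]]*=[[:space:]]*[^[:space:]]' "$f"; then
        echo "$f: ldap_user_ssh_public_key is not set; sss_ssh_authorizedkeys has nothing to return" >&2
        return 1
    fi
    return 0
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sshd_config fragments: one as the article sets it, one running the helper as root.
GOOD_SSHD=$tmp/sshd_config.good
BAD_SSHD=$tmp/sshd_config.bad
cat > "$GOOD_SSHD" <<'EOF'
# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys   (commented-out copy is ignored)
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF
cat > "$BAD_SSHD" <<'EOF'
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
EOF

# Constructed sssd.conf fragments: comments on their own lines versus a trailing comment.
GOOD_SSSD=$tmp/sssd.conf.good
BAD_SSSD=$tmp/sssd.conf.bad
cat > "$GOOD_SSSD" <<'EOF'
[sssd]
domains = home.lab
# the ssh responder must be listed for sss_ssh_authorizedkeys to work
services = nss, pam, ssh
[domain/home.lab]
id_provider = ad
access_provider = ad
ad_access_filter = (memberOf=CN=ssh,CN=Users,DC=home,DC=lab)
ldap_user_ssh_public_key = altSecurityIdentities
EOF
cat > "$BAD_SSSD" <<'EOF'
[sssd]
domains = home.lab
services = nss, pam, ssh # trailing comment becomes part of the value
[domain/home.lab]
id_provider = ad
ldap_user_ssh_public_key = altSecurityIdentities
EOF

for f in "$GOOD_SSHD" "$BAD_SSHD"; do lint_sshd_config "$f" && echo "$f: ok"; done
for f in "$GOOD_SSSD" "$BAD_SSSD"; do lint_sssd_conf "$f" && echo "$f: ok"; done
```

On the real host, a quick end-to-end check after both lints pass is "sudo -u nobody /usr/bin/sss_ssh_authorizedkeys user1", which should print the key stored in the account's altSecurityIdentities attribute.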
It's also possible to grant sudo privilege without a password prompt to users who are members of both the Domain Admins and ssh groups by adding the following line to the /etc/sudoers file.
%home.lab\\Domain\ Admins ALL=(ALL) NOPASSWD: ALL
Now verify the user1 ssh login and sudo privilege on the RockyLinux 8 end.
tyla@laptop:~$ ssh user1@192.168.100.205
Activate the web console with: systemctl enable --now cockpit.socket
[user1@rocky8 ~]$ sudo -i
[root@rocky8 ~]#
That's all we have to configure on the RockyLinux 8 end for ssh key authentication to work with LDAP login.