SSH key authentication for LDAP login

To be upfront about the concept of password login, I believe that it has been one of the worst invention in technology innovation, and we are sort of stuck here with it for long time. On the other hand, we have also been unleashing the power of ssh key authentication for login on most of the remote system access these days including Windows. That's why I have been always choosing key authentication over password for remote access login.

Due to the domination of Windows Active Directory for identity management in our industry, we are still heavily relaying on its password authentication even for Linux with LDAP integration. Sometimes it feels so bizarre to type in your LDAP username and password for Linux ssh remote session. Well, I am not a big fan of that at all. Fortunately I have found a way to use ssh key for LDAP login specifically for Linux. In this article, I will walk you through how it can be done with very simple few steps.

Prerequisites

Windows Server 2022 Active Directory
- IP Address: 192.168.100.100/24
- Domain Name: home.lab
- Domain Admins privilege
RockyLinux 8 Linux as client for LDAP integration
- IP Address: 192.168.100.205/24
- Internet connectivity to download required software such as realmd, sssd, krb5-workstation, samba-common-tools and krb5-libs
- Sudo privilege

Steps

Configuration on Windows Server 2022 Active Directory

Login to Windows AD server and run the following PowerShell commands
Create Windows AD group called "ssh".

New-ADGroup -Name "ssh" `
            -SamAccountName "ssh" `
            -GroupScope Global `
            -Path "CN=Users,DC=home,DC=lab"

Create Windows AD user called "user1" with its ssh public key added to the altSecurityIdentities attribute.

New-ADUser -Name "user1" `
           -GivenName "User" `
           -Surname "One" `
           -SamAccountName "user1" `
           -UserPrincipalName "[email protected]" `
           -Path "CN=Users,DC=home,DC=lab" `
           -AccountPassword $(ConvertTo-SecureString -String "Change-Me-Right8-Away" -AsPlainText -Force) `
           -Enabled $true `
           -PassThru | Set-ADUser -Replace @{altSecurityIdentities = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0q/16qgSIBQwSDcXAIX/MWCLXyvxJMvRiAKcpvOxTs user1"}

Add the user1 to the groups, ssh and Domain Admins to allow ssh login with sudo privilege.

$u="user1"; @("ssh","Domain Admins") | % { Add-ADGroupMember -Identity $_ -Members $u }

That's it all on the Windows AD server side.

Configuration on RockyLinux 8

Install required software with DNF package manager

[tyla@rocky8 ~]$ sudo dnf -y install realmd sssd krb5-workstation samba-common-tools krb5-libs 
Last metadata expiration check: 0:39:10 ago on Thu 22 May 2025 07:59:51 AEST.
Package realmd-0.17.1-2.el8.x86_64 is already installed.
Package sssd-2.9.4-5.el8_10.1.x86_64 is already installed.
Package krb5-libs-1.18.2-31.el8_10.x86_64 is already installed.
Dependencies resolved.
==============================================================================================================================================================================================================
 Package                                                    Architecture                               Version                                               Repository                                  Size
==============================================================================================================================================================================================================
Installing:
 krb5-workstation                                           x86_64                                     1.18.2-31.el8_10                                      baseos                                     958 k
 samba-common-tools                                         x86_64                                     4.19.4-7.el8_10                                       baseos                                     541 k
Installing dependencies:
 libkadm5                                                   x86_64                                     1.18.2-31.el8_10                                      baseos                                     188 k
 libnetapi                                                  x86_64                                     4.19.4-7.el8_10                                       baseos                                     217 k
 samba-ldb-ldap-modules                                     x86_64                                     4.19.4-7.el8_10                                       baseos                                     112 k
 samba-libs                                                 x86_64                                     4.19.4-7.el8_10                                       baseos                                     203 k

Transaction Summary
==============================================================================================================================================================================================================
Install  6 Packages

Total download size: 2.2 M
Installed size: 5.7 M
Downloading Packages:
(1/6): libnetapi-4.19.4-7.el8_10.x86_64.rpm                                                                                                                                   507 kB/s | 217 kB     00:00    
(2/6): krb5-workstation-1.18.2-31.el8_10.x86_64.rpm                                                                                                                           1.2 MB/s | 958 kB     00:00    
(3/6): libkadm5-1.18.2-31.el8_10.x86_64.rpm                                                                                                                                   225 kB/s | 188 kB     00:00    
(4/6): samba-common-tools-4.19.4-7.el8_10.x86_64.rpm                                                                                                                          843 kB/s | 541 kB     00:00    
(5/6): samba-ldb-ldap-modules-4.19.4-7.el8_10.x86_64.rpm                                                                                                                      159 kB/s | 112 kB     00:00    
(6/6): samba-libs-4.19.4-7.el8_10.x86_64.rpm                                                                                                                                  157 kB/s | 203 kB     00:01    
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                         815 kB/s | 2.2 MB     00:02     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                      1/1 
  Installing       : samba-libs-4.19.4-7.el8_10.x86_64                                                                                                                                                    1/6 
  Installing       : samba-ldb-ldap-modules-4.19.4-7.el8_10.x86_64                                                                                                                                        2/6 
  Installing       : libnetapi-4.19.4-7.el8_10.x86_64                                                                                                                                                     3/6 
  Installing       : libkadm5-1.18.2-31.el8_10.x86_64                                                                                                                                                     4/6 
  Installing       : krb5-workstation-1.18.2-31.el8_10.x86_64                                                                                                                                             5/6 
  Installing       : samba-common-tools-4.19.4-7.el8_10.x86_64                                                                                                                                            6/6 
  Running scriptlet: samba-common-tools-4.19.4-7.el8_10.x86_64                                                                                                                                            6/6 
  Verifying        : krb5-workstation-1.18.2-31.el8_10.x86_64                                                                                                                                             1/6 
  Verifying        : libkadm5-1.18.2-31.el8_10.x86_64                                                                                                                                                     2/6 
  Verifying        : libnetapi-4.19.4-7.el8_10.x86_64                                                                                                                                                     3/6 
  Verifying        : samba-common-tools-4.19.4-7.el8_10.x86_64                                                                                                                                            4/6 
  Verifying        : samba-ldb-ldap-modules-4.19.4-7.el8_10.x86_64                                                                                                                                        5/6 
  Verifying        : samba-libs-4.19.4-7.el8_10.x86_64                                                                                                                                                    6/6 

Installed:
  krb5-workstation-1.18.2-31.el8_10.x86_64   libkadm5-1.18.2-31.el8_10.x86_64   libnetapi-4.19.4-7.el8_10.x86_64   samba-common-tools-4.19.4-7.el8_10.x86_64   samba-ldb-ldap-modules-4.19.4-7.el8_10.x86_64  
  samba-libs-4.19.4-7.el8_10.x86_64         

Complete!

Configure DNS pointing to the Windows AD server in /etc/sysconfig/network-scripts/ifcfg-enp1s0

TYPE=Ethernet
DEVICE=enp1s0
UUID=394d1e2d-6a64-4538-ab13-77bc017f27a2
ONBOOT=yes
IPADDR=192.168.100.205
NETMASK=255.255.255.0
GATEWAY=192.168.100.1
IPV6INIT=no
DNS1=192.168.100.100 # Windows AD Server IP Address
PROXY_METHOD=none
BROWSER_ONLY=no
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp1s0

Restart Network Manager to apply the change.

[tyla@rocky8 ~]$ sudo systemctl restart NetworkManager

Verify if the Windows AD domain is available.

[tyla@rocky8 ~]$ sudo realm discover home.lab
home.lab
  type: kerberos
  realm-name: HOME.LAB
  domain-name: home.lab
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools

Join the node to the Windows AD domain home.lab.

[tyla@rocky8 ~]$ sudo realm join --verbose HOME.LAB -U administrator
 * Resolving: _ldap._tcp.home.lab
 * Performing LDAP DSE lookup on: 192.168.100.100
 * Successfully discovered: home.lab
Password for [email protected]: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain home.lab --domain-realm HOME.LAB --domain-controller 192.168.100.100 --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-ECBZ62
 * Using domain name: home.lab
 * Calculated computer account name from fqdn: ROCKY8
 * Using domain realm: home.lab
 * Sending NetLogon ping to domain controller: 192.168.100.100
 * Received NetLogon info from: win2k22.home.lab
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-8a6VuS/krb5.d/adcli-krb5-conf-Mo87SK
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: HOME
 * Looked up domain SID: S-1-5-21-1903661991-4098553732-3226728262
 * Received NetLogon info from: win2k22.home.lab
 * Using fully qualified name: rocky8.home.lab
 * Using domain name: home.lab
 * Using computer account name: ROCKY8
 * Using domain realm: home.lab
 * Calculated computer account name from fqdn: ROCKY8
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * A computer account for ROCKY8$ does not exist
 * Found well known computer container at: CN=Computers,DC=home,DC=lab
 * Calculated computer account: CN=ROCKY8,CN=Computers,DC=home,DC=lab
 * Encryption type [16] not permitted.
 * Encryption type [23] not permitted.
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=ROCKY8,CN=Computers,DC=home,DC=lab
 * Trying to set computer password with Kerberos
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=ROCKY8,CN=Computers,DC=home,DC=lab
 * Checking RestrictedKrbHost/rocky8.home.lab
 *    Added RestrictedKrbHost/rocky8.home.lab
 * Checking RestrictedKrbHost/ROCKY8
 *    Added RestrictedKrbHost/ROCKY8
 * Checking host/rocky8.home.lab
 *    Added host/rocky8.home.lab
 * Checking host/ROCKY8
 *    Added host/ROCKY8
 * Discovered which keytab salt to use
 * Added the entries to the keytab: [email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/[email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/[email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/[email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/[email protected]: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Backup stored at /var/lib/authselect/backups/2025-05-21-23-17-33.m0v4Lg
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
 
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled and active
  - systemctl enable --now oddjobd.service

Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
 * Successfully enrolled machine in realm

Update /etc/ssh/sshd_config to allow ssh key authentication for LDAP users.

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

Restart the sshd daemon to apply the change.

[tyla@rocky8 ~]$ sudo systemctl restart sshd

Configure /etc/sssd/sssd.conf for ssh authentication for LDAP attributes.

[sssd]
domains = home.lab
config_file_version = 2
services = nss, pam, ssh # Add ssh here allow ssh login with domain account

[domain/home.lab]
ad_domain = home.lab
krb5_realm = HOME.LAB
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False # Change True to False not to use FQDN
fallback_homedir = /home/%u # Change it for home directory format
access_provider = ad
ad_access_filter = (memberOf=CN=ssh,CN=Users,DC=home,DC=lab) # AD group filter
# Add following parameters to ssh key input in each AD account's altSecurityIdentities
ldap_user_extra_attrs = altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities

Restart sssd daemon to apply the change

[tyla@rocky8 ~]$ sudo systemctl restart sssd

It's also possible to grant sudo privilege without password prompt if a user is the members of both Domain Admins and ssh groups by adding following line to /etc/sudoers file.

%home.lab\\Domain\ Admins       ALL=(ALL)       NOPASSWD: ALL

Now verify the user1 ssh login and sudo privilege on RockyLinux 8 end.

tyla@laptop:~$ ssh [email protected]
Activate the web console with: systemctl enable --now cockpit.socket

[user1@rocky8 ~]$ sudo -i
[root@rocky8 ~]#

That's all we have to configure on RockyLinux 8 end for ssh key authentication to work with LDAP login.

PreviousSSH certificate authentication NextUsing GPG to encrypt/decrypt files or messages

Last updated 7 months ago

Was this helpful?