# SSH + LDAP + Public key authentication - can it be done?



## dvdmandt (Feb 16, 2011)

Is it possible to use public key authentication together with ldap accounts?

I've set up LDAP authentication for SSH, so that all accounts are in LDAP. This is done pretty much the way described in the handbook. That means sshd uses pam and pam_ldap to authenticate people. This works great, so there's no problem with the ldap config.

I figured I should be able to do something like this

`$ ssh-keygen`
`$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys`
`$ ssh localhost`

And not have to use my password. But it still asks for my password. This got me thinking... Is what I want even possible? If the userdata is stored in ldap, such as the homedir (which you need to find the authorized_keys), you may need to bind to find the homedir, but to bind, you need the password...? Can I get around this somehow?


----------



## SirDice (Feb 16, 2011)

dvdmandt said:

> I figured I should be able to do something like this
> 
> `$ ssh-keygen`
> `$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys`
> ...


Did you set a password on the key? If so, it's that password that's being asked, not the account's password.


----------



## AndyUKG (Feb 16, 2011)

If I were you I'd turn on debug logging in /etc/ssh/sshd_config; that should tell you why the public key authentication isn't working. It could be as simple as directory permissions...

Thanks Andy.

PS debug info will be logged to /var/log/auth.log


----------



## Business_Woman (Feb 16, 2011)

Try running *sshd* with the *-d* flag set.


----------



## gordon@ (Feb 17, 2011)

As insinuated here, there are a couple of things to check. First of all, sshd doesn't know anything about LDAP specifically; it's just using the library calls for getting user information. If you are using nss_ldap for directory services, a good way to check it is with the id(1) tool:
`% id -P`

This should give you a line that looks like it belongs in /etc/passwd.

Then you need to check your directory permissions: check that you do not have group- or world-writable permissions on $HOME, $HOME/.ssh or $HOME/.ssh/authorized_keys. Otherwise sshd will helpfully not authenticate you and it won't tell you why.


----------



## dvdmandt (Feb 17, 2011)

Hi, thank you everyone. It was because of permissions. I had homedirs group-writable (using ACL), which sshd didn't like.


----------

