Forum Discussion

Matthew Mellon's avatar
Matthew Mellon
Copper Contributor
Sep 29, 2017

Azure AD and schema for SSH public keys

We are considering migrating our Novell eDirectory on-premise directory to AAD DS. One thing that we use our current directory for is storing SSH public keys for users, which are in turn used to allo...
Azure Active Directory (AAD)
Fons Ullings's avatar
Fons Ullings
Copper Contributor
Feb 14, 2020

Indeed we found the solution within the Azure AD and we have even managed to provision complete Azure AD accounts via secure LDAP using this field. The field can also be out-of-the-box configured to be used in Linux distributions like RedHat, Ubunto, CentOS so that seamless SSH login is provided to our researchers. The Azure AD attribute field is: altSecurityIdentities

and configure Linux instaces:

 

# Once domain joined, add the following to the /etc/sssd/sssd.conf file under the [domain/] section:
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True

# and under the [sssd] section add:
services = nss, pam, sudo, ssh
default_domain_suffix = XXXXXXXXX.onmicrosoft.com


# Then to the /etc/ssh/sshd_config add:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys [--domain XXXXXXXXX.onmicrosoft.com]
AuthorizedKeysCommandUser root

 

 

Regards

Fons Ullings

  • yaegashi's avatar
    yaegashi
    Copper Contributor
    Nov 16, 2020

    Fons Ullings What's the Azure AD resource property for altSecurityIdentities you found?  I couldn't find any property with that name in Azure AD user resource.  I found alternativeSecurityIds in device resource that's translated to AD's altSecurityIdentities for devices, but I don't think it appropriate to store SSH public keys for user authentication.

     

    Can we modify altSecurityIdentities via Microsoft Graph API?

    • Fons_Ullings's avatar
      Fons_Ullings
      Copper Contributor
      Nov 16, 2020

      yaegashi 

      I am pretty sure you can also use the GRAPH API but we are using successfully a secure LDAP feed to the Azure AD to alter the user public key (for example from a Yubikey). For out-of-the-box Linux systems that are joined with the Azure AD that are configured (so without additional code in these Linux boxes) it works. An example of this LDAPs feed in Python/LDAPs

       

      import ldap
      import ldap.modlist as modlist
      import base64

      l = ldap.initialize('ldaps://ldaps.xxxx-cloud.nl')
      l.simple_bind_s('XXXAdmin', 'OK....')

      # c'est moi
      dn="CN=Fons.Ullings,OU=people,OU=XXX,DC=xxxx-cloud,DC=nl"
      # new RSA certificate
      new_rsa = 'ssh-rsa XXXXXXYYYYY'
      newrsa_utf8 = '"{0}"'.format(new_rsa).encode('utf-8')
      print(newrsa_utf8)

      mod_list = [
      (ldap.MOD_REPLACE, "altSecurityIdentities", newrsa_utf8),
      ]
      l.modify_s(dn, mod_list)
      l.unbind_s()

       

      Regards

      Fons Ullings

      • Herbert_Mauerer_MSFT's avatar
        Herbert_Mauerer_MSFT
        Icon for Microsoft rankMicrosoft
        Mar 16, 2023

        Fons_Ullings Please do not overload the AD schema attribute altSecurityIdentities. Define your own new custom schema attribute. This will cause conflicts with deployments where the attribute is used for its soriginal purpose.

         

        Herbert

Resources