Forum Discussion
Azure AD and schema for SSH public keys
Indeed we found the solution within the Azure AD and we have even managed to provision complete Azure AD accounts via secure LDAP using this field. The field can also be configured out of the box for use in Linux distributions like RedHat, Ubuntu, CentOS so that seamless SSH login is provided to our researchers. The Azure AD attribute field is: altSecurityIdentities
and configure Linux instances:
# Once domain joined, add the following to the /etc/sssd/sssd.conf file under the [domain/] section:
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True
# and under the [sssd] section add:
services = nss, pam, sudo, ssh
default_domain_suffix = XXXXXXXXX.onmicrosoft.com
# Then to the /etc/ssh/sshd_config add:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys [--domain XXXXXXXXX.onmicrosoft.com]
AuthorizedKeysCommandUser root
Regards
Fons Ullings
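An added example, not part of the original posts: in Active Directory altSecurityIdentities also carries X509: and Kerberos: identity mappings, so a small audit of the values that would be served as SSH keys is useful before pointing ldap_user_ssh_public_key at it. The function names, the 2048-bit RSA threshold and the sample values are assumptions made for this sketch; it checks only the key-type prefix and RSA modulus size.

```python
import base64
import struct

KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048  # assumed policy threshold; adjust to local policy

def pack_string(data):
    """Encode one RFC 4251 length-prefixed string (used to build samples)."""
    return struct.pack(">I", len(data)) + data

def read_string(blob, offset):
    """Decode one RFC 4251 string; return (bytes, next_offset)."""
    end = offset + 4
    if end > len(blob):
        raise ValueError("truncated length field")
    end += struct.unpack(">I", blob[offset:end])[0]
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def audit_value(value):
    """Classify one altSecurityIdentities value as (verdict, detail)."""
    parts = value.split()
    if len(parts) < 2 or parts[0] not in KNOWN_TYPES:
        # The attribute also holds X509:/Kerberos: mappings; those are not keys.
        return "not-ssh-key", "not in 'type base64 [comment]' form"
    try:
        blob = base64.b64decode(parts[1], validate=True)
        inner, pos = read_string(blob, 0)
        if inner != parts[0].encode():
            return "malformed", "key type inside blob differs from prefix"
        if parts[0] == "ssh-dss":
            return "weak", "DSA is disabled by default in current OpenSSH"
        if parts[0] == "ssh-rsa":
            _exponent, pos = read_string(blob, pos)
            modulus, pos = read_string(blob, pos)
            bits = int.from_bytes(modulus, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return "weak", f"RSA modulus is {bits} bits"
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return "malformed", str(exc)
    return "ok", parts[0]

if __name__ == "__main__":
    # Constructed sample values, not real keys or real directory data.
    ed = pack_string(b"ssh-ed25519") + pack_string(bytes(32))
    for v in ("X509:<I>CN=Example CA<S>CN=alice",
              "ssh-ed25519 " + base64.b64encode(ed).decode() + " alice@example"):
        print(audit_value(v))
```

Feed it the attribute values read from the directory (for example one value per line from an LDAP export) and review anything that is not "ok" before enabling the SSSD mapping.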
Fons Ullings What's the Azure AD resource property for altSecurityIdentities you found? I couldn't find any property with that name in Azure AD https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0. I found alternativeSecurityIds in https://docs.microsoft.com/en-us/graph/api/resources/device?view=graph-rest-1.0 that's translated to AD's altSecurityIdentities for devices, but I don't think it's appropriate to store SSH public keys for user authentication.
Can we modify altSecurityIdentities via Microsoft Graph API?