Azure AD and schema for SSH public keys

Matthew Mellon · ‎Sep 29 2017

We are considering migrating our Novell eDirectory on-premise directory to AAD DS. One thing that we use our current directory for is storing SSH public keys for users, which are in turn used to allow users to log in to Linux instances.

I have seen documentation that states that AAD DS does not allow extending the LDAP schema (including adding User object attributes), but I cannot find documentation stating what the default schema looks like.

Is it possible to store users' public keys for SSH in AAD DS? Where can I see the documentation for the default schema (I'd like to know what I'm buying before I dive in)?

Fons Ullings · ‎Aug 17 2018

Dear Matthew Mellon

Did you indeed discover a method to store users public keys in a AAD ?

many thanks

Fons Ullings

Amsterdam UMC

astateofmind · ‎Feb 07 2020

@Matthew Mellon

Found any solution to this? I would be quite interested.

Thanks.

Fons Ullings · ‎Feb 13 2020

Indeed we found the solution within the Azure AD and we have even managed to provision complete Azure AD accounts via secure LDAP using this field. The field can also be out-of-the-box configured to be used in Linux distributions like RedHat, Ubunto, CentOS so that seamless SSH login is provided to our researchers. The Azure AD attribute field is: altSecurityIdentities

and configure Linux instaces:

# Once domain joined, add the following to the /etc/sssd/sssd.conf file under the [domain/] section:
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True

# and under the [sssd] section add:
services = nss, pam, sudo, ssh
default_domain_suffix = XXXXXXXXX.onmicrosoft.com

# Then to the /etc/ssh/sshd_config add:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys [--domain XXXXXXXXX.onmicrosoft.com]
AuthorizedKeysCommandUser root

Regards

Fons Ullings

yaegashi · ‎Nov 15 2020

@Fons Ullings What's the Azure AD resource property for altSecurityIdentities you found? I couldn't find any property with that name in Azure AD user resource. I found alternativeSecurityIds in device resource that's translated to AD's altSecurityIdentities for devices, but I don't think it appropriate to store SSH public keys for user authentication.

Can we modify altSecurityIdentities via Microsoft Graph API?

Fons_Ullings · ‎Nov 16 2020

@yaegashi

I am pretty sure you can also use the GRAPH API but we are using successfully a secure LDAP feed to the Azure AD to alter the user public key (for example from a Yubikey). For out-of-the-box Linux systems that are joined with the Azure AD that are configured (so without additional code in these Linux boxes) it works. An example of this LDAPs feed in Python/LDAPs

import ldap
import ldap.modlist as modlist
import base64

l = ldap.initialize('ldaps://ldaps.xxxx-cloud.nl')
l.simple_bind_s('XXXAdmin', 'OK....')

# c'est moi
dn="CN=Fons.Ullings,OU=people,OU=XXX,DC=xxxx-cloud,DC=nl"
# new RSA certificate
new_rsa = 'ssh-rsa XXXXXXYYYYY'
newrsa_utf8 = '"{0}"'.format(new_rsa).encode('utf-8')
print(newrsa_utf8)

mod_list = [
(ldap.MOD_REPLACE, "altSecurityIdentities", newrsa_utf8),
]
l.modify_s(dn, mod_list)
l.unbind_s()

Regards

Fons Ullings

Herbert_Mauerer_MSFT · ‎Mar 15 2023

@Fons_Ullings Please do not overload the AD schema attribute altSecurityIdentities. Define your own new custom schema attribute. This will cause conflicts with deployments where the attribute is used for its soriginal purpose.

Herbert

Azure AD and schema for SSH public keys

Azure AD and schema for SSH public keys

Re: Azure AD and schema for SSH public keys

Re: Azure AD and schema for SSH public keys

Re: Azure AD and schema for SSH public keys

Re: Azure AD and schema for SSH public keys

Re: Azure AD and schema for SSH public keys

Re: Azure AD and schema for SSH public keys

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Azure AD and schema for SSH public keys