Azure AD and schema for SSH public keys


We are considering migrating our Novell eDirectory on-premise directory to AAD DS. One thing that we use our current directory for is storing SSH public keys for users, which are in turn used to allow users to log in to Linux instances.

 

I have seen documentation that states that AAD DS does not allow extending the LDAP schema (including adding User object attributes), but I cannot find documentation stating what the default schema looks like.

 

Is it possible to store users' public keys for SSH in AAD DS? Where can I see the documentation for the default schema (I'd like to know what I'm buying before I dive in)?

5 Replies

Dear Matthew Mellon

 

Did you indeed discover a method to store users' public keys in an AAD?

many thanks

 

Fons Ullings

Amsterdam UMC

 

@Matthew Mellon 

Found any solution to this? I would be quite interested.

Thanks.

Indeed we found the solution within the Azure AD and we have even managed to provision complete Azure AD accounts via secure LDAP using this field. The field can also be configured out-of-the-box to be used in Linux distributions like RedHat, Ubuntu, CentOS so that seamless SSH login is provided to our researchers. The Azure AD attribute field is: altSecurityIdentities

and configure Linux instances:

 

# Once domain joined, add the following to the /etc/sssd/sssd.conf file under the [domain/] section:
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True

# and under the [sssd] section add:
services = nss, pam, sudo, ssh
default_domain_suffix = XXXXXXXXX.onmicrosoft.com


# Then to the /etc/ssh/sshd_config add:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys [--domain XXXXXXXXX.onmicrosoft.com]
AuthorizedKeysCommandUser root

 

 

Regards

Fons Ullings

@Fons Ullings What's the Azure AD resource property for altSecurityIdentities you found?  I couldn't find any property with that name in Azure AD user resource.  I found alternativeSecurityIds in device resource that's translated to AD's altSecurityIdentities for devices, but I don't think it appropriate to store SSH public keys for user authentication.

 

Can we modify altSecurityIdentities via Microsoft Graph API?

@yaegashi 

I am pretty sure you can also use the Graph API, but we are successfully using a secure LDAP feed to the Azure AD to alter the user's public key (for example from a Yubikey). For out-of-the-box Linux systems that are joined to the Azure AD and configured (so without additional code on these Linux boxes) it works. An example of this LDAPS feed in Python/LDAPS:

 

import ldap

# Connect over LDAPS to the managed domain and bind with an admin account
# (host name and credentials are placeholders).
l = ldap.initialize('ldaps://ldaps.xxxx-cloud.nl')
l.simple_bind_s('XXXAdmin', 'OK....')

# DN of the user whose key is being set (that's me)
dn = "CN=Fons.Ullings,OU=people,OU=XXX,DC=xxxx-cloud,DC=nl"
# new RSA public key in OpenSSH format (placeholder value)
new_rsa = 'ssh-rsa XXXXXXYYYYY'
# The value is wrapped in double quotes as in the original post (a plain
# authorized_keys line carries no quotes); python-ldap wants bytes.
newrsa_utf8 = '"{0}"'.format(new_rsa).encode('utf-8')
print(newrsa_utf8)

# Replace whatever altSecurityIdentities currently holds with the new key.
mod_list = [
    (ldap.MOD_REPLACE, "altSecurityIdentities", [newrsa_utf8]),
]
l.modify_s(dn, mod_list)
l.unbind_s()

 

Regards

Fons Ullings
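As an added example that is not part of this thread (the code is mine, not Fons Ullings' or Microsoft's): whatever is stored in altSecurityIdentities comes straight back out of sss_ssh_authorizedkeys and is parsed by sshd as an authorized_keys line, so the value is worth validating strictly both before the LDAP write shown above and again when it is served to sshd by the AuthorizedKeysCommand configured in the earlier post. The script parses an OpenSSH public-key line down to its RFC 4253 wire format, checks that the declared and embedded key types agree, computes the SHA256 fingerprint that ssh-keygen -l prints, and emulates the AuthorizedKeysCommand read path, dropping attribute values that carry authorized_keys options, extra lines, or a key type outside an allow-list. The allow-list of key types and the ed25519 test key (fixed bytes, not a real key) are assumptions of the example.

```python
"""Strict handling of the OpenSSH public-key line stored in altSecurityIdentities.

Added example, not code from the thread. The ed25519 key built below is
constructed from fixed bytes for testing; it is not a real key.
"""
import base64
import hashlib
import re
import struct

# Key types we are willing to serve to sshd (assumption of this example).
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _read_ssh_string(buf, offset):
    """Decode one RFC 4253 'string' (uint32 big-endian length + bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    if offset + 4 + n > len(buf):
        raise ValueError("truncated string body")
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def parse_pubkey_line(line):
    """Return (key_type, blob, comment) for a well-formed OpenSSH public key line.

    Raises ValueError for anything sshd would read differently from a bare key:
    a leading options field, embedded newlines, a disallowed or mismatched type,
    or a blob with trailing bytes after the last wire-format field.
    """
    if not isinstance(line, str) or any(c in line for c in "\r\n\x00"):
        raise ValueError("key must be a single line")
    parts = line.strip().split(" ", 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError("key type not allowed: %r" % key_type)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        raise ValueError("key body is not base64")
    blob = base64.b64decode(b64, validate=True)
    inner_type, off = _read_ssh_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("wire-format type does not match declared type")
    # Every remaining field of the blob is a string/mpint; walking them all
    # detects trailing garbage appended to a valid-looking key.
    while off < len(blob):
        _, off = _read_ssh_string(blob, off)
    return key_type, blob, comment


def fingerprint(blob):
    """SHA256 fingerprint in the format 'ssh-keygen -l' prints (no '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def attribute_value_for_ldap(line):
    """Validate, then return the canonical bytes to write into the attribute."""
    key_type, blob, comment = parse_pubkey_line(line)
    canonical = key_type + " " + base64.b64encode(blob).decode("ascii")
    if comment:
        canonical += " " + comment
    return canonical.encode("utf-8")


def authorized_keys_from_attribute(values):
    """Emulate the AuthorizedKeysCommand read path.

    Each (possibly multi-valued) LDAP attribute value becomes one authorized_keys
    line; values that fail validation are silently dropped rather than served.
    """
    lines = []
    for raw in values:
        try:
            line = raw.decode("utf-8")
            parse_pubkey_line(line)
        except (UnicodeDecodeError, ValueError):
            continue
        lines.append(line.strip())
    return "\n".join(lines) + ("\n" if lines else "")


def constructed_ed25519_key(comment="researcher@example"):
    """Build a syntactically valid ssh-ed25519 line from fixed bytes (test vector)."""
    point = bytes(range(32))  # 32 placeholder bytes standing in for a real point
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment


if __name__ == "__main__":
    good = constructed_ed25519_key()
    print(attribute_value_for_ldap(good))
    print(fingerprint(parse_pubkey_line(good)[1]))
    # An attacker-controlled value trying to smuggle an authorized_keys option
    # in front of the key is rejected on the read path.
    evil = b'command="/bin/sh" ' + good.encode("utf-8")
    print(repr(authorized_keys_from_attribute([good.encode("utf-8"), evil])))
```

The same parse_pubkey_line check belongs in front of the modify_s call in the post above, and the fingerprint gives an operator a value to compare against the output of sss_ssh_authorizedkeys on a joined host.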