Authkeys: Making Key-Based LDAP Authentication Faster

Authkeys, Threat Stack’s new open source tool, performs LDAP lookups of SSH keys without the need for using scripts or other interpreted code.

You may recall from an earlier post that we’ve set up centralized authentication here at Threat Stack. Our motivation for doing so centered on the desire to achieve clearer access control for the servers that power our platform. By doing this, we no longer need to use Chef to deploy the majority of users to servers. Rather, we can use an internal application to add, lock, and update users and their associated metadata.

One piece of metadata that we want to control is the engineering team member’s SSH key, which is tied to their YubiKey. This asymmetric key is what authenticates a specific user to a specific server (authorization to access that server is handled with special PAM configuration). We don’t use passwords to log into machines, except in emergencies which require multiple people to be present (and even then, an SSH key is involved).

When we were using Chef to set up all user accounts, Chef would set up their home directory and place an authorized_keys file which contained the public component of the user’s private key. Now that we’re using LDAP, a question remained: How do we distribute these keys to the machine?

Fortunately, OpenSSH has a configuration option that allows the use of an external application on login that returns the appropriate keys for a user. This configuration option is called AuthorizedKeysCommand. A few open-source options exist for performing an LDAP lookup of SSH keys, but they rely on interpreters like Lua and Python to run. Lua and Python are great languages, but we felt more confident in putting an application into the mix that didn’t rely on an interpreter. So we created Authkeys, a small application written in Go that will perform a lookup and return the appropriate keys so that SSH can make an authentication decision.

Using Authkeys

Our has full instructions on using the tool, along with requirements. In summary:

  • You’ll use a configuration management tool to place a configuration file (/etc/authkeys.json is the default) on each host containing information about your LDAP setup.
  • You’ll also use a configuration management tool to distribute an Authkeys package. (We use FPM to make our own.)
  • Then, you’ll set the AuthorizedKeysCommand option in your sshd_config to wherever path you installed Authkeys to, and you’re off and authenticating in no time.

Wrapping it up . . .

Authkeys was a learning experience for this author in writing LDAP tooling with Go, and formed the foundation for creating other tools like Deputize. We hope you find it useful in your LDAP deployments, and look forward to your pull requests and comments!

Interested in Authkeys? Check it out on GitHub.

Additional Posts by Pat Cable

Balancing Security and Your On-Call Rotation Using Deputize

Reliable UNIX Log Collection in the Cloud

Securing User Credentials With the YubiKey

Five Lessons We Learned on Our Way to Centralized Authentication

Protecting Sensitive Credentials by Sharing Secrets in the Cloud