passwordless ssh authentication using active directory

ssh active-directory kerberos ssh-keys
Shyrka picture Shyrka · Aug 21, 2013 · Viewed 9.6k times · Source

Our current infrastructure uses ssh keys for passwordless login to our Linux servers. As our infrastructure grows, managing these authorised keys is getting harder.

As we also have an Active Directory (AD) server, I would like to authenticate the users over ssh using this mechanism, but maintain the passwordless nature of ssh keys.

Is it possible to authenticate the users over ssh without password, using some AD mechanism?

Answer

danny picture danny · Aug 4, 2017

This is usually done via SSH key certificates in order to keep the password-less nature and at the same time have a Central Authority that can be trusted to generate new certificates for each account.

LDAP/Active directory use on login is not advised - apart from having to use passwords, it also becomes a single point of failure for access to any system it manages.

See RedHat documentation on how to do this and also Facebook's good write up on their use of certificate authentication with SSH.

Related questions

ssh "permissions are too open" error

I had a problem with my mac where I couldn't save any kind of file on the disk anymore. I had to reboot OSX lion and reset the permissions on files and acls. But now when I want to commit …

Read More
How to download a file from server using SSH?

I need to download a file from server to my desktop. (UBUNTU 10.04) I don't have a web access to the server, just ssh. If it helps, my OS is Mac OS X and iTerm 2 as a terminal.

Read More
Could not open a connection to your authentication agent

I am running into this error of: $ git push heroku master Warning: Permanently added the RSA host key for IP address '50.19.85.132' to the list of known hosts. ! Your key with fingerprint b7:fd:15:25:02:8e:5f:06:4f:1c:af:…

Read More