Pushing SSH keys from Okta to AD
Published: Nov 15, 2020 / By Andrew Doering

I really would love to implement Okta Advanced Server Access (ASA) for the server infrastructure in our environment. ASA has three downsides:
Okta’s LDAP interface also does not support Linux/PAM officially, which appears to be (more or less) an artificial limit to push/advertise the ASA product.
So we need to find workarounds for this. This blog post covers details on how to do two things:
We want to configure SSSD on Linux to hook into Active Directory (a very basic configuration file; edit it to your needs):
```ini
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[nss]
# keep the local root account out of directory lookups
filter_groups = root
filter_users = root

[pam]

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true
# UID/GID range this domain is allowed to serve
min_id = 10000
max_id = 20000
enumerate = False
```
I would suggest reading through Red Hat’s documentation for validating the configuration. I won’t go into SSSD more in-depth here.
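The configuration above only wires SSSD up for identity and authentication. For sshd to look a user's keys up in the directory attribute that the rest of this post creates, SSSD's ssh responder has to be enabled and told which attribute holds the keys. The following additions are an example written for this page, not the author's own configuration; they assume the attribute's LDAP display name is sshPublicKey (the Okta variable name used later in the post) and the standard helper path /usr/bin/sss_ssh_authorizedkeys.

```ini
# Additions to the sssd.conf above (example for this page, not the post's file).
# Assumes the directory attribute is named sshPublicKey.
[sssd]
domains = LDAP
# add the ssh responder so sss_ssh_authorizedkeys can query this domain
services = nss, pam, ssh
config_file_version = 2

[ssh]

[domain/LDAP]
# attribute that stores the user's SSH public keys
# (sshPublicKey is also SSSD's built-in default for this option)
ldap_user_ssh_public_key = sshPublicKey

# In /etc/ssh/sshd_config, point sshd at the SSSD helper:
#   AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
#   AuthorizedKeysCommandUser nobody
```

After restarting sssd and sshd, running sss_ssh_authorizedkeys followed by a username prints the keys SSSD fetched for that user, which is a quick check that the attribute is actually being read before relying on it for logins.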
We will need to modify the Active Directory schema to create an attribute called sshPublicKey.

1. Open regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
2. Create the value Schema Update Allowed with a value of 1.
3. Run regsvr32 schmmgmt.dll to enable the Schema Management MMC plug-in and accept the prompt.
I would highly recommend putting the project number/name in the description below, as well as what I have written.

1. Under Attributes, select Create New Attribute.
2. In the Common Name field, enter sshPublicKeys.
3. In the LDAP Display Name field, enter sshPublicKeys.
4. In the Description field, enter For Public SSH Key storage for sssd.
5. In the Unique X500 Object ID field, enter the following OID: 1.3.6.1.4.1.24552.1.1.1.13.
6. For Syntax, select IA5-String.
7. Check the Multi-Valued box.
8. Leave Minimum and Maximum blank.
9. Click Ok.
Once we have added the attribute into Active Directory, we need to add a class to associate the attribute with. I would highly recommend putting the project number/name in the description as well.

1. Under Classes, click Create class.
2. Click Continue on the warning.
3. In the Common Name text field, enter ldapPublicKey.
4. In the LDAP Display Name text field, enter ldapPublicKey.
5. In the Unique X500 Object ID field, enter 1.3.6.1.4.1.24552.500.1.1.2.0.
6. In the Description field, enter For use with sshPublicKeys attribute.
7. In Parent Class, enter top.
8. For Class Type, select Auxiliary.
9. Click Next.
10. Under Optional, select Add, scroll to find sshPublicKeys, and click Ok.
11. Click Finish and leave the Schema MMC window open.
12. Under Classes, find the user class and open its properties.
13. On the Relationship tab, click Add Class..., select ldapPublicKey, and click Ok.
14. On the Attributes tab, click Add under Optional.
15. Select sshPublicKey and click Ok.
16. Click Apply and then click Ok.
We will begin by creating the attribute under Okta's Universal Directory.

1. Go to https://yourdomain.okta.com/admin/universaldirectory.
2. Select Profile under User (default).
3. Select Add Attribute.
4. Once the Add Attribute window has appeared, fill out the prompts with the following options: SSH Public Key as the display name and sshPublicKey as the variable name.
5. Click Save.
Once the attribute is created, scroll down to the bottom, find the newly created Okta attribute and click the pencil icon to edit the attribute. The reason for this is to allow users to modify the contents of the attribute value, and to not have a profile master potentially override or own the attribute contents.

1. Go to https://yourdomain.okta.com/enduser/settings.
2. Click Edit Profile.
3. Click Edit.
4. In the field showing [], add your SSH key wrapped in ", then click Save. An example of this is shown below.

```json
["ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAoi9tCoNOkZgrOpEm2aoVY3uWNUq3MvNSHrgC9r2ELyVpODAz7eCFswszhtYB2o1FPqarJxJq3QQjflhEAZ16o7oaMD8kWzTdGMBjy9vynCr9dMQTuWoEBlAFNsjK1xdaJyWM2sEFV7p6c85yxeeDei1wBPc1AA4X9H2uS4ZTjaNm/Zobe7j7q8lc/e2Sb0tvY0auLv1sRRScxgZFQ5X/uMK0VtcubXxWxh6JceOb4BZRmHDCXOmX3z3wevtuDw6udafyZ6sjowSFH+PD+p7V97m9S81mQAuXfXzgmd/LrRlxHuzx0DpHKbi623lDvWWNb9QJwlLKbfMEP/DGPiEdsw== example-key"]
```

From here, if you need to add new keys, simply put them in a comma delimited format. So multiple keys would look like ["key 1", "key 2", "key 3"].
One crucial step in allowing us to push the content down is to add the attribute from Active Directory so that Okta is aware of it.

1. Go to https://yourdomain.okta.com/admin/universaldirectory and select Directories, then select your domain.
2. Select Profile and, once the page finishes loading, select Add Attribute, then search for sshPublicKey.
3. Click Save.
Before doing this, announce the change to your users. This could be a breaking change if SSH keys are not saved into the user's Okta profile. We will use Active Directory as the example application here, but this could be used in other ways.

1. Go to https://yourdomain.okta.com/admin/universaldirectory and select Directories, then select your domain.
2. Select Mappings, and then select Configure User Mappings.
3. Select Okta User to domain.com.
4. Find the sshPublicKey attribute in the right column and search for sshPublicKey in the left column.
5. Click Save mapping.

From here, your users' SSH keys should be pushed down to Active Directory in a multi-value format. Note there are two values here, as I added the SSH key twice to the Okta profile to show the multi-valued aspect.
From here, you could use tools like Ansible, SSSD, and others to pull the content/value out of Active Directory for use with other services and systems. This could also be done directly against the LDAP Interface on Okta; however, that is not officially supported.
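Both ends of this pipeline are easy to get subtly wrong: the Okta-side value has to be a JSON array of quoted keys (the ["key 1", "key 2"] format described earlier), and whatever pulls the multi-valued attribute back out of Active Directory ends up writing authorized_keys lines from it, duplicates included. The script below is an example written for this page, not code from the original post: check_okta_value() validates an attribute value before it is saved (JSON array, one OpenSSH public key per entry, base64 blob whose embedded type matches the key's type prefix, no duplicates), and authorized_keys_from_ad() renders a list of attribute values as authorized_keys text the way a pull-side tool would, collapsing the doubled key the author mentions. The sample key is constructed inside the script from tiny numbers and is not a usable key; the function names are this example's own.

```python
"""Check an Okta sshPublicKey value and render AD attribute values as
authorized_keys text.  Added example for this page, not the post's code.
Assumes the Okta attribute holds a JSON array of strings, as in the
post's ["key 1", "key 2"] example, and that each AD value is one
OpenSSH public-key line ("type base64 [comment]")."""
import base64
import json
import struct
from typing import List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _mpint(x: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 keeps it positive)."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_ssh_string(blob: bytes) -> bytes:
    """Return the first length-prefixed string of a key blob (the key type)."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("key blob truncated")
    return blob[4:4 + n]


def parse_public_key(line: str) -> Tuple[str, str, str]:
    """Split 'type base64 [comment]' and check the blob really encodes that type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"not an OpenSSH public key: {line!r}")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"bad base64 in key: {exc}") from exc
    inner = _read_ssh_string(blob).decode("ascii", "replace")
    if inner != keytype:
        raise ValueError(f"key type {keytype!r} does not match blob type {inner!r}")
    return keytype, b64, comment


def check_okta_value(raw: str) -> List[str]:
    """Return the problems found in an Okta sshPublicKey value; [] means it is fine."""
    problems: List[str] = []
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(value, list):
        return ['value must be a JSON array such as ["key 1", "key 2"]']
    seen = set()
    for i, item in enumerate(value):
        if not isinstance(item, str):
            problems.append(f"entry {i} is not a string")
            continue
        try:
            keytype, b64, _ = parse_public_key(item)
        except ValueError as exc:
            problems.append(f"entry {i}: {exc}")
            continue
        if (keytype, b64) in seen:
            problems.append(f"entry {i} duplicates an earlier key")
        seen.add((keytype, b64))
    return problems


def authorized_keys_from_ad(values: List[str]) -> str:
    """Render the multi-valued AD attribute as authorized_keys text, one key per
    line, keeping only the first copy of any key that was stored more than once."""
    lines: List[str] = []
    seen = set()
    for v in values:
        keytype, b64, comment = parse_public_key(v)
        if (keytype, b64) in seen:
            continue
        seen.add((keytype, b64))
        lines.append(" ".join(p for p in (keytype, b64, comment) if p))
    return "".join(line + "\n" for line in lines)


# Constructed demo key: a syntactically valid ssh-rsa blob built from tiny
# numbers.  It is NOT a usable key; it only exercises the parser offline.
_DEMO_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE1234567890ABCDEF)
DEMO_KEY = "ssh-rsa " + base64.b64encode(_DEMO_BLOB).decode("ascii") + " demo@example"

if __name__ == "__main__":
    # The post's "added the key twice" case: the Okta-side check flags it ...
    print(check_okta_value(json.dumps([DEMO_KEY, DEMO_KEY])))
    # ... and the pull side collapses it to a single authorized_keys line.
    print(authorized_keys_from_ad([DEMO_KEY, DEMO_KEY]), end="")
```

The blob check matters more than it looks: a value that passes as "a string in a JSON array" on the Okta side still reaches sshd as an authorized_keys line, and sshd silently ignores lines it cannot parse, so a typo in a pasted key shows up as a login failure with nothing in the Okta UI to explain it.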