Dark Light

Pushing SSH keys from Okta to AD

Home / Blog / Pushing SSH keys from Okta to AD

Pushing SSH keys from Okta to AD

Published: Nov 15, 2020 / By Andrew Doering.

Introduction

I really would love to implement Okta Advanced Sever Access (ASA) to our server infrastructure in our environment. ASA has three downsides:

  • Expensive ($50,000 minimum) depending on the amount of servers being deployed to
  • Requires extensive management approval
  • Requires extensive security review from our team

Okta’s LDAP interface also does not support Linux/PAM officially, which appears to be (more or less) an artificial limit to push/advertise the ASA product.

So we need to find workarounds for this. This blog post covers details on how to do to 2 things:

  • Expand the Active Directory schema to store and use SSH keys over LDAP.
  • Allow for SSH Keys to be stored in Okta and pushed to Active Directory by the End User.

Configuring SSSD on Linux to work with Active Directory

We want to configure SSSD on Linux to hook up into Active Directory (a very basic configuration file, edit it to your needs):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
    
    [sssd]
    domains = LDAP
    services = nss, pam
    config_file_version = 2

    [nss]
    filter_groups = root
    filter_users = root

    [pam]

    [domain/LDAP]
    id_provider = ldap
    ldap_uri = ldap://ldap.example.com
    ldap_search_base = dc=example,dc=com

    auth_provider = krb5
    krb5_server = kerberos.example.com
    krb5_realm = EXAMPLE.COM

    cache_credentials = true
    min_id = 10000
    max_id = 20000
    enumerate = False
    

I would suggest reading through Red Hat’s documentation for validating the configuration. I won’t go into SSSD more in-depth here.

Modifying the Active Directory Schema

We will need to modify the Active Directory schema to create an attribute called sshPublicKey.

Enable Schema Updates

  1. Open up an administrative command prompt session
  2. Open up an administrative registry editor session by running regedit
  3. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry Path
  4. Add a new DWORD key that is called Schema Update Allowed with a value of 1 Schema Update Allowed
  5. In the administrative session of the command prompt, run regsvr32 schmmgmt.dll to enable Schema Management MMC Plug-in and accept the prompt. Register module

Adding the attribute in AD schema

I would highly recommend putting the project number/name in the description below, as well as what I have written.

  1. Once the mmc window has been opened, add the schema module to the running mmc window. Open MMC window
  2. Expand the listing on the left hand side.
  3. Right Click on Attributes, and then select Create New Attribute. Add new attribute
  4. Accept the warning that pops up and continue on.
  5. For Common Name, enter sshPublicKeys in the field.
  6. For LDAP Display Name, enter sshPublicKeys in the field.
  7. For Description, enter For Public SSH Key storage for sssd.
  8. For Unique X500 Object ID enter the following OID, 1.3.6.1.4.1.24552.1.1.1.13.
  9. For Syntax, select IA5-String.
  10. Check the Multi-Valued box.
  11. Leave both Minimum and Maximum blank. Register module
  12. Click Ok.

Adding a new class for the attribute

Once we have added the attribute into Active Directory, we need to add a class for the attribute to be associated with it. I would highly recommend putting the project number/name in the description as well.

  1. Right-click on Classes, then click Create class.
  2. If presented, click Continue on the warning.
  3. For Common Name, enter ldapPublicKey in the text field.
  4. For LDAP Display Name, enter ldapPublicKey in the text field.
  5. For Unique X500 Object ID, enter 1.3.6.1.4.1.24552.500.1.1.2.0.
  6. For Description, enter For use with sshPublicKeys attribute.
  7. For Parent Class enter top.
  8. For Class Type, select Auxiliary. Register module
  9. Click Next
  10. Under Optional, select Add, and scroll to find sshPublicKeys, click Ok. Register module
  11. Click Finish and leave the Schema MMC window open.

Associate the attribute and class to the user property

  1. With the schema window still open on Classes, find the user class Schema window
  2. Right-click select on properties. Properties value
  3. Select the Relationship tab, and click Add Class... Relationship Tab
  4. Select ldapPublicKey and click Ok. Selecting ldapPublicKey class
  5. Select the Attributes tab and click Add under Optional. Associate attribute tab
  6. Select sshPublicKey and click Ok. Associate attribute tab
  7. Click Apply and then click Ok
  8. Proceed to close the MMC window.

Creating an attribute in Okta’s User Directory Schema

We will begin to create the attribute under Okta’s Universal Directory.

  1. Go to https://yourdomain.okta.com/admin/universaldirectory
  2. Select Profile under User (default) Okta Universal Directory

  3. Select Add Attribute Okta Profile

  4. Once the Add Attribute window has appeared, fill out the prompts with the following options: Okta step 3

    • Display Name: SSH Public Key
    • Variable Name: sshPublicKey
    • Description: Add what you would like here, an example is below in the photograph
    • Once done, select Save
  5. Once the attribute is created, scroll down to the bottom, and find the newly created Okta attribute and click the pencil icon to edit the attribute. Okta step 4

  6. You will want to change the attributes to match to the picture below. Okta step 5

The reason for this is to allow user’s to modify the contents of the attribute value, and to not have a profile master potentially override or own the attribute contents.

Adding an ssh key to Okta profile

  1. Go to https://yourdomain.okta.com/enduser/settings
  2. Select Edit Profile Edit Profile
  3. If prompted enter your pasword, if not proceed to the next step.
  4. Click Edit Edit
  5. Within the [], add your SSH Key wrapped in ". An example of this would be shown below.
    1
    
      ["ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAoi9tCoNOkZgrOpEm2aoVY3uWNUq3MvNSHrgC9r2ELyVpODAz7eCFswszhtYB2o1FPqarJxJq3QQjflhEAZ16o7oaMD8kWzTdGMBjy9vynCr9dMQTuWoEBlAFNsjK1xdaJyWM2sEFV7p6c85yxeeDei1wBPc1AA4X9H2uS4ZTjaNm/Zobe7j7q8lc/e2Sb0tvY0auLv1sRRScxgZFQ5X/uMK0VtcubXxWxh6JceOb4BZRmHDCXOmX3z3wevtuDw6udafyZ6sjowSFH+PD+p7V97m9S81mQAuXfXzgmd/LrRlxHuzx0DpHKbi623lDvWWNb9QJwlLKbfMEP/DGPiEdsw== example-key"]
    

    Profile with ssh key

  6. Select Save

From here, if you need to add new keys, simply put them in a comma delimited format. So multiple keys would look like ["key 1", "key 2", "key 3"].

Add the new AD attribute to the Directories Profile in Okta

One crucial step in allowing us to push the content down is to add the attribute from Active Directory so that Okta is aware of it.

  1. Go to https://yourdomain.okta.com/admin/universaldirectory and select Directories, then select your domain. Okta Universal Directory - Profile Editor
  2. Click Profile, once the page finishes loading, select Add Attribute, and then search for sshPublicKey Okta Universal Directory - Profile Editor
  3. Click Save

Pushing Attributes from Okta to Application

Before doing this, announce to your users will use a change. This could be a breaking change if SSH Keys are not saved into the user’s Okta profile. We will use Active Directory as the example application here, but this could be used in other ways.

  1. Go to https://yourdomain.okta.com/admin/universaldirectory and select Directories, then select your domain. Okta Universal Directory - Profile Editor
  2. Click Mappings, and then select Configure User Mappings Okta Universal Directory - Configure Mappings
  3. Select the Okta User to domain.com Okta to User
  4. Scroll down to your sshPublicKey attribute on the right column and search for sshPublicKey on the left column. sshPublicKey Push
  5. Validate with a user that has saved SSH Keys to their Okta profile, before clicking save. Once validated, select Save mapping.

From here, your user’s SSH keys should be in a multi value format pushed down to Active Directory. Note, there are two values here, as I added the SSH key twice to the Okta profile to show the multi-valued aspect. Finished Result

From here, you could use tools like Ansible, SSSD, and others, to pull the content/value out of Active Directory for use with other services and systems. This could also be done directly to the LDAP Interface on Okta, however, that is not officially supported.