# [SOLVED] openssh, ldap and public keys

## Skillshot

Hi there,

I have trouble getting public key auth in OpenSSH with OpenLDAP to work. OpenSSH insists that it cannot find any keys for my user. The log on the LDAP server states

```
conn=8 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

conn=8 op=3 UNBIND
```

so one entry WAS found. If I use the filter from the LDAP patch

```
(&(objectClass=posixAccount)(objectClass=ldapPublicKey)(uid=$USERNAME))
```

with the attribute filter 'sshPublicKey' and do a manual ldapsearch from the console, I also get the desired result set.

But when I connect via ssh, the log on the ssh machine says:

```
Dec  4 12:59:48 wtf sshd[7686]: [LDAP] no keys found for '$USERNAME'!
```

This message only gets logged if

```
k = ldap_getuserkey(&options.lpk, pw->pw_name)
```

yields NULL in auth2-pubkey.c (line 207, openssh with USE +ldap), but now I'm stuck, because I have no idea why the key returned by the LDAP server is 'not found' while doing public key auth on the ssh server.

I'm using openssh-5.3_p1-r1 with openldap-2.4.19-r1 on a 64bit gentoo.

I searched all around the net but did not find any hint of what could be wrong here. Anyone here with an idea?

Thanks!

P.S.: I also checked the ssh output on the client side to verify that it's trying the right keys ...

Last edited by Skillshot on Fri Dec 04, 2009 2:36 pm; edited 1 time in total

----------

## John R. Graham

So, did you create keys for the user in question? What are the contents of the ~/.ssh directory for that user?

- John

----------

## Skillshot

Yes, the user had authorized_keys in place. I put the key from the file into LDAP and moved the authorized_keys file away to test that the public key from LDAP is used. But it's not ...

The user can log in (again) if I move the file back to its place. But I want to use the public key from LDAP on several server machines without having to distribute the key to every single machine.

----------

## Skillshot

Ok, got it.

After turning on debugging on the ssh server side, I saw immediate time-outs on the LDAP search. After setting TIMELIMIT in /etc/openldap/ldap.conf on the client side, everything went fine ...

*puh*

----------
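As an added example, not code from the thread or from the openssh-lpk patch itself: a small POSIX shell script that does by hand what the first post describes (the lpk filter for a username, run through ldapsearch asking only for sshPublicKey) with the search time limit made explicit, which is the knob the last post ended up setting through TIMELIMIT in ldap.conf. It also turns the LDIF answer into authorized_keys lines, handling the two things ldapsearch output does that a naive grep misses: long values folded onto continuation lines, and base64 values marked with `::`. The LDAP URI, base DN and the 5-second limit are placeholders chosen here and are not from the thread; the objectClass and attribute names are the ones the lpk filter in the first post uses.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the lookup the openssh-lpk patch
# makes, from the command line, with an explicit search time limit, and turn the
# LDIF result into authorized_keys lines. The LDAP URI and base DN below are
# placeholders; the attribute name sshPublicKey and objectClass ldapPublicKey come
# from the lpk filter quoted in the thread.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"      # assumed, not from the thread
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"           # assumed, not from the thread
TIMELIMIT="${TIMELIMIT:-5}"                            # seconds; chosen here for illustration

# Build the filter the lpk patch uses for a given username. The username is
# whitelisted to [A-Za-z0-9._-] first so that LDAP filter metacharacters
# such as '*', '(' and ')' can never be spliced into the query.
lpk_filter() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '(&(objectClass=posixAccount)(objectClass=ldapPublicKey)(uid=%s))' "$1"
}

# Read LDIF on stdin, unfold continuation lines (which start with one space),
# and print each sshPublicKey value on its own line. Values written with "::"
# are base64-encoded in LDIF and are decoded here.
ldif_ssh_keys() {
    awk '
        function flush() {
            if (buf ~ /^sshPublicKey:: /)     print "B64 " substr(buf, 16)
            else if (buf ~ /^sshPublicKey: /) print "RAW " substr(buf, 15)
            buf = ""
        }
        /^ /  { buf = buf substr($0, 2); next }   # folded continuation line
              { flush(); buf = $0 }
        END   { flush() }
    ' | while IFS= read -r rec; do
        case "$rec" in
            B64\ *) printf '%s\n' "${rec#B64 }" | base64 -d; printf '\n' ;;
            RAW\ *) printf '%s\n' "${rec#RAW }" ;;
        esac
    done
}

# Query the directory the way sshd does, but with a visible time limit.
# -l is the per-search equivalent of the TIMELIMIT directive in ldap.conf;
# -LLL gives bare LDIF; -x uses a simple (here anonymous) bind, add -D/-W if
# the directory requires credentials.
lookup_keys() {
    user="$1"
    filter=$(lpk_filter "$user") || { printf 'refusing username: %s\n' "$user" >&2; return 1; }
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" -l "$TIMELIMIT" "$filter" sshPublicKey \
        | ldif_ssh_keys
}

if [ "$#" -gt 0 ]; then
    lookup_keys "$1"
fi
```

Run it as `LDAP_URI=ldap://your-server LDAP_BASE='dc=...' ./lpk-lookup.sh alice`. If this returns the key but sshd still logs "no keys found", the difference lies in the client-library settings sshd's LDAP code inherits from ldap.conf rather than in the directory data, which is exactly the situation the last post resolved with TIMELIMIT; if ldapsearch itself stalls or reports that the time limit was exceeded, the server is the slow side. The username whitelist in `lpk_filter` matters because the lpk filter substitutes the login name straight into the query string.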

