Going Passwordless at Duke

In 2022, we are moving the virtual machine that administers our ECE 551 course away from passwords.  In fact, students won't be able to use passwords at all: the only login option is an ssh key pair.

It turns out that setting this up at Duke is really easy, but requires knowing a bunch of things that are not easy to find.  Accordingly, this guide is intended to help anyone who wants to do the same thing.

The first thing you need to know is that OIT has a place for users to upload public keys:

https://idms-web-selfservice.oit.duke.edu/advanced 

Our authentication plan is that users (in our case, students) upload a public key to that site, and our system looks the key up there to authenticate them.  We assume that you already have a system on which you need this authentication and that you have root on it.  If you need to explain to students how to make key pairs and upload them, I have a quick guide for that here: https://adhilton.pratt.duke.edu/ssh-key-pair-setup-upload .


Step 1:  LDAP key lookup

The first thing you need to do is install OIT's tool that looks up public keys in LDAP.  The instructions for this tool are here:

https://gitlab.oit.duke.edu/devil-ops/installing-devil-ops-packages

but the TL;DR version for Ubuntu 22.04 is

wget -qO - https://oneget.oit.duke.edu/debian-feeds/devil-ops-debs.pub | sudo gpg --dearmor -o /etc/apt/keyrings/devil-ops-debs.gpg
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/devil-ops-debs.gpg] https://oneget.oit.duke.edu/ devil-ops-debs main" | sudo tee /etc/apt/sources.list.d/devil-ops.list

sudo apt update

sudo apt install ldap-ssh-key-lookup

If you then run 

ldap-ssh-key-lookup netid

you should get the keys registered for that NetID, one per line.  That output is what sshd will consume in the next step, so it has to be in authorized_keys format (key type, base64 blob, optional comment).  No output means that user has not uploaded a key yet, and once passwords are off they will not be able to log in until they do.

Step 2: Edit sshd's config

Next, you need to edit /etc/ssh/sshd_config (you need to do this as root, of course).  You need to add two lines:

AuthorizedKeysCommand /usr/bin/ldap-ssh-key-lookup

AuthorizedKeysCommandUser ldapsshkeys

Note that this refers to a user you don't have (ldapsshkeys), so create it first with adduser ldapsshkeys (as root or with sudo).  The account exists only to run the lookup command, so it needs no password, home directory or login shell; a system account is enough: adduser --system --no-create-home ldapsshkeys.

I'll note that I made a specific user just to do key lookup, as the sshd_config man page suggests.  Some people just use the user "nobody" for this.  Either way, you MUST set AuthorizedKeysCommandUser whenever you set AuthorizedKeysCommand, or sshd will refuse to start.

Note that this will enable keys from the LDAP directory, but it does not disable passwords.  It also does not stop sshd from honouring keys in each user's ~/.ssh/authorized_keys (AuthorizedKeysFile); if you want the directory to be the only source of keys, set AuthorizedKeysFile none as well.  If you want to disable passwords, you need to change the line

PasswordAuthentication yes

to

PasswordAuthentication no

On Ubuntu 22.04 that line ships commented out (#PasswordAuthentication yes, since yes is the default), so uncomment it as well as changing it.  Two more things to check while you are in there.  First, KbdInteractiveAuthentication must also be no (Ubuntu's stock file already sets it), because otherwise PAM can still prompt for a password over keyboard-interactive.  Second, Ubuntu's sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and sshd uses the first value it reads for any option, so a drop-in there wins over your edit; cloud images in particular may leave a 50-cloud-init.conf containing PasswordAuthentication yes, which silently keeps passwords on.

Once that is done, save your sshd_config, check that it parses (sshd -t prints nothing if the file is fine), and run (still as root):

service sshd restart

Now you should be able to log in by ssh key, and only by ssh key!

Please test this in another terminal before you log out!  Keep your current session open, open a new one with ssh netid@host, and also confirm that a forced password attempt (ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password netid@host) is refused with "Permission denied (publickey)".  If you want to see what sshd actually ended up with after all the includes, sudo sshd -T prints the effective configuration.
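The following script is an added example for checking the result of Steps 1 and 2; it is not part of the original guide or of OIT's tooling.  It reads the effective sshd configuration (the output of sshd -T, which already has any /etc/ssh/sshd_config.d/ drop-ins folded in) and asserts the settings key-only login needs, warns if local ~/.ssh/authorized_keys files are still honoured, and counts how many lines of the key lookup's output sshd could actually use.  The command path and user name (/usr/bin/ldap-ssh-key-lookup, ldapsshkeys) are the ones used in the guide; the sample configuration and key lines embedded below are constructed so the checks run offline and contain no real keys.

```shell
#!/bin/sh
# Added example, not from the original guide: post-setup checks for
# passwordless sshd backed by the LDAP key lookup. Constructed sample data
# below lets it run offline; pass --live <netid> to check a real host as root.

# Assert the settings sshd must have for key-only login through the lookup.
# $1 is the text printed by `sshd -T` (lower-case keyword, value, one per line).
# Returns 0 if every expectation holds, 1 otherwise, printing each mismatch.
check_effective_config() {
    cfg=$1
    rc=0
    for pair in \
        passwordauthentication=no \
        kbdinteractiveauthentication=no \
        pubkeyauthentication=yes \
        authorizedkeyscommand=/usr/bin/ldap-ssh-key-lookup \
        authorizedkeyscommanduser=ldapsshkeys
    do
        opt=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$cfg" | awk -v o="$opt" '$1 == o { print $2; exit }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $opt is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    # Not fatal, but worth knowing: unless AuthorizedKeysFile is none, a key
    # dropped into ~/.ssh/authorized_keys bypasses the directory entirely.
    files=$(printf '%s\n' "$cfg" | awk '$1 == "authorizedkeysfile" { $1 = ""; print substr($0, 2); exit }')
    [ "$files" = "none" ] || echo "WARNING: authorizedkeysfile is '${files:-unset}'; local keys are still accepted" >&2
    return $rc
}

# Count lines of lookup output sshd can use: a key type it knows followed by
# a base64 blob. (A leading options field such as `no-pty ssh-ed25519 ...` is
# also legal for sshd but is not handled here.) Zero means no way to log in.
count_valid_keys() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(sk-)?(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$/ &&
        $2 ~ /^[A-Za-z0-9+\/]+=*$/ { n++ }
        END { print n + 0 }'
}

# Constructed samples (not captured from a real host).
# A correct host: what sshd -T prints after following the guide.
SAMPLE_GOOD='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
authorizedkeyscommand /usr/bin/ldap-ssh-key-lookup
authorizedkeyscommanduser ldapsshkeys
authorizedkeysfile none'

# The classic failure: sshd_config was edited, but a drop-in under
# sshd_config.d set PasswordAuthentication yes first, so passwords still work.
SAMPLE_BAD='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
authorizedkeyscommand /usr/bin/ldap-ssh-key-lookup
authorizedkeyscommanduser ldapsshkeys
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2'

# Lookup output with two usable keys and one junk line. The blobs are
# placeholders, not real keys.
SAMPLE_KEYS='ssh-ed25519 AAAAC3PlaceholderNotARealKey0000000000000000000000000000 netid@laptop
ssh-rsa AAAAB3PlaceholderNotARealKey0000000000000000000000000000== netid@desktop
warning: this line is not a key'

# Live use, as root on the host after restarting sshd:
#   sh check-passwordless.sh --live <netid>
if [ "${1:-}" = "--live" ]; then
    check_effective_config "$(sshd -T)" && echo "sshd: key-only login enforced"
    n=$(count_valid_keys "$(ldap-ssh-key-lookup "$2")")
    echo "$n usable key(s) registered for ${2:-?}"
fi
```

Run it without arguments to exercise the constructed samples; with --live it calls sshd -T and ldap-ssh-key-lookup on the host, so it needs root.  The config check deliberately reads sshd -T rather than grepping /etc/ssh/sshd_config, because the file you edited is not necessarily what sshd is enforcing once includes are applied.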