Going Passwordless at Duke

In 2022, we are moving the virtual machine that adminsters our ECE 551 course away from passwords.  In fact, students won't even be able to use passwords at all!  The only login option is an ssh key pair.  

It turns out that setting this up at Duke is really easy, but requires knowing a bunch of things that are not easy to find.  Accordingly, this guide is intended to help anyone who wants to do the same thing.

The first thing you need to know is that OIT has a place for user's to upload public keys: 

https://idms-web-selfservice.oit.duke.edu/advanced 

Our authentication plan is that users (in our case students) will upload a public key to this site, and we will use that to authenticate them on our system.  We assume that you already have a system on which you need this authentication and that you have root on it.  Note that if you need to explain to students how to make key pairs and upload them, I have a quick guide for that here https://adhilton.pratt.duke.edu/ssh-key-pair-setup-upload .

 

Step 1:  LDAP key lookup

The first thing you need to do is install OIT's tool for looking up public keys from LDAP.   The instructions for this tool are here:

https://gitlab.oit.duke.edu/devil-ops/installing-devil-ops-packages

but the TLDR version if you are on Ubuntu 22 is 

wget -qO - https://oneget.oit.duke.edu/debian-feeds/devil-ops-debs.pub | sudo gpg --dearmor -o /etc/apt/keyrings/devil-ops-debs.gpg
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/devil-ops-debs.gpg] https://oneget.oit.duke.edu/ devil-ops-debs main" | sudo tee /etc/apt/sources.list.d/devil-ops.list

sudo apt update

sudo apt install ldap-ssh-key-lookup

If you then run 

ldap-ssh-key-lookup netid

You should get any registered keys for netid.

Step 2: Edit sshd's config

Next, you need to edit /etc/ssh/sshd_config  (you need to do this as root of course).  You need to add two lines:

AuthorizedKeysCommand /usr/bin/ldap-ssh-key-lookup

AuthorizedKeysCommandUser ldapsshkeys

Note that this refers to a user you dont have (ldapsshkeys), so adduser ldapsshkeys (as root or with sudo).

I'll note that I made a specific user just to do key look up, as the sshd_config manpage suggests.  Some people just use user "nobody" for this.  Either way, you MUST specify a user with AuthorizedKeysCommandUser or sshd will refuse to run if you have AuthorizedKeysCommand.

Note that this will enable keys from the LDAP directory, but does not disable passwords.  If you want to disable passwords, you need to change the line

PasswordAuthentication yes

to

PasswordAuthentication no

Once that is done, save your sshd_config and run (still as root):

service sshd restart

Now you should be able to login by ssh key, and only by ssh key!

Please test this in another terminal before you logout!