Alekos Filini

LDAP User Authentication on NixOS - With a Twist

I’ve been working on a server that we are deploying at hack.bs: my goal was to allow users from an LDAP server to log in with SSH and each get their own home directory with a bunch of storage. There’s a lot of documentation on that online: essentially all you need to do is make your users posixAccounts in the LDAP server, and with a few NSS options and the pam_ldap.so module you are good to go. It’s relatively easy on any Linux distro, even more so on NixOS, where you just have to enable users.ldap.enable (and possibly also users.ldap.daemon.enable, which runs nslcd instead of having every process talk to the directory itself).

However, I wasn’t satisfied with that: people tend to use weak passwords, which is why I would prefer to only use SSH public keys to authenticate logins. A quick Google search revealed a really neat way to do it: sshd has an option called AuthorizedKeysCommand which can be set to an arbitrary executable. sshd runs it with one argument, the username that is trying to log in (you can also pass explicit tokens such as %u), and it should print the allowed public keys for that username on stdout, in authorized_keys format. You can use ldapsearch to fetch the public key from the LDAP server and return it to sshd, which will let the user in. Two things to keep in mind: sshd refuses to use AuthorizedKeysCommand unless AuthorizedKeysCommandUser is also set (the command runs as that user, so pick an unprivileged one), and the username comes from a client that has not authenticated yet, so the script must validate it before building an LDAP filter out of it.

By itself this doesn’t disable passwords though: it only lets users log in with their public key if they choose to. One quick and dirty solution would be to disallow passwords at the sshd level (PasswordAuthentication no, plus KbdInteractiveAuthentication no, because with UsePAM the keyboard-interactive method can still ask PAM for a password). This would prevent anonymous clients from brute-forcing somebody’s password, but it only affects sshd: a valid user could log in using their public key and then try to escalate to another user with su, which happily checks that weak LDAP password through PAM.

Unfortunately NixOS doesn’t expose the LDAP options at the level of granularity we need to pull this off, so we’ll have to resort to writing the /etc/pam.d/sshd.pam file directly. The solution is to keep the pam_ldap.so module only in the account section. This lets PAM accept users that live in the directory, but it will never validate their LDAP password, because the module is absent from the auth section. On NixOS the option users.ldap.loginPam almost does what we want: disabling it removes the ldap module from all the sections, but we still need it in the account section for the directory users to be accepted.
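The setup described in the last three paragraphs (LDAP users through NSS, public keys served by an AuthorizedKeysCommand, and a hand-written sshd PAM stack with pam_ldap.so only in the account section), as one NixOS configuration. This is an added example, not the author’s config: it assumes a hypothetical directory at ldap://ldap.example.org with users under ou=users,dc=example,dc=org and keys stored in an sshPublicKey attribute (the attribute name follows the common openssh-lpk schema but is an assumption here), the NixOS options users.ldap.*, services.openssh.authorizedKeysCommand, services.openssh.authorizedKeysCommandUser, services.openssh.settings and security.pam.services.sshd.text, and the pam_ldap / nss_pam_ldapd packages from nixpkgs.

```nix
{ config, pkgs, ... }:

let
  # Assumed directory layout: adjust URI, base DN and attribute name to match
  # your server. "sshPublicKey" follows the openssh-lpk schema.
  ldapUri  = "ldap://ldap.example.org";
  userBase = "ou=users,dc=example,dc=org";

  # NixOS ships pam_ldap.so in one of two packages depending on whether nslcd
  # (users.ldap.daemon.enable) is in use; pick the matching one.
  pamLdap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;

  # AuthorizedKeysCommand: sshd runs this as "<script> <username>" before the
  # client has authenticated, so the username is attacker controlled. Reject
  # anything outside a safe character set instead of interpolating it into
  # the LDAP filter.
  ldapAuthorizedKeys = pkgs.writeShellScript "ldap-authorized-keys" ''
    set -euo pipefail
    user="$1"
    case "$user" in
      "" | *[!a-zA-Z0-9._-]*) exit 1 ;;
    esac

    # -LLL strips LDIF comments/version lines, ldif-wrap=no keeps long keys on
    # one line. Values LDIF chose to base64-encode ("sshPublicKey:: ...") are
    # decoded; plain ones are printed as-is. Each line is one authorized_keys entry.
    ${pkgs.openldap}/bin/ldapsearch -x -LLL -o ldif-wrap=no \
        -H "${ldapUri}" -b "${userBase}" \
        "(&(objectClass=posixAccount)(uid=$user))" sshPublicKey \
    | while IFS= read -r line; do
        case "$line" in
          "sshPublicKey:: "*)
            printf '%s\n' "''${line#sshPublicKey:: }" | ${pkgs.coreutils}/bin/base64 -d
            echo ;;
          "sshPublicKey: "*)
            printf '%s\n' "''${line#sshPublicKey: }" ;;
        esac
      done
  '';
in
{
  users.ldap = {
    enable = true;
    server = ldapUri;
    base = userBase;
    # Keep NSS (so getent passwd still finds directory users) but do not let
    # NixOS put pam_ldap.so into the auth/password sections of any service,
    # which is what keeps su/sudo from accepting LDAP passwords.
    loginPam = false;
  };

  services.openssh = {
    enable = true;
    settings = {
      # On NixOS releases before 23.05 these are the top-level options
      # passwordAuthentication / kbdInteractiveAuthentication instead.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
    # NixOS always emits AuthorizedKeysCommand itself, so set it through the
    # option rather than extraConfig (sshd keeps the first occurrence).
    authorizedKeysCommand = "${ldapAuthorizedKeys} %u";
    authorizedKeysCommandUser = "nobody";
  };

  # The sshd PAM stack, hand-written: pam_ldap.so appears only in the account
  # section, so PAM accepts directory users but never validates their LDAP
  # password. sshd only reaches the auth section for password/keyboard-
  # interactive logins, which are disabled above.
  security.pam.services.sshd.text = ''
    auth     required   pam_unix.so
    account  required   pam_unix.so
    account  sufficient ${pamLdap}/lib/security/pam_ldap.so
    password required   pam_deny.so
    session  required   pam_unix.so
    session  required   pam_loginuid.so
    session  required   pam_mkhomedir.so skel=/etc/skel umask=0077
  '';
}
```

A quick check after a rebuild: `getent passwd someuser` must still resolve directory users (that is NSS, untouched by loginPam), `sudo -u nobody /nix/store/...-ldap-authorized-keys someuser` must print that user’s keys, and `su someuser` from another account must fail with a wrong-password error even when the LDAP password is correct.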

So now this seems to be working pretty well, but there’s one last thing I wanted to add: I would like to allow a few selected users to use sudo, to let them handle administrative tasks on the server. The problem here is that sudo will try to authenticate the user

#linux #ldap #pam #nss #ssh #pubkey