# SSH AuthorizedKeysCommand using LDAP (sakcl)

sakcl (pronounced 'sackle' like 'handle') is designed to be called
by OpenSSH as the [AuthorizedKeysCommand](http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5#AuthorizedKeysCommand).
It is simple to install and simple to configure and works with the other
defaults of OpenSSH.
## Installation
### Cargo
```bash
cargo install sakcl
```
### Binary Packages
```bash
wget 'https://gitlab.com/cardoe/sakcl/-/jobs/artifacts/master/download?job=release'
unzip artifacts.zip
```
## Configuration
By default the configuration file is located at `/etc/sakcl.conf`. This
can be overridden by providing the `-c /path/to/config` argument before
the username.
The configuration file must look like:
```toml
uri = "ldaps://ldap.host.name"
base = "ou=Users,dc=company,dc=com"
# basedn and bindpw are optional parameters
basedn = "dn=serviceacct,ou=Users,dc=company,dc=com"
bindpw = "12345"
# otherwise it is passed directly to the LDAP search
filter = "(&(objectClass=posixAccount)(uid=*))"
attr = "attribute-with-ssh-public-key"
```
Once this is configured you can test that it works by running:
```bash
sakcl your-ldap-uid
```
You should see your SSH public key displayed on stdout. To finish
configuring your system to use this, change the
[AuthorizedKeysCommand](http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5#AuthorizedKeysCommand)
to point to your `sakcl` binary and change
[AuthorizedKeysCommandUser](http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5#AuthorizedKeysCommandUser)
to an unprivileged account name. Lastly, change the ownership of
`/etc/sakcl.conf` to the unprivileged account name and set the mode to
octal `0400`.
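
The script below audits the result of the steps above. It is an added example, not part of sakcl. The account name `sakcl`, the binary path `/usr/local/bin/sakcl` and the script name `audit.sh` are assumptions; substitute your own.

```bash
#!/bin/sh
# Added example (not part of sakcl): audit the deployment described above.
# Hypothetical names: account "sakcl", binary /usr/local/bin/sakcl.

# Print "<octal-mode> <owner>" for a path (GNU stat first, then BSD stat).
mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1" 2>/dev/null
}

# check_conf FILE USER
# The config file can hold the LDAP bind password, so it must be owned by
# the AuthorizedKeysCommandUser account and have mode 0400.
check_conf() {
    conf=$1 want_user=$2
    mo=$(mode_owner "$conf") || { echo "FAIL: cannot stat $conf"; return 1; }
    mode=${mo%% *} owner=${mo#* }
    rc=0
    [ "$mode" = 400 ] || { echo "FAIL: $conf mode is $mode, expected 400"; rc=1; }
    [ "$owner" = "$want_user" ] || { echo "FAIL: $conf owner is $owner, expected $want_user"; rc=1; }
    return $rc
}

# check_sshd BIN
# Reads sshd configuration text on stdin (sshd_config, or `sshd -T` output).
# Keywords are case-insensitive and the first occurrence wins, as in sshd.
# Match blocks are not evaluated; pipe in `sshd -T` for the effective values.
check_sshd() {
    awk -v bin="$1" '
        tolower($1) == "authorizedkeyscommand"     && !c { cmd = $2;  c = 1 }
        tolower($1) == "authorizedkeyscommanduser" && !u { user = $2; u = 1 }
        END {
            if (cmd != bin) {
                print "FAIL: AuthorizedKeysCommand is \"" cmd "\", expected " bin; rc = 1
            }
            if (user == "" || user == "root") {
                print "FAIL: AuthorizedKeysCommandUser must be an unprivileged account"; rc = 1
            }
            exit rc + 0
        }'
}

# Usage (as root): sh audit.sh /etc/sakcl.conf sakcl /usr/local/bin/sakcl
if [ "$#" -eq 3 ]; then
    check_conf "$1" "$2" && sshd -T 2>/dev/null | check_sshd "$3" && echo "OK"
fi
```
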