The following describes how to fetch the users' public keys from an LDAP server, have One Identity Safeguard for Privileged Sessions (SPS) generate a keypair on the fly that is used in the server-side connection, and upload the public key of that pair to the LDAP database.
To configure public-key authentication using an LDAP server and generated keys

1. Navigate to Traffic Controls > SSH > Authentication Policies and create a new Authentication Policy.
2. Select Authenticate the client to SPS using > LDAP > Public key, and deselect all other options.
3. Select Relayed authentication methods > Public key > Publish to LDAP, and deselect all other options.
4. Click Commit.
5. Navigate to Policies > LDAP Servers and create a new LDAP policy.
6. Enter the parameters of the LDAP server. For details, see Authenticating users to an LDAP server.
7. If the LDAP attribute that stores the public keys of the users is not sshPublicKey, enter its name into the Publickey attribute name field.
   Caution: The public keys stored in the LDAP database must be in OpenSSH format, that is, the one-line "<key type> <base64 blob> [comment]" form written by ssh-keygen, not an RFC 4716 or PEM block.
8. Enter the name of the LDAP attribute into which SPS uploads the generated public keys into the Generated publickey attribute name field. The account SPS binds to the LDAP server with must have write access to this attribute, otherwise the upload fails.
9. Click Commit.
10. Navigate to Traffic Controls > SSH > Connections and create a new Connection.
11. Enter the IP addresses of the clients and the servers into the From and To fields.
12. Select the authentication policy created in Step 1 from the Authentication Policy field.
13. Select the LDAP policy created in Step 5 from the LDAP Server field.
14. If the server accepts the user only from a specific IP address, select the Use original IP address of the client radio button in the SNAT field.
15. Configure the other options of the connection as necessary.
16. Click Commit.
17. To test the above settings, initiate a connection from the client machine to the server.
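The caution about key format is the step that most often goes wrong in practice: a key pasted into the directory as an RFC 4716 block, or with a type prefix that does not match the encoded blob, is not a valid OpenSSH public key. The following added example (written for this page, not code from the SPS product or its documentation) is a small offline check you can run over an LDIF export of the user entries (for instance the output of ldapsearch -LLL) before enabling the connection. It unfolds LDIF continuation lines, decodes each value of the public-key attribute, verifies that the type prefix matches the type string embedded in the blob and that the blob parses cleanly, and reports entries that have no key at all. The attribute name sshPublicKey, the DNs and the key material below are constructed sample data.

```python
import base64
import struct


def _read_ssh_string(blob: bytes, offset: int):
    """Read one uint32-length-prefixed string from an SSH wire-format blob."""
    if len(blob) < offset + 4:
        raise ValueError("blob truncated before length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    if length > len(blob) - offset - 4:
        raise ValueError("string length exceeds blob")
    end = offset + 4 + length
    return blob[offset + 4:end], end


def parse_openssh_pubkey(line: str):
    """Return (key_type, comment) for a valid OpenSSH one-line public key, else raise ValueError."""
    line = line.strip()
    if line.startswith(("----", "-----BEGIN")):
        raise ValueError("PEM/RFC 4716 block, not OpenSSH one-line format")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"base64 decode failed: {exc}") from None
    embedded, offset = _read_ssh_string(blob, 0)
    if embedded != key_type.encode():
        raise ValueError(f"type prefix {key_type!r} does not match embedded type {embedded!r}")
    # The common key types (ssh-rsa, ecdsa-sha2-*, ssh-ed25519) consist solely of
    # length-prefixed strings, so the blob must parse to exactly its end.
    fields = []
    while offset < len(blob):
        field, offset = _read_ssh_string(blob, offset)
        fields.append(field)
    if key_type == "ssh-ed25519" and (len(fields) != 1 or len(fields[0]) != 32):
        raise ValueError("ssh-ed25519 blob must carry exactly one 32-byte key")
    return key_type, comment


def parse_ldif(text: str):
    """Minimal LDIF reader: unfolds ' '-continued lines, decodes 'attr:: base64' values,
    returns a list of {'dn': ..., 'attrs': {name: [values]}}."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def check_entries(ldif_text: str, attr: str = "sshPublicKey"):
    """Classify every value of `attr` per entry: (dn, key_type or None, ok, comment or reason)."""
    report = []
    for entry in parse_ldif(ldif_text):
        values = entry["attrs"].get(attr, [])
        if not values:
            report.append((entry["dn"], None, False, f"no {attr} attribute"))
        for value in values:
            try:
                key_type, comment = parse_openssh_pubkey(value)
                report.append((entry["dn"], key_type, True, comment))
            except ValueError as exc:
                report.append((entry["dn"], None, False, str(exc)))
    return report


def make_openssh_line(key_type: str, fields, comment: str = "") -> str:
    """Encode SSH wire-format strings into an OpenSSH one-line key (used here only to build sample data)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(), *fields))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()


# Constructed sample data, not keys or entries from a real directory.
GOOD_KEY = make_openssh_line("ssh-ed25519", [bytes(range(32))], "alice@example.com")
MISMATCH_KEY = "ssh-rsa " + GOOD_KEY.split()[1]        # prefix says RSA, blob says ed25519
RFC4716_KEY = "---- BEGIN SSH2 PUBLIC KEY ----"        # header of the RFC 4716 form
SAMPLE_LDIF = f"""# constructed sample export
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
sshPublicKey: {GOOD_KEY[:40]}
 {GOOD_KEY[40:]}

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
sshPublicKey: {MISMATCH_KEY}
sshPublicKey: {RFC4716_KEY}

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
"""

if __name__ == "__main__":
    for dn, key_type, ok, info in check_entries(SAMPLE_LDIF):
        print(f"{'OK ' if ok else 'BAD'} {dn}: {key_type or '-'} {info}")
```

Run it against a real export with the attribute name you configured in Step 7; every BAD line is a user whose public-key authentication through SPS will not work until the directory value is replaced with the one-line OpenSSH form.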