Cloud VPS instances do some interesting things with sshd config. This page will try to explain what we do, why we do it, and offer some troubleshooting tips for when things go wrong.
The ::ldap::client::utils Puppet class provisions our custom /usr/sbin/ssh-key-ldap-lookup script. This script is used by sshd to fetch a list of authorized keys for a given user from the LDAP directory.
- /etc/pam.d/common-session - we configure pam_mkhomedir.so to create missing $HOME directories
- /etc/security/access.conf - we add config to restrict authn to a particular group ($::projectgroup)
Check the ssh keys
Compare auth.log records to /usr/sbin/ssh-key-ldap-lookup <user> output to validate the key being presented. Be warned that ed25519 keys may not look the same in both outputs even when they are due to differences in the hash logging.
Check for project membership
If the auth.log output has something like "Fatal: Access denied for user $USER by PAM account configuration [preauth]", chances are pretty good that the user exists in LDAP but is not a member of the project.