Reference snippets for cloud-init provisioning

Cloud-init is an industry-standard method for cloud instance initialization. It can also be used to provision client machines during Ubuntu installation.

This page provides example snippets, which can be used in your own cloud config YAML files to deploy and configure authd on Ubuntu at scale.

Setup

If using these snippets as part of a cloud config file, set the appropriate header, identifying the file to cloud-init with #cloud-config and enabling Jinja templating with ## template: jinja.

## template: jinja
#cloud-config

Variables

Define the Jinja template variables used by the snippets below, replacing the placeholders with the issuer ID and client ID of your identity provider:

{% set ISSUER_ID = '<your_issuer_id>' %}
{% set CLIENT_ID = '<your_client_id>' %}

Install authd

Add the authd PPA to the system’s software sources and install authd:

apt:
  sources:
      source1:
          source: 'ppa:ubuntu-enterprise-desktop/authd'

packages:
  - authd

Install broker

Install the broker as a snap. Use the snippet for the broker you are deploying (Google or Microsoft Entra ID):

Google:

snap:
  commands:
    - ['install', 'authd-google']

Microsoft Entra ID:

snap:
  commands:
    - ['install', 'authd-msentraid']

Tip

For more information on installing authd and its brokers, read the installation guide.

Install authd and apply configurations

To complete the setup:

  • Configure SSH for user login

  • Upgrade packages

  • Configure authd and the broker

  • Restart the services for the changes to take effect

Important

Edit the allowed suffixes as appropriate, both in the sshd Match User line and in the ssh_allowed_suffixes setting.

Google:

write_files:
  - path: /etc/ssh/sshd_config.d/authd.conf
    content: |
      UsePAM yes
      Match User *@example.com
          KbdInteractiveAuthentication yes

runcmd:
  - apt-get upgrade -y
  - sed -i 's|<CLIENT_ID>|{{ CLIENT_ID }}|g; s|<ISSUER_ID>|{{ ISSUER_ID }}|g' /var/snap/authd-google/current/broker.conf
  - echo 'ssh_allowed_suffixes = @example.com' >> /var/snap/authd-google/current/broker.conf
  - sed -i 's/^\(LOGIN_TIMEOUT\t\t\)[0-9]\+/\1360/' /etc/login.defs
  - mkdir -p /etc/authd/brokers.d/
  - cp /snap/authd-google/current/conf/authd/google.conf /etc/authd/brokers.d/
  - snap restart authd-google
  - systemctl restart authd ssh

Microsoft Entra ID:

write_files:
  - path: /etc/ssh/sshd_config.d/authd.conf
    content: |
      UsePAM yes
      Match User *@example.onmicrosoft.com
          KbdInteractiveAuthentication yes

runcmd:
  - apt-get upgrade -y
  - sed -i 's|<CLIENT_ID>|{{ CLIENT_ID }}|g; s|<ISSUER_ID>|{{ ISSUER_ID }}|g' /var/snap/authd-msentraid/current/broker.conf
  - echo 'ssh_allowed_suffixes = @example.onmicrosoft.com' >> /var/snap/authd-msentraid/current/broker.conf
  - sed -i 's/^\(LOGIN_TIMEOUT\t\t\)[0-9]\+/\1360/' /etc/login.defs
  - mkdir -p /etc/authd/brokers.d/
  - cp /snap/authd-msentraid/current/conf/authd/msentraid.conf /etc/authd/brokers.d/
  - snap restart authd-msentraid
  - systemctl restart authd ssh
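A post-provisioning check for the runcmd steps above, added here as an example that is not part of the authd docs or project: it replays the sed substitution on a constructed stand-in for broker.conf (the key names are constructed; only the <CLIENT_ID> and <ISSUER_ID> markers come from the page) and fails if any placeholder survives, including an unedited <your_client_id> from the Variables section, or if the suffix in ssh_allowed_suffixes does not match the sshd Match User pattern.

```shell
#!/bin/sh
# Added example, not from the authd project: replay the runcmd substitution on a
# constructed broker.conf stand-in and verify the result. The key names below are
# constructed; the real template only guarantees the <CLIENT_ID>/<ISSUER_ID> markers.

BROKER_TEMPLATE='issuer_id = <ISSUER_ID>
client_id = <CLIENT_ID>'

# Constructed copy of the sshd drop-in the write_files snippet installs.
SSHD_CONF='UsePAM yes
Match User *@example.com
    KbdInteractiveAuthentication yes'

# Same sed expression as the runcmd, then the appended ssh_allowed_suffixes line.
# $1=template text  $2=client id  $3=issuer id  $4=allowed suffix
render_broker_conf() {
    printf '%s\n' "$1" | sed "s|<CLIENT_ID>|$2|g; s|<ISSUER_ID>|$3|g"
    printf 'ssh_allowed_suffixes = %s\n' "$4"
}

# Non-zero if any <...> token survived: either the sed did not run, or the Jinja
# variables still hold the literal '<your_client_id>' from the Variables section.
no_placeholders_left() {
    ! printf '%s\n' "$1" | grep -q '<[A-Za-z_][A-Za-z_]*>'
}

# The suffix the broker accepts must equal the one sshd routes through PAM/authd,
# otherwise the Match block never applies to the users the broker accepts.
suffix_matches_sshd() {
    broker_suffix=$(printf '%s\n' "$1" | sed -n 's/^ssh_allowed_suffixes *= *//p')
    sshd_suffix=$(printf '%s\n' "$2" | sed -n 's/^Match User \*\(@[^ ]*\).*/\1/p')
    [ -n "$broker_suffix" ] && [ "$broker_suffix" = "$sshd_suffix" ]
}

# Run both checks on a rendered config; the exit status is the verdict.
check_rendered() {
    no_placeholders_left "$1" && suffix_matches_sshd "$1" "$SSHD_CONF"
}
```

To check a real instance, feed the contents of /var/snap/<broker>/current/broker.conf and /etc/ssh/sshd_config.d/authd.conf to check_rendered and suffix_matches_sshd instead of the constructed strings.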

Tip

For more information on configuring authd, read the configuration guide.

Authentication

Once the script is deployed, user login should be possible with authd.

For example, using SSH:

ssh <username>@<host>

Additional information