Reference snippets for Landscape deployment script

Landscape is a systems management tool for the remote provisioning and management of Ubuntu machines.

Landscape can be used to remotely execute scripts on client machines.

This page provides example snippets that can be used in your own deployment scripts to install and configure authd on Ubuntu machines at scale.

Note

When you deploy the final script using Landscape, ensure that the script is run as the root user.

Setup

Define the following environmental variables:

ISSUER_ID=<ISSUER_ID>
CLIENT_ID=<CLIENT_ID>

Installation

Install the authd deb and the broker snap:

Google IAM

add-apt-repository -y ppa:ubuntu-enterprise-desktop/authd
apt-get upgrade -y
apt-get install -y authd
snap install authd-google

Microsoft Entra ID

add-apt-repository -y ppa:ubuntu-enterprise-desktop/authd
apt-get upgrade -y
apt-get install -y authd
snap install authd-msentraid

Tip

For more information on installing authd and its brokers, read the installation guide.

Configuration

Configure authd and the broker:

Google IAM

sed -i "s|<CLIENT_ID>|$CLIENT_ID|g; s|<ISSUER_ID>|$ISSUER_ID|g" /var/snap/authd-google/current/broker.conf
echo "ssh_allowed_suffixes = @example.com" >> /var/snap/authd-google/current/broker.conf
mkdir -p /etc/authd/brokers.d/
cp /snap/authd-google/current/conf/authd/google.conf /etc/authd/brokers.d/
cat <<EOF >> /etc/ssh/sshd_config.d/authd.conf
UsePAM yes
Match User *@example.com
    KbdInteractiveAuthentication yes
EOF

Microsoft Entra ID

sed -i "s|<CLIENT_ID>|$CLIENT_ID|g; s|<ISSUER_ID>|$ISSUER_ID|g" /var/snap/authd-msentraid/current/broker.conf
echo "ssh_allowed_suffixes = @example.onmicrosoft.com" >> /var/snap/authd-msentraid/current/broker.conf
mkdir -p /etc/authd/brokers.d/
cp /snap/authd-msentraid/current/conf/authd/msentraid.conf /etc/authd/brokers.d/
cat <<EOF >> /etc/ssh/sshd_config.d/authd.conf
UsePAM yes
Match User *@example.onmicrosoft.com
    KbdInteractiveAuthentication yes
EOF

Tip

For more information on configuring authd, read the configuration guide.

Restart the services

Restart the authd daemon, the broker snap, and the SSH service:

Google IAM

systemctl restart authd ssh
snap restart authd-google

Microsoft Entra ID

systemctl restart authd ssh
snap restart authd-msentraid

When you have a complete script, add it to the Landscape dashboard to run as the root user before executing on the target machines.

Authentication

Once the script is deployed, user login should be possible with authd.

For example, using SSH:

ssh <username>@<host>

Additional information

• Blog on Entra ID authentication on Ubuntu at scale

• Video on Entra ID authentication on Ubuntu Desktop at scale