I have configured this. I will see if I can find my notes and post them on here!
Sean O'Reilly
On Thu 09/01/14 4:59 PM, "Conor O'Callaghan" brioscaibriste@gmail.com sent:
Hi all,
I'm just wondering if anyone has experience storing public keys in 389 directory server to allow a user to login using an ssh-key rather than a password? I am running the server on Ubuntu 13.10 and the client is Ubuntu 12.04.
Thanks all,
Conor
389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Last time I checked it requires patched openssh-server for Ubuntu. Check this: https://marc.waeckerlin.org/computer/blog/ssh_and_ldap
-Vesa
Have you considered using Kerberos instead of ssh keys? It's fairly transparent and doesn't require any patches.
We use Kerberos, with LDAP (389DS) as our storage backend, which makes standing up Kerberos servers really easy, and keeps replication in perfect sync unlike normal Kerberos "replication". Together with SSSD and sudo-ldap this all makes a pretty powerful combination.
On RHEL/CentOS platforms, install krb5-server-ldap and configure /etc/krb5.conf accordingly:
[dbmodules]
    REALM = {
        db_library = kldap
        ldap_kerberos_container_dn="dc=some,dc=container"
        ldap_kdc_dn = "uid=kdc,cn=config"
        ldap_kadmind_dn = "uid=kadmin,cn=config"
        ldap_service_password_file = /var/kerberos/krb5kdc/realm/service.keyfile
        ldap_servers = "ldaps://ldap1.realm ldaps://ldap0.realm ldaps://ldap2.realm"
    }
Of course there's more to it, but you'll have to google the details, I can't remember the details off the top of my head. Create the appropriate LDAP credentials of course, as well as creating the LDAP service.keyfile ...
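The realm setup Jonathan describes, as an added shell example (not code from the thread or from MIT Kerberos): gen_dbmodules writes the [dbmodules] stanza for a realm, check_ldap_uris refuses any plain ldap:// URI so the uid=kdc and uid=kadmin bind passwords only ever travel over TLS, check_keyfile_mode verifies the service.keyfile permissions, and setup_realm shows the kdb5_ldap_util calls that create the realm and stash the two service passwords. The realm EXAMPLE.COM, the container and subtree DNs, the bind DN and the host names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build the krb5.conf [dbmodules] stanza
# for a KDC whose database lives in 389 DS, and sanity-check the pieces the
# stanza points at. Realm name, container DN and host names are constructed
# placeholders.

# Emit the [dbmodules] stanza for a realm. Arguments: realm, Kerberos
# container DN, service password file, space-separated list of LDAP URIs.
# The output is meant to be appended to /etc/krb5.conf on the KDC.
gen_dbmodules() {
    realm="$1"; container="$2"; keyfile="$3"; servers="$4"
    printf '[dbmodules]\n'
    printf '    %s = {\n' "$realm"
    printf '        db_library = kldap\n'
    printf '        ldap_kerberos_container_dn = "%s"\n' "$container"
    printf '        ldap_kdc_dn = "uid=kdc,cn=config"\n'
    printf '        ldap_kadmind_dn = "uid=kadmin,cn=config"\n'
    printf '        ldap_service_password_file = %s\n' "$keyfile"
    printf '        ldap_servers = "%s"\n' "$servers"
    printf '    }\n'
}

# Succeed only if every URI uses ldaps://. The KDC binds as uid=kdc with the
# password stashed in the service file; over plain ldap:// that bind and every
# principal record the KDC reads would cross the network unencrypted.
check_ldap_uris() {
    for uri in $1; do
        case "$uri" in
            ldaps://*) ;;
            *) echo "refusing non-TLS LDAP URI: $uri" >&2; return 1 ;;
        esac
    done
    return 0
}

# Succeed only if the service password file exists and is mode 0600; it
# holds the stashed bind passwords for uid=kdc and uid=kadmin.
# (stat -c is GNU coreutils; BSD stat spells it stat -f %Lp.)
check_keyfile_mode() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# One-time realm creation on the KDC host. Needs krb5-server-ldap and a
# reachable directory, so it is not run automatically. Arguments: realm,
# subtree DN where principal entries live, service password file, LDAP URI.
# The bind DN is a placeholder; kdb5_ldap_util prompts for its password.
setup_realm() {
    realm="$1"; subtree="$2"; keyfile="$3"; uri="$4"
    # Create the realm under ldap_kerberos_container_dn (read from krb5.conf);
    # -subtrees says where principals are searched for, -s stashes the master key.
    kdb5_ldap_util -D "cn=Directory Manager" -H "$uri" \
        create -subtrees "$subtree" -r "$realm" -s
    # Stash the bind passwords of the two service DNs named in the stanza.
    kdb5_ldap_util -D "cn=Directory Manager" -H "$uri" \
        stashsrvpw -f "$keyfile" uid=kdc,cn=config
    kdb5_ldap_util -D "cn=Directory Manager" -H "$uri" \
        stashsrvpw -f "$keyfile" uid=kadmin,cn=config
}

# Demo: print the stanza for a constructed realm when invoked with "demo".
if [ "${1:-}" = "demo" ]; then
    servers="ldaps://ldap1.realm ldaps://ldap0.realm ldaps://ldap2.realm"
    check_ldap_uris "$servers" &&
        gen_dbmodules EXAMPLE.COM "cn=krbcontainer,dc=example,dc=com" \
            /var/kerberos/krb5kdc/realm/service.keyfile "$servers"
fi
```

Run it with `sh setup.sh demo` to see the stanza; setup_realm is left for the operator to call on the KDC once the service accounts exist in the directory, and the two checks are the ones worth repeating after every config change.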
As an aside, if you're interested in doing Kerberos and LDAP together with a 389-ds backend you may want to look at the FreeIPA project which handles a lot of the integration for you. It also supports storing SSH keys.
rob
I agree FreeIPA is a good solution but it does have limitations
The one downside to it is you lose some flexibility with FreeIPA. For instance, in places where you may want strict security policy separations, like a web application farm or a larger enterprise with many subsidiaries, you may want to have multiple OUs with different replication policies and security ACLs; FreeIPA doesn't support that. On a side note, neither does the MIT Kerberos V server, strictly speaking, but you can work around that by running multiple instances on different ports, or you can use a Heimdal Kerberos V server.
Hello Paul!
On 9.1.2014 22:56, Paul Robert Marino wrote:
I agree FreeIPA is a good solution but it does have limitations
The one downside to it is you lose some flexibility with FreeIPA. For instance, in places where you may want strict security policy separations, like a web application farm or a larger enterprise with many subsidiaries, you may want to have multiple OUs with different replication policies and security ACLs; FreeIPA doesn't support that.
Could you elaborate what you miss in FreeIPA, please? We want to know what we miss for which use cases...
Naturally, we can't add missing functionality if nobody tells us what is missing and why it is useful! :-)
Thank you for your time.
Petr^2 Spacek
FreeIPA looks very, very nice indeed, but it doesn't look like it's built and available for Ubuntu :(
There is ongoing effort to port it to Debian/Ubuntu. You are more than welcome to contact freeipa-devel list [1] and help us with that.
Have a nice day!
[1] https://www.redhat.com/mailman/listinfo/freeipa-devel
Ah, it seems it can be done in newer versions of OpenSSH (6.2p2) with the command mentioned on the blog (https://marc.waeckerlin.org/computer/blog/ssh_and_ldap); the fix has now been ported to Ubuntu also, allowing AuthorizedKeysCommand to be used without any need for patching. Shame I'm not using OpenSSH 6.2 everywhere :), but we'll soon see to that.
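What an AuthorizedKeysCommand for OpenSSH 6.2 and later looks like when the keys live in 389 DS, as an added shell example (not the script from the linked blog, nor code from the thread). It assumes the openssh-lpk style schema (objectClass ldapPublicKey, attribute sshPublicKey), which is an assumption about the directory, and the LDAP URI, base DN and sample entry are constructed placeholders. It validates the login name before building the LDAP filter, unfolds LDIF continuation lines and decodes base64 values, so a folded or base64-encoded key is still returned correctly.

```shell
#!/bin/sh
# Added example (not from the thread or the blog it links): an
# AuthorizedKeysCommand for OpenSSH 6.2+ that fetches sshPublicKey values
# from 389 DS over LDAPS and prints them in authorized_keys format.
# LDAP_URI, BASE_DN and the sample entry below are constructed placeholders.
#
# sshd_config:
#   AuthorizedKeysCommand /usr/local/sbin/ldap-ssh-keys
#   AuthorizedKeysCommandUser nobody
# sshd runs the script as that user with the login name as its only argument,
# and refuses it unless it is owned by root and not group/world writable.

LDAP_URI="${LDAP_URI:-ldaps://ldap1.realm}"
BASE_DN="${BASE_DN:-ou=People,dc=example,dc=com}"

# The login name is the one untrusted input. Restricting it to a plain POSIX
# user name means it can never carry LDAP filter metacharacters ( ) * \ ,
# so interpolating it into the filter below is safe without escaping.
valid_login_name() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# Query the directory for the user's entry, returning bare LDIF (-LLL).
# Assumes the ldapPublicKey objectClass from the openssh-lpk schema.
fetch_keys_ldif() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" \
        "(&(objectClass=ldapPublicKey)(uid=$1))" sshPublicKey
}

# Print one sshPublicKey value. LDIF writes values that need it as base64
# after a double colon, so decode those (base64 -d is GNU coreutils).
emit_key() {
    case "$1" in
        "sshPublicKey:: "*)
            v=$(printf '%s' "${1#sshPublicKey:: }" | base64 -d) || return 1
            printf '%s\n' "$v" ;;
        "sshPublicKey: "*)
            printf '%s\n' "${1#sshPublicKey: }" ;;
    esac
}

# Read LDIF on stdin. Lines starting with a space continue the previous
# line (LDIF folds long values at 76 columns), so unfold before matching.
extract_ssh_keys() {
    prev=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            " "*) prev="$prev${line#?}"; continue ;;
        esac
        emit_key "$prev"
        prev="$line"
    done
    emit_key "$prev"
}

# Constructed LDIF as ldapsearch would return it: one plain value and one
# base64 value folded across two lines (it decodes to
# "ssh-ed25519 AAAAkey2 desktop"; neither string is a real key).
sample_ldif() {
    cat <<'EOF'
dn: uid=conor,ou=People,dc=example,dc=com
sshPublicKey: ssh-ed25519 AAAAkey1 laptop
sshPublicKey:: c3NoLWVkMjU1MTkgQUFBQWtl
 eTIgZGVza3RvcA==
EOF
}

# Entry point used by sshd: exit non-zero (no keys) for anything odd.
run_authorized_keys_command() {
    valid_login_name "$1" || return 1
    fetch_keys_ldif "$1" | extract_ssh_keys
}

if [ $# -eq 1 ]; then
    run_authorized_keys_command "$1"
fi
```

Installed as /usr/local/sbin/ldap-ssh-keys (root-owned, mode 0755), `ssh conor@host` makes sshd run `ldap-ssh-keys conor` and match the offered key against whatever the script prints; the ldapsearch is anonymous here, so the directory's ACLs must allow reading sshPublicKey without a bind, or the script needs a low-privilege bind DN of its own.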