On 03/28/2012 09:59 AM, Olivier wrote:
Hello there
Not sure that this is feasible nor that this is the right place
to submit this question, but I think it is.
I use sssd to deal with authentication on my Linux boxes:
OK
I also know how to use the EXTERNAL SASL mechanism to bind to my
LDAP server: I have produced and installed a certificate with
an appropriate subject and signed it by a CA that is known
by my LDAP server. Like this, I can bind to the server over TLS
with my identity and without providing any password.
$ ldapsearch -ZZ uid=olivier
SASL/EXTERNAL authentication started
SASL username:
0.9.2342.19200300.100.1.1=guillard,ou=staff,dc=example,dc=fr
SASL SSF: 0
...response...
Right : nothing new.
I was now wondering if there would be any way to announce
my certificate using the "EXTERNAL SASL mechanism"
over a login process to a Linux box (let's say using ssh), so that
PAM would not ask me to type a "login" and a "password" to
log in?
Don't hesitate to fire if my question is stupid.
Thanks,
---
Olivier
PS, to rephrase that: I'm looking for a way to use a personal key
to log in without having to provide a password. ssh keys are not
the right solution because I would need to install the public key
in every authorized_keys on my network (I would like a centralized
solution).
I also found this :
http://code.google.com/p/openssh-lpk/
But I don't want to patch ssh if possible since I highly prefer to
use standard tools provided as much as possible.
I'm on Red Hat 6.
Are you sshing from Windows or Linux?
I am not sure how you can do it with just a key or a cert.
SSH does not support cert authentication but in RHEL there have been
some patches to support X509 certs though I am not sure how exactly
it would work.
If you use Kerberos and/or IPA for your Linux/UNIX environment you
can provision a user keytab to the machine from which you ssh and
script around the ssh call to do kinit with the user key in the keytab.
Then you will not be asked for anything. kinit will acquire the
ticket using the principal you scripted. It would use the key that
you provisioned. And the SSH would use GSSAPI to log you into the
box.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
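As an added example (not code from the thread, nor from SSSD or IPA), a wrapper along the lines Dmitri describes: it obtains a TGT from a user keytab with kinit into a private credential cache, then runs ssh restricted to gssapi-with-mic so a GSSAPI failure never degrades into a password prompt. The keytab path, principal and realm are placeholders; the KINIT/KLIST/KDESTROY/SSH variables exist only so the logic can be exercised without a KDC.

```shell
#!/bin/sh
# krb_ssh.sh: log in over ssh with a Kerberos ticket taken from a user keytab.
# Placeholder values (assumed, not from the thread): keytab path and principal.
set -e

KEYTAB="${KEYTAB:-$HOME/.krb5/user.keytab}"     # assumed keytab location
PRINCIPAL="${PRINCIPAL:-olivier@EXAMPLE.FR}"    # assumed user principal

# Binaries are overridable so the control flow can be tested without a KDC.
KINIT="${KINIT:-kinit}"
KLIST="${KLIST:-klist}"
KDESTROY="${KDESTROY:-kdestroy}"
SSH="${SSH:-ssh}"

# Private credential cache: the scripted identity must not clobber the
# user's default ccache, and it is destroyed when the ssh session ends.
KRB5CCNAME="FILE:${TMPDIR:-/tmp}/krb5cc_ssh_$$"
export KRB5CCNAME

# Exit 0 if the cache already holds an unexpired TGT (klist -s is silent).
ticket_valid() { "$KLIST" -s 2>/dev/null; }

# Obtain a TGT from the keytab only when needed; kinit -k -t never prompts.
acquire_ticket() {
    if ticket_valid; then return 0; fi
    [ -r "$KEYTAB" ] || { echo "keytab $KEYTAB is not readable" >&2; return 1; }
    "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL"
}

# Only gssapi-with-mic is offered: if GSSAPI fails, ssh fails instead of
# falling back to a password prompt. The TGT is not delegated to the host.
krb_ssh() {
    acquire_ticket || return 1
    trap '"$KDESTROY" 2>/dev/null || true' EXIT
    "$SSH" -o GSSAPIAuthentication=yes \
           -o GSSAPIDelegateCredentials=no \
           -o PreferredAuthentications=gssapi-with-mic \
           "$@"
}

# Runs only when given arguments:  ./krb_ssh.sh user@host [ssh options]
[ $# -eq 0 ] || krb_ssh "$@"
```

The remote sshd must have GSSAPIAuthentication enabled and a host principal for the box; the wrapper only removes the client-side prompt.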