[389-users] SSH Public keys

Paul Robert Marino prmarino1 at gmail.com
Thu Jan 9 21:56:53 UTC 2014


I agree FreeIPA is a good solution, but it does have limitations.

The one downside to it is that you lose some flexibility with FreeIPA. For
instance, in places where you may want strict security policy
separations, like a web application farm or a larger enterprise with
many subsidiaries, you may want to have multiple OUs with different
replication policies and security ACLs; FreeIPA doesn't support that.
On a side note, neither does the MIT Kerberos V server, strictly
speaking, but you can work around that by running multiple instances on
different ports, or you can use a Heimdal Kerberos V server.


On Thu, Jan 9, 2014 at 3:26 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Jonathan Vaughn wrote:
>>
>> We use Kerberos, with LDAP (389DS) as our storage backend, which makes
>> standing up Kerberos servers really easy, and keeps replication in
>> perfect sync unlike normal Kerberos "replication". Together with SSSD
>> and sudo-ldap this all makes a pretty powerful combination.
>>
>> On RHEL/CentOS platforms, install krb5-server-ldap and configure
>> /etc/krb5.conf accordingly:
>>
>> [dbmodules]
>>          REALM = {
>>                  db_library = kldap
>>                  ldap_kerberos_container_dn = "dc=some,dc=container"
>>                  ldap_kdc_dn = "uid=kdc,cn=config"
>>                  ldap_kadmind_dn = "uid=kadmin,cn=config"
>>                  ldap_service_password_file = /var/kerberos/krb5kdc/realm/service.keyfile
>>                  ldap_servers = "ldaps://ldap1.realm ldaps://ldap0.realm ldaps://ldap2.realm"
>>          }
>>
>> Of course there's more to it, but you'll have to google the details, I
>> can't remember the details off the top of my head. Create the
>> appropriate LDAP credentials of course, as well as creating the LDAP
>> service.keyfile ...
>
>
> As an aside, if you're interested in doing Kerberos and LDAP together with a
> 389-ds backend you may want to look at the FreeIPA project which handles a
> lot of the integration for you. It also supports storing SSH keys.
>
> rob
>>
>>
>>
>> On Thu, Jan 9, 2014 at 12:42 PM, Paul Robert Marino <prmarino1 at gmail.com> wrote:
>>
>>     Have you considered using Kerberos instead of ssh keys?
>>     It's fairly transparent and doesn't require any patches.
>>
>>
>>     On Thu, Jan 9, 2014 at 1:10 PM, Vesa Alho <listat at alho.fi> wrote:
>>      >>> I'm just wondering if anyone has experience storing public keys in 389
>>      >>> directory server to allow a user to login using an ssh-key rather than a
>>      >>> password? I am running the server on Ubuntu 13.10 and the client is
>>      >>> Ubuntu 12.04.
>>      >
>>      >
>>      > Last time I checked it requires patched openssh-server for Ubuntu. Check
>>      > this: https://marc.waeckerlin.org/computer/blog/ssh_and_ldap
>>      >
>>      > -Vesa
>>      >
>>      >
>>      > --
>>      > 389 users mailing list
>>      > 389-users at lists.fedoraproject.org
>>      > https://admin.fedoraproject.org/mailman/listinfo/389-users
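The thread's original question is whether public keys held in 389 Directory Server can drive ssh logins, and Vesa's answer notes that on the poster's Ubuntu release this needs a patched openssh-server. Whatever delivers the keys to sshd, the directory has to be treated as untrusted input: the helper that pulls a user's keys should hand sshd only values that are well-formed OpenSSH public key lines and drop everything else. The following is an added example (not code from this thread, from 389DS, or from OpenSSH) of that lookup-and-validate step, written as the kind of helper sshd's AuthorizedKeysCommand would run on OpenSSH builds that have that option. It reads a constructed LDIF export instead of querying the server, and it assumes the `sshPublicKey` attribute and `ldapPublicKey` object class of the openssh-lpk schema, which the thread does not name; the DNs, uids and key material are made up.

```python
from __future__ import annotations
import base64
import binascii
import struct

# Key types this helper will forward to sshd. A value whose first token is
# anything else (an unknown algorithm, or an authorized_keys option prefix such
# as command="...") is rejected outright.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_blob(key_type: str, *fields: bytes) -> str:
    """Base64 blob of an OpenSSH public key line. Used here only to build the
    constructed sample data; the field contents are dummy, not real keys."""
    raw = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr::' base64
    values and lower-cases attribute names (LDAP names are case-insensitive)."""
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # folded continuation of the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfolded:
        if not line.strip():                    # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):               # attr:: <base64 value>
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def parse_ssh_public_key(line: str) -> tuple[str, str, str] | None:
    """(type, base64, comment) for a well-formed OpenSSH public key line, else None.
    Checks: allowed type, strict base64, and the type string embedded in the
    blob must equal the declared type (a mislabelled blob is rejected)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return None
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        return None
    return key_type, b64, " ".join(parts[2:])


def authorized_keys_for(uid: str, ldif_text: str) -> list[str]:
    """The uid's keys in authorized_keys format; malformed values are dropped."""
    keys: list[str] = []
    for entry in parse_ldif(ldif_text):
        if entry.get("uid") != [uid]:
            continue
        for value in entry.get("sshpublickey", []):
            parsed = parse_ssh_public_key(value)
            if parsed is None:
                continue                        # never forward junk to sshd
            key_type, b64, comment = parsed
            keys.append(f"{key_type} {b64} {comment}".rstrip())
    return keys


# Constructed sample export of two entries (assumed openssh-lpk schema).
ED25519_BLOB = make_blob("ssh-ed25519", bytes(range(32)))
RSA_BLOB = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + bytes(range(64)))
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: ldapPublicKey
uid: alice
sshPublicKey: ssh-ed25519 {ED25519_BLOB} alice@laptop
sshPublicKey: ssh-rsa {RSA_BLOB}
  alice@old-workstation
sshPublicKey: ssh-rsa {ED25519_BLOB} declared-type-does-not-match-blob
sshPublicKey: ssh-rsa not+base64!!! junk
sshPublicKey: command="/bin/false" ssh-ed25519 {ED25519_BLOB} options-rejected

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
"""

if __name__ == "__main__":
    for key in authorized_keys_for("alice", SAMPLE_LDIF):
        print(key)
```

Of alice's five stored values only the first two survive: the one with a mismatched embedded type, the non-base64 one, and the one carrying an authorized_keys option prefix are all discarded rather than passed on. In a real deployment the helper would fetch the entry over ldaps with ldapsearch and apply the same checks, and the directory ACLs that decide who may write `sshPublicKey` become the control that gates who can log in, so they deserve the same review as the keys themselves.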


