[389-users] SSH Public keys

Petr Spacek pspacek at redhat.com
Fri Jan 10 07:14:00 UTC 2014 

Hello Paul!

On 9.1.2014 22:56, Paul Robert Marino wrote:
> I agree FreeIPA is a good solution but it does have limitations
>
> the one down side to it is you loose some flexibility with FreeIPA for
> instance in  in places where you may want strict security policy
> separations like a web application farm or a larger enterprises with
> many subsidiaries you may want to have multiple OU's with different
> replication policies and security ACL's FreeIPA doesn't support that.

Could you elaborate what you miss in FreeIPA, please? We want to know what we 
miss for which use cases...

Naturally, we can't add missing functionality if nobody tells us what is 
missing and why it is useful! :-)

Thank you for your time.

Petr^2 Spacek

> On a side note neither does the MIT kerberos V server strictly
> speaking but you can workaround that by running multiple instances on
> different ports or you can use a Heimdal kerberos V server.
>
>
> On Thu, Jan 9, 2014 at 3:26 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Jonathan Vaughn wrote:
>>>
>>> We use Kerberos, with LDAP (389DS) as our storage backend, which makes
>>> standing up Kerberos servers really easy, and keeps replication in
>>> perfect sync unlike normal Kerberos "replication". Together with SSSD
>>> and sudo-ldap this all makes a pretty powerful combination.
>>>
>>> On RHEL/CentOS platforms, install krb5-server-ldap and configure
>>> /etc/krb5.conf accordingly:
>>>
>>> [dbmodules]
>>>           REALM = {
>>>                   db_library = kldap
>>>                   ldap_kerberos_container_dn="dc=some,dc=container"
>>>                   ldap_kdc_dn = "uid=kdc,cn=config"
>>>                   ldap_kadmind_dn = "uid=kadmin,cn=config"
>>>                   ldap_service_password_file =
>>> /var/kerberos/krb5kdc/realm/service.keyfile
>>>                   ldap_servers = "ldaps://ldap1.realm ldaps://ldap0.realm
>>> ldaps://ldap2.realm"
>>>           }
>>>
>>> Of course there's more to it, but you'll have to google the details, I
>>> can't remember the details off the top of my head. Create the
>>> appropriate LDAP credentials of course, as well as creating the LDAP
>>> service.keyfile ...
>>
>>
>> As an aside, if you're interested in doing Kerberos and LDAP together with a
>> 389-ds backend you may want to look at the FreeIPA project which handles a
>> lot of the integration for you. It also supports storing SSH keys.
>>
>> rob
>>>
>>>
>>>
>>> On Thu, Jan 9, 2014 at 12:42 PM, Paul Robert Marino <prmarino1 at gmail.com
>>> <mailto:prmarino1 at gmail.com>> wrote:
>>>
>>>      have you considered using Kerberos instead of ssh keys?
>>>      its fairly transparent and doesn't require any patches.
>>>
>>>
>>>      On Thu, Jan 9, 2014 at 1:10 PM, Vesa Alho <listat at alho.fi
>>>      <mailto:listat at alho.fi>> wrote:
>>>       >>> I'm just wondering if anyone has experience storing public keys
>>>      in 389
>>>       >>> directory server to allow a user to login using an ssh-key
>>>      rather than a
>>>       >>> password? I am running the server on Ubuntu 13.10 and the client
>>> is
>>>       >>> Ubuntu
>>>       >>> 12.04.
>>>       >
>>>       >
>>>       > Last time I checked it requires patched openssh-server for
>>>      Ubuntu. Check
>>>       > this: https://marc.waeckerlin.org/computer/blog/ssh_and_ldap
>>>       >
>>>       > -Vesa


-- 
Petr^2 Spacek

More information about the 389-users mailing list