Re: SSH Public keys

Jonathan Vaughn wrote:
We use Kerberos, with LDAP (389DS) as our storage backend, which makes
standing up Kerberos servers really easy, and keeps replication in
perfect sync unlike normal Kerberos "replication". Together with SSSD
and sudo-ldap this all makes a pretty powerful combination.

On RHEL/CentOS platforms, install krb5-server-ldap and configure
/etc/krb5.conf accordingly:

[dbmodules]
         REALM = {
                 db_library = kldap
                 ldap_kerberos_container_dn="dc=some,dc=container"
                 ldap_kdc_dn = "uid=kdc,cn=config"
                 ldap_kadmind_dn = "uid=kadmin,cn=config"
                 ldap_service_password_file = /var/kerberos/krb5kdc/realm/service.keyfile
                 ldap_servers = "ldaps://ldap1.realm ldaps://ldap0.realm ldaps://ldap2.realm"
         }

Of course there's more to it, but you'll have to google the details; I
can't remember them off the top of my head. Create the appropriate LDAP
credentials of course, as well as creating the LDAP service.keyfile ...

As an aside, if you're interested in doing Kerberos and LDAP together with a 389-ds backend you may want to look at the FreeIPA project which handles a lot of the integration for you. It also supports storing SSH keys.

rob


On Thu, Jan 9, 2014 at 12:42 PM, Paul Robert Marino <prmarino1@xxxxxxxxx> wrote:

    Have you considered using Kerberos instead of ssh keys?
    It's fairly transparent and doesn't require any patches.


    On Thu, Jan 9, 2014 at 1:10 PM, Vesa Alho <listat@xxxxxxx> wrote:
     >>> I'm just wondering if anyone has experience storing public keys in 389
     >>> directory server to allow a user to login using an ssh-key rather than a
     >>> password? I am running the server on Ubuntu 13.10 and the client is
     >>> Ubuntu 12.04.
     >
     >
     > Last time I checked it requires patched openssh-server for Ubuntu. Check
     > this: https://marc.waeckerlin.org/computer/blog/ssh_and_ldap
     >
     > -Vesa
     >
     >
     > --
     > 389 users mailing list
     > 389-users@xxxxxxxxxxxxxxxxxxxxxxx
     > https://admin.fedoraproject.org/mailman/listinfo/389-users






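The kldap backend Jonathan sketches above has two sharp edges that the config fragment does not show: the KDC and kadmind bind to 389-ds with the passwords stashed in ldap_service_password_file, so every entry in ldap_servers must be ldaps:// or that password crosses the network in clear, and the stash file itself is only lightly encoded, so it must be root-only. The script below is an added example, not code from the list post, from MIT Kerberos or from 389-ds: it renders the [dbmodules] stanza from the post's placeholder realm, DNs, hosts and keyfile path (all assumed, none real) and runs those two checks before krb5kdc is started. The kdb5_ldap_util invocations in the trailing comment are the documented MIT commands for creating the realm container and stashing the bind passwords; they need the directory and are not run here.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): render the [dbmodules]
# stanza Jonathan describes and sanity-check it before starting krb5kdc.
# Realm, DNs, hosts and the keyfile path are the placeholders from the post.

# Render the stanza. The section is named after the realm, which is the
# default value of database_module, so [realms] needs no extra setting.
render_dbmodules() {
    realm="$1" container="$2" kdc_dn="$3" kadmind_dn="$4" keyfile="$5" servers="$6"
    cat <<EOF
[dbmodules]
    ${realm} = {
        db_library = kldap
        ldap_kerberos_container_dn = "${container}"
        ldap_kdc_dn = "${kdc_dn}"
        ldap_kadmind_dn = "${kadmind_dn}"
        ldap_service_password_file = ${keyfile}
        ldap_servers = "${servers}"
    }
EOF
}

# The KDC and kadmind bind with the passwords stashed in the service
# password file, so every ldap_servers entry must be ldaps://; a plain
# ldap:// entry would send that bind password in clear text.
ldaps_only() {
    for url in $1; do
        case "$url" in
            ldaps://*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# The stashed bind passwords are only lightly encoded, not encrypted,
# so the keyfile must exist and be readable by root alone (mode 0600).
keyfile_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

SERVERS="ldaps://ldap1.realm ldaps://ldap0.realm ldaps://ldap2.realm"
KEYFILE=/var/kerberos/krb5kdc/realm/service.keyfile

render_dbmodules REALM "dc=some,dc=container" "uid=kdc,cn=config" \
    "uid=kadmin,cn=config" "$KEYFILE" "$SERVERS"

if ldaps_only "$SERVERS"; then
    echo "ok: all ldap_servers use ldaps://"
else
    echo "WARNING: plain ldap:// entry in ldap_servers"
fi

if [ -f "$KEYFILE" ]; then
    keyfile_is_private "$KEYFILE" && echo "ok: keyfile is 0600" \
        || echo "WARNING: $KEYFILE must be mode 0600"
else
    echo "note: $KEYFILE not present yet; create it with kdb5_ldap_util stashsrvpw"
fi

# The remaining steps need the directory and are not run here. Creating
# the realm container and stashing each bind DN's password looks like:
#   kdb5_ldap_util -D "cn=Directory Manager" -H ldaps://ldap1.realm \
#       create -subtrees dc=some,dc=container -r REALM -s
#   kdb5_ldap_util -D "cn=Directory Manager" -H ldaps://ldap1.realm \
#       stashsrvpw -f "$KEYFILE" uid=kdc,cn=config
#   kdb5_ldap_util -D "cn=Directory Manager" -H ldaps://ldap1.realm \
#       stashsrvpw -f "$KEYFILE" uid=kadmin,cn=config
```

Run it on the KDC host after stashing the passwords: the rendered stanza goes into /etc/krb5.conf (or kdc.conf), and the two checks should both print "ok" before krb5kdc is started.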