On Tue, May 27, 2014 at 7:10 AM, Rob Crittenden <rcritten@xxxxxxxxxx> wrote:
> Trey Dockendorf wrote:
>> I'm attempting to manage user ssh authorized keys in 389 with clients
>> using SSSD. I came across the RHEL docs [1] regarding the
>> sss_ssh_authorizedkeys application but I do not see mention of the
>> expected attributes for a user account to use this method. Does 389
>> include the necessary schema? If so, what attributes should I look
>> into? If the schema does not exist, is there a place I can reference to
>> see how FreeIPA implements the schema to then add as a custom schema to
>> my 389 instance?
>
> There is some training material on this at
> http://www.freeipa.org/images/1/1f/Freeipa30_SSH_Public_Keys.odp
>
> The schema is buried in
> https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/60basev3.ldif.
> Look for ipaSsh*

Thanks, I'll look into adding those schema elements to my 389 instance.

>
>> I realize FreeIPA contains this functionality but I can not use FreeIPA
>> because our authentication is provided by our campus' Kerberos realm and
>> we use 389 PAM pass through plugin to authenticate users. As far as I'm
>> aware this functionality cannot be used in FreeIPA without OTP which is
>> not available in EL6 or EL7.
>
> ssh keys have nothing to do with OTP. Support for managing ssh keys has
> been available in FreeIPA for quite some time now.

Sorry, I was a bit vague in my statement. I should have said "As far as I'm
aware the PAM pass through to external Kerberos cannot be used in FreeIPA
without OTP".

>
> rob
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users