[ale] ssh + ldap

Jim Kinney jim.kinney at gmail.com
Thu Mar 19 09:29:01 EDT 2009


Kenneth replied and I'll chime in as well. ssh will use pam
automagically (see conf file for flag - UsePAM yes) to authenticate a
user by password. But to get a user authentication by key requires a
patch to repoint the sshd lookup of ~/.ssh to become an ldap call.

A possible workaround is to have the pub key in ldap and /etc/skel user
creation on initial login will use a system key to put the pub key in
place. That avoids the patch but does not make for the easy removal of
the now laid off sysadmin by blocking the ldap key. It also _still_
requires a manual, tunneled password once but that is good as it is
used to verify credentials for the newly touched system.

Hmm. That would be pretty slick.

Maybe a process can be inserted into this that logs to ldap what
machines have been touched by the user so there is a ready list of
revocation machines to work with.

2009/3/19 Jerald Sheets <questy at gmail.com>:
> Why not use the pam integration to LDAP through your /etc/pam.d/system-auth
> and/or sshd files.  In that way, let pam manage the communication with LDAP
> on behalf of SSH.
> There are also some really cool features of group-based authentication/access in
> /etc/security/access.conf you should look at.  It's the first time I've had the
> opportunity to use it, and it is quite nice.
> It seems a little redundant to not just tie pam in rather than tying both
> pam and sshd in.
> Or, maybe I'm not understanding the way you're implementing.  Could you
> expand a little on that?  (I'm doing the same thing for CNN right now)
>
> --j
>
>
> On Mar 19, 2009, at 6:48 AM, Kenneth Ratliff wrote:
>
> On Mar 18, 2009, at 10:04 PM, Jim Kinney wrote:
>
> cool idea: park ssh pub keys in ldap for large installation.
>
> http://code.google.com/p/openssh-lpk/
>
>
> Yeah this occurred to me when I was busy integrating my home network with
> LDAP to get everything to single signon. There's just something about
> patching OpenSSH that makes me unhappy, though.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>



-- 
James P. Kinney III
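The workaround Jim describes, as an added example in Python (not code from the thread or from openssh-lpk): it assumes the user's entry carries keys in the openssh-lpk `sshPublicKey` attribute and that the LDIF text comes from an `ldapsearch` run against the directory. It rewrites `~/.ssh/authorized_keys` wholesale from that entry, so blocking the key in LDAP takes effect at the next login-time or cron sync instead of leaving a once-copied key behind.

```python
import base64
import os
import tempfile
# Constructed sample (fake keys), shaped like `ldapsearch -LLL` output for an
# openssh-lpk style entry; the second value is base64 ('::') and line-folded.
KEY_ONE = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexampleKeyOne jdoe@laptop"
KEY_TWO = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexampleKeyTwo jdoe@desktop"
_B64 = base64.b64encode(KEY_TWO.encode()).decode()
SAMPLE_LDIF = (
    "dn: uid=jdoe,ou=People,dc=example,dc=com\n"
    f"sshPublicKey: {KEY_ONE}\n"
    f"sshPublicKey:: {_B64[:60]}\n {_B64[60:]}\n"  # folded continuation line
    "sshPublicKey: not a key at all\n"
    "description: test user\n"
)
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")

def parse_ssh_keys(ldif_text):
    """sshPublicKey values from LDIF: unfold ' ' continuations, decode '::'
    base64, drop anything not starting with a key type (no smuggled options)."""
    keys = []
    for line in ldif_text.replace("\n ", "").splitlines():  # unfold LDIF
        if line.startswith("sshPublicKey:: "):
            value = base64.b64decode(line[15:]).decode().strip()
        elif line.startswith("sshPublicKey: "):
            value = line[14:].strip()
        else:
            continue
        if value.split(" ", 1)[0] in KEY_TYPES:
            keys.append(value)
    return keys

def sync_authorized_keys(ldif_text, home_dir):
    """Rewrite ~/.ssh/authorized_keys wholesale so a key blocked in LDAP is
    gone locally at the next sync (login hook or cron), not appended forever."""
    keys = parse_ssh_keys(ldif_text)
    ssh_dir = os.path.join(home_dir, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path + ".tmp", "w") as fh:
        fh.write("".join(k + "\n" for k in keys))
    os.chmod(path + ".tmp", 0o600)
    os.replace(path + ".tmp", path)  # atomic: sshd never reads a half-written file
    return keys

def demo():  # sync into a scratch home; return (keys, mode bits, file contents)
    home = tempfile.mkdtemp()
    keys = sync_authorized_keys(SAMPLE_LDIF, home)
    path = os.path.join(home, ".ssh", "authorized_keys")
    return keys, os.stat(path).st_mode & 0o777, open(path).read()
```

Pairing this with the "machines touched" log Jim proposes would turn the output of `demo()` into a per-host record of which keys were installed where.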
