[ale] ssh + ldap
Kenneth Ratliff
lists at noctum.net
Thu Mar 19 10:03:12 EDT 2009
On Mar 19, 2009, at 9:29 AM, Jim Kinney wrote:
> A possible workaround is to have the pub key in ldap and etc/skel user
> creation on initial login will use a system key to put the pub key in
> place. That avoids the patch but does not make for the easy removal of
> the now laid off sysadmin by blocking the ldap key. It also _still_
> requires a manual, tunneled password once but that is good as it is
> used to verify credentials for the newly touched system.
Yeah, this is how I got around it: the login script calls the LDAP server
and queries for the key for the username and then writes it out to
authorized_keys. It does this on every login, so if the user's public
key changes at any point, they'll be prompted via a password login
once and then their new key will take effect.

Revocation is pretty easy too, I just added a user attribute for
account enabled/disabled. I have another script that pulls the list of
servers out of LDAP and goes one by one and nulls out the
authorized_keys file for each username whose account is flagged
disabled (alternatively, I can supply the username I want deactivated
and it will only null out that user's authorized_keys file). And just
to be thorough, I have a nightly script on each server which queries
ldap for the public keys of the directories in /home and writes them
out to authorized_keys. Eventually, I'll get around to extending that
script to remove the home directories of any user who doesn't exist
in either /etc/passwd or in ldap.
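The sync logic described in the message above, as an added illustration that is not the poster's script: it derives the authorized_keys content from an LDAP entry (nulling it for a disabled account), writes the file atomically with the modes sshd's StrictModes expects, and lists home directories with no owner in either /etc/passwd or LDAP. The attribute names `sshPublicKey` and `accountEnabled`, the key bodies and the directory contents are constructed assumptions, not the poster's schema.

```python
import os
import re
import tempfile

# Constructed stand-in for an LDAP lookup result (attribute -> list of values),
# the shape python-ldap returns. Attribute names and truncated key bodies are
# assumptions for the example, not the poster's schema or real keys.
SAMPLE_DIRECTORY = {
    "alice": {"sshPublicKey": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 alice@laptop"],
              "accountEnabled": ["TRUE"]},
    "bob":   {"sshPublicKey": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDx bob@desk"],
              "accountEnabled": ["FALSE"]},   # flagged disabled: keys get nulled out
    "carol": {"sshPublicKey": ["not a key at all",
                               "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx carol@x"],
              "accountEnabled": ["TRUE"]},    # one mangled value is skipped
}

# Only accept lines shaped like "<type> <base64> [comment]".
KEY_LINE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+) [A-Za-z0-9+/]+=* ?.*$")

def authorized_keys_content(entry):
    """Text to write to authorized_keys for one LDAP entry.

    A disabled account, or no entry at all, yields an empty file: that is the
    revocation path. Malformed attribute values are dropped so that a stray
    string cannot end up as an sshd options line."""
    if entry is None or entry.get("accountEnabled", ["FALSE"])[0].upper() != "TRUE":
        return ""
    keys = [k.strip() for k in entry.get("sshPublicKey", []) if KEY_LINE.match(k.strip())]
    return "".join(k + "\n" for k in keys)

def write_authorized_keys(home, content, uid, gid):
    """Replace ~/.ssh/authorized_keys atomically, leaving ~/.ssh 0700 and the
    file 0600 owned by the user, which sshd's StrictModes checks."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    fd, tmp = tempfile.mkstemp(dir=ssh_dir, prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(tmp, 0o600)
    os.chown(tmp, uid, gid)
    os.replace(tmp, os.path.join(ssh_dir, "authorized_keys"))  # atomic swap

def orphaned_homes(home_names, passwd_users, ldap_users):
    """Home directories whose owner exists in neither /etc/passwd nor LDAP."""
    return sorted(set(home_names) - set(passwd_users) - set(ldap_users))
```

In a real deployment the entry would come from an ldapsearch or python-ldap query for the login name, and the nightly job would call these functions once per directory under /home.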