Discussion:
external storage of public keys and users
Stanisław Pitucha
2011-03-28 09:41:05 UTC
Hi all,

I'm looking for a way to allow a lot of users / public keys to be used
on a server via sshd and I'd like to manage them easily in some
repository (many such hosts would need access to it). I'd like to do
that without sshd modifications like lpk. The data store already
exists and cannot be changed, so kerberos unfortunately cannot be
used.
I do not want to use passwords (will be completely disabled) and would
like standard ssh clients to be able to connect to this server
(openssh and putty at least, but not only the latest versions).

Users will have a standard ssh key pair (or a certificate with private
key if that makes things any easier), but the client software is
pretty much out of my control. I really want to use keys here, since
users will also use those for other purposes.
I know that GSSAPI exists and is potentially related, but couldn't
really find an answer for: can it be used here, what needs to be
implemented to support it and can it use private/public key
authentication?

I'm interested in RHEL6-based systems, so openssh version ~5.3.

Thanks a lot for any ideas
--
KTHXBYE,

Stanisław Pitucha
Kushal Kumaran
2011-03-29 01:33:01 UTC
Post by Stanisław Pitucha
Hi all,
I'm looking for a way to allow a lot of users / public keys to be used
on a server via sshd and I'd like to manage them easily in some
repository (many such hosts would need access to it). I'd like to do
that without sshd modifications like lpk. The data store already
exists and cannot be changed, so kerberos unfortunately cannot be
used.
I do not want to use passwords (will be completely disabled) and would
like standard ssh clients to be able to connect to this server
(openssh and putty at least, but not only the latest versions).
Users will have a standard ssh key pair (or a certificate with private
key if that makes things any easier), but the client software is
pretty much out of my control. I really want to use keys here, since
users will also use those for other purposes.
I know that GSSAPI exists and is potentially related, but couldn't
really find an answer for: can it be used here, what needs to be
implemented to support it and can it use private/public key
authentication?
I'm interested in RHEL6-based systems, so openssh version ~5.3.

You might be able to write a PAM module for your customized
authentication needs.
--
regards,
kushal
Stanisław Pitucha
2011-03-29 09:14:38 UTC
Post by Kushal Kumaran
You might be able to write a PAM module for your customized
authentication needs.

From what I've seen I can handle either passwords, or out of band
communication (with regards to ssh connection itself) of some sorts
with PAM. Can PAM somehow provide public key based auth? Any links /
pointers would be really appreciated :)
--
KTHXBYE,

Stanisław Pitucha
Stanisław Pitucha
2011-03-29 09:16:23 UTC
What about using ldap?
Is there a way to do that without a patched SSH? (I mean the public
keys part) I know about LPK patches and lpkfuse, but maybe you had
something else in mind?
--
KTHXBYE,

Stanisław Pitucha
Petr Cerny
2011-03-31 08:22:18 UTC
Post by Stanisław Pitucha
What about using ldap?
Is there a way to do that without a patched SSH? (I mean the public
keys part) I know about LPK patches and lpkfuse, but maybe you had
something else in mind?

You might be interested in
https://bugzilla.mindrot.org/show_bug.cgi?id=1663 , which, AFAIU, is a
generalization of lpk.

Kind regards
Petr
--
Petr Cerny
Mozilla/OpenSSH maintainer for SUSE Linux
Stanisław Pitucha
2011-03-31 09:46:04 UTC
Post by Petr Cerny
You might be interested in
https://bugzilla.mindrot.org/show_bug.cgi?id=1663 , which, AFAIU, is a
generalization of lpk.

That's all I need really - I knew about the patches, but wasn't aware
they made it into RHEL6. This is perfect!

Thanks a lot.
--
KTHXBYE,

Stanisław Pitucha
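
Added example, not part of the thread and not code from any poster or from OpenSSH: a sketch of the lookup helper such a setup needs, assuming an sshd hook of the kind the linked patch adds (shipped in later OpenSSH releases as the `AuthorizedKeysCommand` option) that runs a program with the username as its argument and reads authorized_keys lines from its output. The in-memory `SAMPLE_STORE`, the allowed key types and the username pattern are assumptions standing in for the existing data store and site policy; the helper emits only bare, well-formed keys so that a bad record in the store cannot inject options or garbage.

```python
"""Key-lookup helper for an sshd external-keys hook (added example)."""
import base64
import binascii
import re
import struct
import sys

ALLOWED_TYPES = {"ssh-rsa", "ssh-dss"}   # assumption: types the site permits
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def wire_name(key_type):
    """SSH wire encoding of the type name: uint32 length, then the bytes."""
    return struct.pack(">I", len(key_type)) + key_type.encode()

def fake_blob(key_type):
    """Constructed, non-functional key blob for the sample store below."""
    return base64.b64encode(wire_name(key_type) + b"\x00" * 16).decode()

# Constructed sample data standing in for the existing external store.
SAMPLE_STORE = {"alice": [
    "ssh-rsa " + fake_blob("ssh-rsa") + " alice@laptop",
    'command="/bin/true" ssh-rsa ' + fake_blob("ssh-rsa"),  # options in record
    "ssh-rsa " + fake_blob("ssh-dss"),                      # type/blob mismatch
    "ssh-rsa not-base64!!",                                 # corrupt record
]}

def valid_key(line):
    """Return 'type blob' for a bare, well-formed key line, else None."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return None                       # rejects options and unknown types
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.startswith(wire_name(parts[0])):
        return None                       # declared type must match the blob
    return parts[0] + " " + parts[1]      # comment field is dropped

def keys_for(username, store=SAMPLE_STORE):
    """Fail closed: malformed or unknown usernames yield no keys."""
    if not USERNAME_RE.fullmatch(username or ""):
        return []
    return [k for k in map(valid_key, store.get(username, [])) if k]

if __name__ == "__main__":
    # sshd-style invocation: username as argv[1], key lines on stdout.
    print("\n".join(keys_for(sys.argv[1] if len(sys.argv) > 1 else "")))
```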