On 12/22/2014 08:40 PM, Prashant Bapat wrote:
> Hi,
>
> We are planning to roll out FreeIPA for our AWS infrastructure to be the central authentication service. Initially we plan to use the SSH public keys, user and group management by FreeIPA. We are looking at rolling out the SSS on clients a little later.
>
> Two questions.
>
> 1. We need to be able to ensure that a user is limited to only 2-3 SSH keys.

SSH keys are a string attribute with a validator. In order to limit the number, you would need to modify the plugin here:

https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/util.py#n310

> 2. We need some way of forcing rotation of these keys once in, say, 90 days.
>
> In our existing setup we use an SSH CA based authentication. It has its own issues. But the rotation is handled by cert expiry every 90 days.

This is going to be harder. With password you can validate on login, but there is caching involved with the public key, and I think you would need to take that into account to force invalidation. This is why certs are probably a better idea.

Assuming you can flush the public keys fairly regularly, you would want to put the expiration checking on the accessor for the key. This is a direct LDAP fetch and not managed by the IPA plugins.

> Any suggestions/help would be appreciated.
>
> Thanks in advance.
>
> --Prashant
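As an added illustration of the first point (it is not FreeIPA's code, and the validator's real hook in ipalib/util.py is not reproduced here), the following standalone Python checks a user's complete list of ipaSshPubKey values: each value must be a well-formed OpenSSH public key whose textual type prefix matches the algorithm name inside the encoded blob, duplicates are caught by fingerprint so they cannot inflate the count, and the number of distinct keys is capped. The sample keys are constructed from dummy key material and are not real keys.

```python
# Added example, not FreeIPA's own code: validate a full ipaSshPubKey value
# list (format, duplicate fingerprints, key-count limit). Where the limit is
# enforced inside FreeIPA is assumed; the sample keys below are constructed.
import base64
import hashlib
import struct

MAX_KEYS = 3  # the 2-3 keys per user asked for in the thread


def parse_openssh_pubkey(line):
    """Return (keytype, SHA256 fingerprint) for '<type> <base64> [comment]'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    # The wire blob starts with a length-prefixed algorithm name that must
    # agree with the textual prefix; a mismatch means a malformed key.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("type prefix %r does not match encoded blob" % keytype)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return keytype, "SHA256:" + digest


def check_sshpubkeys(values, max_keys=MAX_KEYS):
    """Return a list of problems for the whole value list; empty means accept."""
    problems, seen = [], set()
    for value in values:
        try:
            _, fp = parse_openssh_pubkey(value)
        except (ValueError, struct.error, UnicodeDecodeError) as err:
            problems.append("invalid key: %s" % err)
            continue
        if fp in seen:
            problems.append("duplicate key %s" % fp)
        seen.add(fp)
    if len(seen) > max_keys:
        problems.append("%d distinct keys exceeds limit of %d" % (len(seen), max_keys))
    return problems


def constructed_key(keytype, material, comment="constructed"):
    """Build a syntactically valid OpenSSH line from dummy key material (test data only)."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode()
    blob += struct.pack(">I", len(material)) + material
    return "%s %s %s" % (keytype, base64.b64encode(blob).decode(), comment)


SAMPLE_KEYS = [constructed_key("ssh-ed25519", bytes([i]) * 32) for i in range(1, 5)]
```

Running the whole list through `check_sshpubkeys` rather than validating one value at a time is what makes the count limit enforceable, since a per-value validator never sees how many keys the entry already holds.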


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
