Ping!

Any pointers for doing this would be appreciated.

On 30 December 2014 at 06:27, Prashant Bapat <prash...@apigee.com> wrote:

> Hi Again,
>
> For enforcing SSH key rotation every N days, I'm thinking the following.
> Please let me know if this makes sense.
>
> 1. Limit the number of keys per user to 2. Control this via the webUI
> during the public key upload.
> 2. Append the current timestamp to the key during the upload. This gets
> stored in LDAP under the "ipaSshPubKey" attribute.
> 3. Store all the key fingerprints permanently. Need to define a new
> attribute for this. Idea is that a ssh key never gets reused. During the
> upload verify that the key being uploaded is not already present in the
> historical store.
> 4. On the clients, use a ForcedCommand in SSH server and verify the
> timestamp from #2 above is older than N days. Deny the user with an error
> message if true, allow if false. On similar lines of
> http://www.sshark.org/
>
> Please let me know your thoughts around this. This is the limiting feature
> for us to implement FreeIPA in our org right now.
>
> Thanks in advance.
>
> --Prashant
>
> On 23 December 2014 at 21:39, Prashant Bapat <prash...@apigee.com> wrote:
>
>> Adam,
>>
>> Thanks much for the reply. I will take a look at the code.
>>
>> For the expiration part, do you think it would be a good idea to modify
>> the LDAP schema to include the SSH Pubkey upload date and have an external
>> script to scan the keys for their age and alert/remove the keys? If yes,
>> could you please give me some pointers on how this can be done?
>>
>> Thanks again.
>> --Prashant
>>
>> On 23 December 2014 at 19:45, Adam Young <ayo...@redhat.com> wrote:
>>>
>>>  On 12/22/2014 08:40 PM, Prashant Bapat wrote:
>>>
>>>  Hi,
>>>
>>>  We are planning to roll out FreeIPA for our AWS infrastructure to be
>>> the central authentication service. Initially we plan to use the SSH public
>>> keys, user and group management by FreeIPA. We are looking at rolling out
>>> the SSS on clients a little later.
>>>
>>>  Two questions.
>>>
>>>  1. We need to be able to ensure that a user is limited to only 2-3 SSH
>>> keys.
>>>
>>> SSH keys are a string attribute with a validator.  In order to limit the
>>> number, you would need to modify the plugin here:
>>>
>>>
>>> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/util.py#n310
>>>
>>>
>>>
>>>  2. We need some way of forcing these key rotations once in, say, 90 days.
>>>
>>>  In our existing setup we use an SSH CA-based authentication. It has its
>>> own issues. But the rotation is handled by cert expiry every 90 days.
>>>
>>>
>>> This is going to be harder.  With passwords you can validate on login,
>>> but there is caching involved with the public key, and I think you would
>>> need to take that into account to force invalidation.  This is why certs
>>> are probably a better idea.
>>>
>>> Assuming you can flush the public keys fairly regularly, you would want
>>> to put the expiration checking on the accessor for the key.  This is a
>>> direct ldap fetch and not managed by the IPA plugins.
>>>
>>>
>>>  Any suggestions/help would be appreciated.
>>>
>>> Thanks in advance.
>>>
>>>  --Prashant
>>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>>
>>>
>>>
>>
>
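The decision logic for steps 3 and 4 of the proposal above, as an added example that is not part of this thread or of FreeIPA: it assumes the upload timestamp is stored as the key's comment field (ISO 8601, UTC) in the ipaSshPubKey value, that the ForcedCommand is handed that value for the key that authenticated (how it gets there is left out), and that the key-reuse history is a set of SHA256 fingerprints; the sample keys are constructed.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # the "N days" of the proposal; 90 as mentioned in the thread

def parse_ts(text):
    """Parse the ISO 8601 UTC timestamp appended to the key at upload time (assumed format)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of the base64 key blob (second field of the line)."""
    blob = base64.b64decode(key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_key_age(key_line, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Step 4: the ForcedCommand decision. Returns (allowed, message)."""
    parts = key_line.split()
    if len(parts) < 3:
        # Fail closed: a key without an upload timestamp cannot be aged.
        return False, "denied: key carries no upload timestamp"
    try:
        age = now - parse_ts(parts[2])
    except ValueError:
        return False, "denied: malformed upload timestamp"
    if age > timedelta(days=max_age_days):
        return False, f"denied: key is {age.days} days old, limit is {max_age_days}; please rotate"
    return True, f"ok: key is {age.days} days old"

def check_not_reused(key_line, history):
    """Step 3: refuse an upload whose fingerprint is already in the permanent history."""
    fp = fingerprint(key_line)
    if fp in history:
        return False, fp
    history.add(fp)
    return True, fp

def make_sample_key(pubkey_bytes, uploaded):
    """Constructed sample: an ssh-ed25519 line with the upload timestamp as its comment."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + pubkey_bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + uploaded

if __name__ == "__main__":
    now = parse_ts("2014-12-30T06:27:00Z")
    history = set()
    for key in (make_sample_key(b"\x01" * 32, "2014-12-01T00:00:00Z"),
                make_sample_key(b"\x02" * 32, "2014-09-01T00:00:00Z")):
        print(check_not_reused(key, history), check_key_age(key, now))
```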
