On 8/3/11 4:47 AM, Ondrej Valousek wrote:
Maybe stupid question, but I have to ask:
Why would anyone want to store user RSA keys in LDAP? Once you have an IPA server with KDC installed, you can use Kerberos for authentication as well.
And you get single sign on as a special bonus :-)

If you only work in a single administrative domain, this is fine.  I am constantly accessing systems all over the US, and internationally, and the use of ssh-key-based authentication allows me to do this without continuous password prompts.  In fact, on many of the systems I can *only* access them by ssh-key.  Being able to hold those keys in a central keystore like FreeIPA with a single passphrase, and the ability for an administrator to reset that passphrase, is very desirable for me and for the other users of the systems I'm a part of.  Resetting key-based access control if the private key passphrase is lost is always a nuisance.

Ian
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
