On Wed, 2011-08-03 at 10:14 -0400, Ian Stokes-Rees wrote:
> 
> 
> On 8/3/11 4:47 AM, Ondrej Valousek wrote: 
> > Maybe stupid question, but I have to ask:
> > Why would anyone want to store user RSA keys in LDAP? Once you have
> > IPA server with KDC installed, you can use Kerberos for
> > authentication as well.
> > And you get single sign on as a special bonus :-)
> 
> If you only work in a single administrative domain, this is fine.  I
> am constantly accessing systems all over the US, and internationally,
> and the use of ssh-key-based authentication allows me to do this
> without continuous password prompts.  In fact, on many of the systems
> I can *only* access them by ssh-key.  Being able to hold those keys in
> a central keystore like FreeIPA with a single passphrase, and the
> ability for an administrator to reset that passphrase, is very
> desirable for me and for the other users of the systems I'm a part of.
> Resetting key-based access control if the private key passphrase is
> lost is always a nuisance.


As a general rule, I would think that having your private key stored
somewhere that an admin other than yourself can reset the password and
have access to would be really dangerous. Most especially if this
private key was being used to access sites in other administrative
domains.

That really sounds like an accident waiting to happen...

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users