On Wed, 2011-08-03 at 10:14 -0400, Ian Stokes-Rees wrote: > > > On 8/3/11 4:47 AM, Ondrej Valousek wrote: > > Maybe stupid question, but I have to ask: > > Why would anyone want to store user RSA keys in LDAP? Once you have > > IPA server with KDC installed, you can use Kerberos for > > authentication as well. > > And you get single sign on as a special bonus :-) > > If you only work in a single administrative domain, this is fine. I > am constantly accessing systems all over the US, and internationally, > and the use of ssh-key-based authentication allows me to do this > without continuous password prompts. In fact, on many of the systems > I can *only* access them by ssh-key. Being able to hold those keys in > central keystore like FreeIPA with a single passphrase, and the > ability for an administrator to reset that passphrase, is very > desirable for me and for the other users of the systems I'm a part of. > Resetting key-based access control if the private key passphrase is > lost is always a nuisance.
As a general rule, I would think that having your private key stored somewhere that an admin other than yourself can reset the password and have access to would be really dangerous. Most especially if this private key was being used to access sites in other administrative domains. That really sounds like an accident waiting to happen...
Description: This is a digitally signed message part
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users