On 09/25/2013 06:34 AM, Martin Kosek wrote:
> On 09/25/2013 11:15 AM, Sumit Bose wrote:
>> On Wed, Sep 25, 2013 at 12:01:38PM +0300, Alexander Bokovoy wrote:
>>> On Wed, 25 Sep 2013, Sumit Bose wrote:
>>>> On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:
>>>>> On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
>>>>>> On Tue, 24 Sep 2013, Alexandre Ellert wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've successfully set up a testing environment with an IPA server (RHEL 6.4)
>>>>>>> and a cross realm trust with my Active Directory (Win2008 R2).
>>>>>>> Authentication works both with AD passwords and Kerberos GSS-API.
>>>>>>>
>>>>>>> Now, I'm trying to find the way to manage ssh keys which belong to AD
>>>>>>> users. It seems that I can do that only with users declared in the IPA
>>>>>>> domain. Can you confirm that?
>>>>>> Yes. AD users do not exist physically in IPA LDAP, therefore there is no
>>>>>> object to assign attributes into.
>>>>>>> Does the winsync method provide a way to add an ssh key to an AD user?
>>>>>> Under winsync AD users would become 'normal' LDAP objects in IPA,
>>>>>> therefore you can assign additional values/attributes to them.
>>>>> Though note that with winsync, one would lose all the SSO capabilities...
>>>>>
>>>>> Alexander, I am just thinking about possibilities. We now have the
>>>>> concept of external groups in FreeIPA which one can then use as members
>>>>> of normal POSIX groups and use them in HBAC or other policies.
>>>>>
>>>>> Would it be possible to create "external users", i.e. user entries
>>>>> identified by FQDN/SID and then be able to assign a selected set of user
>>>>> attributes (like SSH public key, home directory, shell...) which could
>>>>> then be leveraged by SSSD?
>>>> Does anyone know if there is a ssh key management solution for AD? If
>>>> yes, I think it would be better to use this and enhance SSSD to fetch
>>>> them from AD. The data can then be stored in the sssd cache on the IPA
>>>> servers and distributed to the IPA clients with the LDAP exop we already
>>>> use to make the AD users available to the clients.
>>> Yes, there are a few commercial solutions. Many of them use their own
>>> schemes so supporting them would need to work on multiple different
>>> schemes.
>>>
>>> http://tools.ietf.org/html/draft-ylonen-sshkeybcp-01 describes recommended
>>> practices.
>> Thank you for the details. So it looks like this might be an interesting
>> RFE.
>>
>> bye,
>> Sumit
> Agreed.
>
> I filed an RFE ticket: https://fedorahosted.org/sssd/ticket/2099
>
> Martin
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

And to get back to the original question. When you have trusts and HBAC why do you need SSH keys? They do not add any value and become a burden to manage. You can use your Kerberos ticket to access systems you need and systems would check if you are allowed to access, so I fail to see the need for SSH keys in this case at all. What am I missing?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
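The access model Dmitri describes (a trusted-domain user presents a Kerberos ticket to sshd, and the host's HBAC rules decide whether that user may log in) corresponds to a small amount of OpenSSH configuration on an IPA-enrolled host. The fragment below is an added example for this thread, not configuration from the original posts or from the FreeIPA project; the hostname pattern `*.ipa.example.test` is an assumed placeholder, and the comments reflect standard OpenSSH option semantics rather than anything IPA-specific.

```text
# /etc/ssh/sshd_config on an IPA-enrolled host (added example)
# Accept the user's Kerberos ticket through GSSAPI; no authorized key is
# needed. The host keytab that ipa-client-install creates is what sshd uses
# to accept the service ticket for host/<fqdn>@REALM.
GSSAPIAuthentication yes
# Destroy the user's credential cache when the session ends.
GSSAPICleanupCredentials yes
# Validating a typed password against the KDC is a separate mechanism and is
# not needed once ticket-based GSSAPI login is in place.
KerberosAuthentication no
# Keep PAM enabled: SSSD's pam_sss evaluates the IPA HBAC rules for the
# "sshd" PAM service, so an AD user who is not covered by an allow rule is
# denied even though the ticket itself was valid.
UsePAM yes
# Optional, and the point of Dmitri's question: with tickets plus HBAC in
# place, keys can be turned off so there is nothing key-shaped left to manage
# for trusted-domain users.
PubkeyAuthentication no

# ~/.ssh/config or /etc/ssh/ssh_config on the client (added example)
Host *.ipa.example.test
    GSSAPIAuthentication yes
    # Forward the TGT only to hosts that genuinely need it on your behalf.
    GSSAPIDelegateCredentials no
```

The HBAC side is where Martin's external-group mechanism comes in: the AD group is added as an external member of an IPA POSIX group, and that POSIX group is the subject of the HBAC rule that permits the `sshd` service on the host group in question. Disabling `PubkeyAuthentication` is a site decision; if IPA-native users on the same hosts still rely on keys, leave it enabled and rely on HBAC alone to gate the trusted-domain accounts.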
