On Mon, 2007-04-02 at 16:11 +0200, Rob van der Heij wrote:

> We did it slightly differently with an experimental patch to OpenSSH
> that allows for the public keys to be kept in LDAP. That means there's
> only one place where the public key is held. That LDAP server would
> allow the end-user to upload a (new) public key through some
> authenticated interface. And the Linux servers can trust that LDAP to
> provide the right public key. The same LDAP also gives user and group
> information for Linux to allow login.
This OpenSSH patch[1] is (IMHO) in need of more "airplay". AFAIK Gentoo is the only distro that includes it as part of their OpenSSH package (I don't have SLES10 or RHEL5 nearby, they may have finally picked it up). For shops using LDAP for authentication, it makes a lot of sense -- you can have all your user detail in a sturdy LDAP directory, and using appropriate filter configurations for nss_ldap and pam_ldap you can still provide per-server access control[2]. The 'uploading' of the key can be done with any of the LDAP administration tools, such as phpldapadmin, LAM, or Luma -- the authorised key is just an ASCII text field so cut-and-paste will work.

Another method that works is to share user home directories via NFS. When a user logs on to a system their home directory is automounted, which makes their ~/.ssh/ and consequently their authorised keys available.

I used to keep my private key on a USB-key, but convenience (or the lack thereof) was a barrier. I'm wondering if some little mobile-phone app that worked over IR or Bluetooth would be a substitute -- people sometimes take more care of these. ;)

Cheerio,
Vic Cross

[1] Known as OpenSSH-LPK. Used to be hosted by the OpenDarwin project, but now seems to have new owners... There's a Trac at http://dev.inversepath.com/trac/openssh-lpk.

[2] pam_ldap provides its own function for access checking based on an attribute in LDAP, but we found it was better to use a filter in the "nss_base_*" settings. If you only use the pam_ldap setting, ALL accounts in LDAP show up as accounts on the system even though the users don't have access, which will confuse your auditors... Better to filter out the unauthorised accounts at the NSS level so they don't even show up.
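As an added illustration of footnote [2] (constructed here, not configuration from Vic's post or the OpenSSH-LPK project): the pam_ldap-only layout beside the NSS-level filter, plus the LDAP entry and sshd_config fragment such a setup relies on. Hostnames, DNs and the use of the `host` attribute are assumptions; the Lpk* option names are as I recall them from the patch, so check them against your build's sshd_config(5).

```conf
## /etc/ldap.conf (nss_ldap + pam_ldap) -- constructed example
uri        ldap://ldap.example.com/
base       dc=example,dc=com
ssl        start_tls

## Weak layout: NSS resolves every LDAP account on every box; only PAM
## says no at login time, so "getent passwd" lists users who cannot log in.
# nss_base_passwd      ou=People,dc=example,dc=com?one
# nss_base_shadow      ou=People,dc=example,dc=com?one
# pam_check_host_attr  yes      # checks the "host" attribute at login only

## Preferred layout (footnote [2]): filter in nss_base_* (base?scope?filter)
## so unauthorised accounts never resolve via NSS on this host at all.
## A literal "*" in the host attribute (meaning "all hosts") must be
## written as \2a inside an LDAP filter; (host=*) would be a presence test.
nss_base_passwd      ou=People,dc=example,dc=com?one?(|(host=web01.example.com)(host=\2a))
nss_base_shadow      ou=People,dc=example,dc=com?one?(|(host=web01.example.com)(host=\2a))
nss_base_group       ou=Groups,dc=example,dc=com?one
pam_check_host_attr  yes        # keep the PAM check as a second layer

## Example user entry (LDIF) using the LPK schema: objectClass ldapPublicKey
## carries one or more sshPublicKey values -- the "authorised key" text field.
# dn: uid=vic,ou=People,dc=example,dc=com
# objectClass: posixAccount
# objectClass: ldapPublicKey
# uid: vic
# host: web01.example.com
# sshPublicKey: ssh-rsa AAAA<placeholder-key-material> vic@laptop

## /etc/ssh/sshd_config fragment for the OpenSSH-LPK patch (option names assumed)
# UseLPK          yes
# LpkServers      ldap://ldap.example.com
# LpkUserDN       ou=People,dc=example,dc=com
# LpkGroupDN      ou=Groups,dc=example,dc=com
# LpkServerGroup  web01-admins   # only members of this group get a key lookup
```

With the NSS filter in place, a user whose entry lacks a matching `host` value is invisible to `getent passwd` on that box, so the LPK key lookup never even runs for them.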