On Mon, 2007-04-02 at 16:11 +0200, Rob van der Heij wrote:

> We did it slightly different with an experimental patch to OpenSSH
> that allows for the public keys to be kept in LDAP. That means there's
> only one place where the public key is held. That LDAP server would
> allow the end-user to upload a (new) public key through some
> authenticated interface. And the Linux servers can trust that LDAP to
> provide the right public key. The same LDAP also gives user and group
> information for Linux to allow login.
This is an excellent patch that needs a lot more airplay. I don't know why it's never been picked up by "mainstream" distros; Gentoo is the only one I know of that includes it (I don't have SLES10 and RHEL5 systems to check, though, they may have finally picked it up). Combined with the pam_ldap and nss_ldap configuration options[1] that allow you to restrict user accounts to a subset of all your hosts, you can have all your users in a single LDAP but still provide access only to certain hosts.

On the general handling of SSH keys however, the important thing to remember is that the private key belongs to the USER (Rob and Adam have both implied this in their posts). Administering them centrally means that there are sysadmins that (literally) have everyone's keys[2]. You may find that some of your users would create their keys with a greater strength than your "default" policy might provide, and you shouldn't really tell your users that they have to make their key less safe than they want to. :)

[1] pam_ldap
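As an added illustration (not part of the post above), this is what the per-host restriction the reply refers to looks like with PADL pam_ldap: the directive `pam_check_host_attr yes` in /etc/ldap.conf makes pam_ldap reject any user whose LDAP entry does not carry a `host` attribute naming the local host (or `*`). The DN, user and host names are constructed placeholders, and the `account` objectClass assumes the cosine schema is loaded.

```ldif
# Constructed example (not from the mailing-list post).
# Prerequisite on every Linux host, in /etc/ldap.conf for pam_ldap:
#   pam_check_host_attr yes
# Without that line the host attribute is simply ignored, and every
# user that nss_ldap can resolve may log in on every host.
#
# Grant alice login on exactly two hosts; all others deny her at the
# PAM account stage even though nss_ldap still knows the account.
dn: uid=alice,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: account
-
add: host
host: lnx01.example.com
host: lnx02.example.com
```

pam_ldap compares the values against what the host reports as its own name (gethostname), so the attribute must match that spelling exactly; a value of `*` grants the account on all hosts.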
