Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd
I did not try that setup because the config-redhat-sssd-before-1-9 description says it works with versions 1.5-1.8, and Amazon Linux has 1.2:

    config-redhat-sssd-before-1-9: Instructions for configuring a system with an old version of SSSD (1.5-1.8) as a IPA client. This set of instructions is targeted for platforms that include the authconfig utility, which are all Red Hat based platforms.

It is good to know that it works. I'll give it a try.

Thanks,
Gustavo

On Mon, Sep 14, 2015 at 7:01 AM, Pawel Fiuto wrote:
> Hi Gustavo,
>
> Using settings from 'ipa-advise config-redhat-sssd-before-1-9' with the below
> modifications seems to work quite well:
>
> - on the IPA server, add a permission to read ipaSshPubKey anonymously:
>
> [ipa-server]# ipa permission-add 'Read ipaSshPubKey' --type=user --attrs=ipaSshPubKey --bindtype=anonymous --permissions=read
>
> [ipa-client]# diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
> 2c2
> < services = nss, pam, ssh
> ---
> > services = nss, pam
> 12c12
> < ldap_search_base = cn=accounts,dc=example,dc=org
> ---
> > ldap_search_base = cn=compat,dc=example,dc=org
> 14d13
> < ldap_user_ssh_public_key = ipaSshPubKey
>
> --
> *From:* freeipa-users-boun...@redhat.com on behalf of Gustavo Mateus
> *Sent:* 11 September 2015 00:30
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd
>
> Hi,
>
> I'm trying to set up my Amazon Linux instances to be able to fetch the IPA
> users' public SSH keys.
>
> Do I have to set up a binddn and bindpw in the ldap.conf file and use
> /usr/libexec/openssh/ssh-ldap-wrapper, or is there a better way to do it?
>
> Thanks,
> Gustavo

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd
Hi Gustavo,

Using settings from 'ipa-advise config-redhat-sssd-before-1-9' with the below modifications seems to work quite well:

- on the IPA server, add a permission to read ipaSshPubKey anonymously:

[ipa-server]# ipa permission-add 'Read ipaSshPubKey' --type=user --attrs=ipaSshPubKey --bindtype=anonymous --permissions=read

[ipa-client]# diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
2c2
< services = nss, pam, ssh
---
> services = nss, pam
12c12
< ldap_search_base = cn=accounts,dc=example,dc=org
---
> ldap_search_base = cn=compat,dc=example,dc=org
14d13
< ldap_user_ssh_public_key = ipaSshPubKey

From: freeipa-users-boun...@redhat.com on behalf of Gustavo Mateus
Sent: 11 September 2015 00:30
To: freeipa-users@redhat.com
Subject: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

Hi,

I'm trying to set up my Amazon Linux instances to be able to fetch the IPA users' public SSH keys.

Do I have to set up a binddn and bindpw in the ldap.conf file and use /usr/libexec/openssh/ssh-ldap-wrapper, or is there a better way to do it?

Thanks,
Gustavo
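Review bot: the diff arguments are reversed relative to what a reader expects, because `diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig` lists the modified file first, so the `<` lines are the new values to keep and the `>` lines are the untouched originals; the three changes to apply are `services = nss, pam, ssh`, `ldap_search_base = cn=accounts,dc=example,dc=org` and the added `ldap_user_ssh_public_key = ipaSshPubKey` (the 14d13 hunk means that line exists only in the edited file). Note also that no bind DN or password appears anywhere in the diff, so the client reads the attribute unauthenticated, which is exactly why the `--bindtype=anonymous` permission on the server is required for this to work.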
Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd
One way to do it is to write a small script that fetches the keys from LDAP. As for authentication, I make the SSH public key anonymously readable for everyone.

On 11 September 2015 at 05:00, Gustavo Mateus wrote:
> Hi,
>
> I'm trying to set up my Amazon Linux instances to be able to fetch the IPA
> users' public SSH keys.
>
> Do I have to set up a binddn and bindpw in the ldap.conf file and use
> /usr/libexec/openssh/ssh-ldap-wrapper, or is there a better way to do it?
>
> Thanks,
> Gustavo
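The script approach suggested in this reply (an anonymous LDAP read of ipaSshPubKey, so no bind credentials are stored on the client), as an added example that is not from either poster or from the FreeIPA project. It assumes the server name ipa.example.org and the cn=accounts search base from Pawel's diff, an OpenLDAP ldapsearch client, and an sshd_config that invokes the script with %u; it also handles the LDIF line folding and base64 value form that ldapsearch can emit, which the thread does not cover.

```shell
#!/bin/sh
# AuthorizedKeysCommand helper: fetch a user's ipaSshPubKey values from IPA
# over an anonymous LDAP bind and print them in authorized_keys format.
# Assumed sshd_config lines (AuthorizedKeysCommandUser must be unprivileged):
#   AuthorizedKeysCommand /usr/local/bin/ipa-ssh-keys %u
#   AuthorizedKeysCommandUser nobody

LDAP_URI="${LDAP_URI:-ldaps://ipa.example.org}"           # assumed server name
LDAP_BASE="${LDAP_BASE:-cn=accounts,dc=example,dc=org}"   # base used in the thread

# Only accept a plain POSIX-style login name: this keeps LDAP filter
# metacharacters such as ')' and '*' out of the search filter built below.
valid_user() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]{0,31}$'
}

# Print one key from a single (already unfolded) LDIF attribute line.
# "attr:: value" means the value is base64-encoded, "attr: value" is literal.
emit_key() {
    case "$1" in
        'ipaSshPubKey:: '*) printf '%s\n' "${1#ipaSshPubKey:: }" | base64 -d; echo ;;
        'ipaSshPubKey: '*)  printf '%s\n' "${1#ipaSshPubKey: }" ;;
    esac
}

# Convert ldapsearch LDIF on stdin into one public key per line. ldapsearch
# folds long values: a continuation line starts with a single space, so lines
# are joined back together before they are inspected.
ldif_to_keys() {
    buf=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ' '*) buf="$buf${line#?}"; continue ;;
        esac
        emit_key "$buf"
        buf="$line"
    done
    emit_key "$buf"
}

# Anonymous (-x with no -D) search; this only returns keys once the
# 'Read ipaSshPubKey' permission with bindtype=anonymous exists on the server.
fetch_keys() {
    valid_user "$1" || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$1))" ipaSshPubKey | ldif_to_keys
}

if [ $# -eq 1 ]; then fetch_keys "$1"; fi
```

If the lookup fails or the user has no key, nothing is printed and sshd simply falls back to the user's own authorized_keys file.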
[Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd
Hi,

I'm trying to set up my Amazon Linux instances to be able to fetch the IPA users' public SSH keys.

Do I have to set up a binddn and bindpw in the ldap.conf file and use /usr/libexec/openssh/ssh-ldap-wrapper, or is there a better way to do it?

Thanks,
Gustavo