Re: [Freeipa-users] SSH Keys?

2012-06-04 Thread Dale Macartney




On 04/06/12 18:28, Kline, Sara wrote:

 Some of my users have expressed concerns about moving to FreeIPA
because they prefer to use SSH. The main reason behind that is because
they can use agent forwarding and only have to sign on once. I did find
information on forwardable Kerberos tickets, kinit -f. Has anyone used
this in place of SSH keys, or do you have other suggestions? There are a
few service accounts scripted to work with SSH keys so we may have to
leave a few local accounts on the servers. I don't particularly like
that idea.

Hi Sara

The big difference here is your users will see this as you taking
something away from them. Yes, Kerberos tickets will work perfectly in
this situation; I do this myself. The issue you need to be aware of is
that they will expire, as they should. An SSH key is nothing more than
bypassing an authentication process.

I would recommend using centralized service accounts in place of more
local accounts, as this way you will always be able to manage them in
the future.

Does this help?



 Sara Kline

 System Administrator

 Transaction Network Services, Inc

 4501 Intelco Loop, Lacey WA 98503

 Wk: (360) 493-6736

 Cell: (360) 280-2495




 -
 This e-mail message is for the sole use of the intended recipient(s) and may
 contain confidential and privileged information of Transaction Network Services.
 Any unauthorised review, use, disclosure or distribution is prohibited. If you
 are not the intended recipient, please contact the sender by reply e-mail and
 destroy all copies of the original message.



 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users
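A check for the two points raised in this exchange, written here as an added example and not taken from the thread or from FreeIPA itself: it parses `klist -f` output (constructed samples embedded below, assuming the MIT Kerberos listing format) to confirm that the TGT was obtained forwardable with `kinit -f` and that it has not yet expired, which is what a scripted job would need to verify before relying on Kerberos delegation instead of SSH agent forwarding.

```shell
# Constructed `klist -f` listings in MIT Kerberos format (principals,
# realm and times are made up for this example).
SAMPLE_FWD_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: sara@EXAMPLE.COM

Valid starting       Expires              Service principal
06/04/2012 10:37:00  06/04/2012 20:37:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/11/2012 10:37:00, Flags: FRIA'

SAMPLE_PLAIN_KLIST='Default principal: svc@EXAMPLE.COM

Valid starting       Expires              Service principal
06/04/2012 10:37:00  06/04/2012 20:37:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA'

# Print the flag letters of the krbtgt (TGT) entry; empty if none found.
tgt_flags() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { want = 1; next }
        want && /Flags:/ { sub(/.*Flags: */, ""); print $1; exit }
        { want = 0 }'
}

# Succeed only if the TGT carries the F (forwardable) flag, i.e. it was
# obtained with `kinit -f` and can be delegated to the remote host.
tgt_is_forwardable() {
    case "$(tgt_flags "$1")" in *F*) return 0 ;; *) return 1 ;; esac
}

# Print the TGT expiry as a sortable YYYYMMDDHHMMSS key.
tgt_expiry_key() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// {
            split($3, d, "/"); split($4, t, ":")
            printf "%s%s%s%s%s%s\n", d[3], d[1], d[2], t[1], t[2], t[3]
            exit
        }'
}

# Succeed if the TGT is still valid at the given YYYYMMDDHHMMSS instant;
# tickets expire, so a job must check this rather than assume it.
tgt_valid_at() {
    exp=$(tgt_expiry_key "$1")
    [ -n "$exp" ] && [ "$exp" -gt "$2" ]
}

# Stand-alone run against the constructed forwardable sample.
if tgt_is_forwardable "$SAMPLE_FWD_KLIST" && tgt_valid_at "$SAMPLE_FWD_KLIST" 20120604120000; then
    echo "TGT is forwardable and still valid"
fi
```

Against a live cache, pass `"$(klist -f)"` and `"$(date +%Y%m%d%H%M%S)"` instead of the samples; the delegation itself is enabled on the client side with OpenSSH's GSSAPIDelegateCredentials option.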

Re: [Freeipa-users] SSH Keys?

2012-06-04 Thread Kline, Sara
Yes, it does. I don't see what the problem is with having to authenticate to each
server. It is more secure that way; I think they are just used to being able to
take shortcuts. I guess if they really fuss about it we could set up
forwardable tickets. I would definitely prefer to have all of the service
accounts be on the server rather than local.

Thanks,
Sara Kline

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dale Macartney
Sent: Monday, June 04, 2012 10:37 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSH Keys?

