[ale] ssh + ldap

Jeremy T. Bouse jeremy.bouse at undergrid.net
Thu Mar 19 09:33:12 EDT 2009



You can use PAM to authenticate the accounts, but the patch goes
further in allowing you to actually store the authorized public SSH keys
within the LDAP tree rather than having to store them in the account on
the server. For a large implementation this is a big time saver.

Debian makes use of storing SSH keys within LDAP, but to maintain the
upstream code without patching they have scripted routines that run on
the servers to pull the SSH keys from LDAP and install them on the
servers. This just means a delay when you change or update your
authorized keys, whereas this patch would allow you to immediately make
use of a new key added to LDAP.

Jerald Sheets wrote:
> Why not use the pam integration to LDAP through your
> /etc/pam.d/system-auth and/or sshd files?  In that way, let pam manage
> the communication with LDAP on behalf of SSH.
> 
> There are also some really cool features of group-based
> authentication/access in /etc/security/access.conf you should look at.
> It's the first time I've had the opportunity to use it, and it is quite nice.
> 
> It seems a little redundant to not just tie pam in rather than tying
> both pam and sshd in.
> 
> Or, maybe I'm not understanding the way you're implementing.  Could you
> expand a little on that?  (I'm doing the same thing for CNN right now)
> 
> 
> --j
> 
> 
> 
> On Mar 19, 2009, at 6:48 AM, Kenneth Ratliff wrote:
> 
>>
>> On Mar 18, 2009, at 10:04 PM, Jim Kinney wrote:
>>
>>> Cool idea: park SSH pub keys in LDAP for a large installation.
>>>
>>> http://code.google.com/p/openssh-lpk/
>>
>>
>> Yeah, this occurred to me when I was busy integrating my home network
>> with LDAP to get everything to single sign-on. There's just something
>> about patching OpenSSH that makes me unhappy, though.
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
> 
> 
> 


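Jeremy's description of the Debian approach (scripted routines on each server that pull keys from LDAP and install them) implies a sync step that has to read the directory's output correctly and must refuse to write anything that is not a key into a file sshd will trust. As an added example, not code from this thread or from the openssh-lpk project, the core of that step in Python: it parses LDIF as `ldapsearch` emits it, including folded lines and base64-encoded (`::`) values, and keeps only well-formed key lines per uid. The attribute name `sshPublicKey` (as the openssh-lpk schema defines it) and the sample entries are assumptions.

```python
import base64
import re

# Constructed sample of what `ldapsearch -LLL uid sshPublicKey` could return for
# openssh-lpk entries (assumption: attribute name sshPublicKey, per that schema).
# It includes a value folded across lines and a base64 ("::") value, both legal
# LDIF that a grep-based sync script gets wrong. Key blobs are placeholders.
ALICE_DESKTOP = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYDATA0001 alice@desktop"
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=org",
    "uid: alice",
    "sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYDATA0000",
    "  alice@laptop",  # fold: first space is the LDIF marker, the second is data
    "sshPublicKey:: " + base64.b64encode(ALICE_DESKTOP.encode()).decode(),
    "",
    "dn: uid=mallory,ou=People,dc=example,dc=org",
    "uid: mallory",
    "sshPublicKey: not-a-key garbage",
]) + "\n"

# Accept plain key lines only; anything else stored in the attribute is dropped
# rather than written into a file sshd will trust.
KEY_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S.*)?$")

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry."""
    unfolded = re.sub(r"\n ", "", text)  # join continuation lines
    entries, entry = [], {}
    for line in unfolded.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line:
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr.lower(), []).append(value.strip())
    return entries

def authorized_keys(entries):
    """Map uid -> authorized_keys content, keeping only well-formed key lines."""
    out = {}
    for entry in entries:
        uid = entry.get("uid", [""])[0]
        if uid:
            keys = [k for k in entry.get("sshpublickey", []) if KEY_RE.match(k)]
            out[uid] = "".join(k + "\n" for k in keys)
    return out
```

A sync script built on this would still need to write each result to the user's file atomically (temporary file, mode 0600, then rename) so a partial write never becomes a trusted authorized_keys.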
