
Mailing List Archive: OpenSSH: Users

external storage of public keys and users

 

 



viraptor at gmail

Mar 28, 2011, 2:41 AM

Post #1 of 6 (2261 views)
external storage of public keys and users

Hi all,

I'm looking for a way to allow a lot of users / public keys to be used
on a server via sshd and I'd like to manage them easily in some
repository (many such hosts would need access to it). I'd like to do
that without sshd modifications like lpk. The data store already
exists and cannot be changed, so kerberos unfortunately cannot be
used.
I do not want to use passwords (will be completely disabled) and would
like standard ssh clients to be able to connect to this server
(openssh and putty at least, but not only the latest versions).

Users will have a standard ssh key pair (or a certificate with private
key if that makes things any easier), but the client software is
pretty much out of my control. I really want to use keys here, since
users will also use those for other purposes.
I know that GSSAPI exists and is potentially related, but couldn't
really find an answer for: can it be used here, what needs to be
implemented to support it and can it use private/public key
authentication?

I'm interested in RHEL6-based systems, so openssh version ~5.3.

Thanks a lot for any ideas

--
KTHXBYE,

Stanisław Pitucha


kushal.kumaran at gmail

Mar 28, 2011, 6:33 PM

Post #2 of 6 (2162 views)
Re: external storage of public keys and users [In reply to]

2011/3/28 Stanisław Pitucha <viraptor [at] gmail>:
> Hi all,
>
> I'm looking for a way to allow a lot of users / public keys to be used
> on a server via sshd and I'd like to manage them easily in some
> repository (many such hosts would need access to it). I'd like to do
> that without sshd modifications like lpk. The data store already
> exists and cannot be changed, so kerberos unfortunately cannot be
> used.
> I do not want to use passwords (will be completely disabled) and would
> like standard ssh clients to be able to connect to this server
> (openssh and putty at least, but not only the latest versions).
>
> Users will have a standard ssh key pair (or a certificate with private
> key if that makes things any easier), but the client software is
> pretty much out of my control. I really want to use keys here, since
> users will also use those for other purposes.
> I know that GSSAPI exists and is potentially related, but couldn't
> really find an answer for: can it be used here, what needs to be
> implemented to support it and can it use private/public key
> authentication?
>
> I'm interested in RHEL6-based systems, so openssh version ~5.3.
>

You might be able to write a PAM module for your customized
authentication needs.

--
regards,
kushal


viraptor at gmail

Mar 29, 2011, 2:14 AM

Post #3 of 6 (2166 views)
Re: external storage of public keys and users [In reply to]

2011/3/29 Kushal Kumaran <kushal.kumaran [at] gmail>:
> You might be able to write a PAM module for your customized
> authentication needs.

From what I've seen I can handle either passwords, or out of band
communication (with regards to ssh connection itself) of some sorts
with PAM. Can PAM somehow provide public key based auth? Any links /
pointers would be really appreciated :)

--
KTHXBYE,

Stanisław Pitucha


viraptor at gmail

Mar 29, 2011, 2:16 AM

Post #4 of 6 (2178 views)
Re: external storage of public keys and users [In reply to]

2011/3/29 Thompson, Jimi <JimiT [at] mail>:
> What about using ldap?

Is there a way to do that without a patched SSH? (I mean the public
keys part) I know about LPK patches and lpkfuse, but maybe you had
something else in mind?

--
KTHXBYE,

Stanisław Pitucha


pcerny at suse

Mar 31, 2011, 1:22 AM

Post #5 of 6 (2162 views)
Re: external storage of public keys and users [In reply to]

Stanisław Pitucha wrote:
> 2011/3/29 Thompson, Jimi <JimiT [at] mail>:
>> What about using ldap?
>
> Is there a way to do that without a patched SSH? (I mean the public
> keys part) I know about LPK patches and lpkfuse, but maybe you had
> something else in mind?

You might be interested in
https://bugzilla.mindrot.org/show_bug.cgi?id=1663 , which, AFAIU, is a
generalization of lpk.

Kind regards
Petr
--
Petr Cerny
Mozilla/OpenSSH maintainer for SUSE Linux


viraptor at gmail

Mar 31, 2011, 2:46 AM

Post #6 of 6 (2163 views)
Re: external storage of public keys and users [In reply to]

2011/3/31 Petr Cerny <pcerny [at] suse>:
> You might be interested in
> https://bugzilla.mindrot.org/show_bug.cgi?id=1663 , which, AFAIU, is a
> generalization of lpk.

That's all I need really - I knew about the patches, but wasn't aware
they made it into RHEL6. This is perfect!

Thanks a lot.

--
KTHXBYE,

Stanisław Pitucha
