Mailing List Archive

external storage of public keys and users
Hi all,

I'm looking for a way to allow a lot of users / public keys to be used
on a server via sshd and I'd like to manage them easily in some
repository (many such hosts would need access to it). I'd like to do
that without sshd modifications like lpk. The data store already
exists and cannot be changed, so kerberos unfortunately cannot be
used.
I do not want to use passwords (will be completely disabled) and would
like standard ssh clients to be able to connect to this server
(openssh and putty at least, but not only the latest versions).

Users will have a standard ssh key pair (or a certificate with private
key if that makes things any easier), but the client software is
pretty much out of my control. I really want to use keys here, since
users will also use those for other purposes.
I know that GSSAPI exists and is potentially related, but couldn't
really find an answer for: can it be used here, what needs to be
implemented to support it and can it use private/public key
authentication?

I'm interested in RHEL6-based systems, so openssh version ~5.3.

Thanks a lot for any ideas

--
KTHXBYE,

Stanisław Pitucha
Re: external storage of public keys and users
2011/3/28 Stanisław Pitucha <viraptor@gmail.com>:
> Hi all,
>
> I'm looking for a way to allow a lot of users / public keys to be used
> on a server via sshd and I'd like to manage them easily in some
> repository (many such hosts would need access to it). I'd like to do
> that without sshd modifications like lpk. The data store already
> exists and cannot be changed, so kerberos unfortunately cannot be
> used.
> I do not want to use passwords (will be completely disabled) and would
> like standard ssh clients to be able to connect to this server
> (openssh and putty at least, but not only the latest versions).
>
> Users will have a standard ssh key pair (or a certificate with private
> key if that makes things any easier), but the client software is
> pretty much out of my control. I really want to use keys here, since
> users will also use those for other purposes.
> I know that GSSAPI exists and is potentially related, but couldn't
> really find an answer for: can it be used here, what needs to be
> implemented to support it and can it use private/public key
> authentication?
>
> I'm interested in RHEL6-based systems, so openssh version ~5.3.
>

You might be able to write a PAM module for your customized
authentication needs.

--
regards,
kushal
Re: external storage of public keys and users
2011/3/29 Kushal Kumaran <kushal.kumaran@gmail.com>:
> You might be able to write a PAM module for your customized
> authentication needs.

From what I've seen I can handle either passwords, or out of band
communication (with regards to ssh connection itself) of some sorts
with PAM. Can PAM somehow provide public key based auth? Any links /
pointers would be really appreciated :)

--
KTHXBYE,

Stanisław Pitucha
Re: external storage of public keys and users
2011/3/29 Thompson, Jimi <JimiT@mail.cox.smu.edu>:
> What about using ldap?

Is there a way to do that without a patched SSH? (I mean the public
keys part) I know about LPK patches and lpkfuse, but maybe you had
something else in mind?

--
KTHXBYE,

Stanisław Pitucha
Re: external storage of public keys and users
Stanisław Pitucha wrote:
> 2011/3/29 Thompson, Jimi <JimiT@mail.cox.smu.edu>:
>> What about using ldap?
>
> Is there a way to do that without a patched SSH? (I mean the public
> keys part) I know about LPK patches and lpkfuse, but maybe you had
> something else in mind?

You might be interested in
https://bugzilla.mindrot.org/show_bug.cgi?id=1663 , which, AFAIU, is a
generalization of lpk.

Kind regards
Petr
--
Petr Cerny
Mozilla/OpenSSH maintainer for SUSE Linux
Re: external storage of public keys and users
2011/3/31 Petr Cerny <pcerny@suse.cz>:
> You might be interested in
> https://bugzilla.mindrot.org/show_bug.cgi?id=1663 , which, AFAIU, is a
> generalization of lpk.

That's all I need really - I knew about the patches, but wasn't aware
they made it into RHEL6. This is perfect!

Thanks a lot.

--
KTHXBYE,

Stanisław Pitucha