<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Colonna MT";
panose-1:4 2 8 5 6 2 2 3 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Yes, it does. I don’t see what the problem is with having to authenticate to each server. It is more secure that way; I think they are just used to being able to
take shortcuts. I guess if they really fuss about it we could set up forwardable tickets. I would definitely prefer to have all of the service accounts be on the server rather than local.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Colonna MT";color:#1F497D">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Colonna MT";color:#1F497D">Sara Kline<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> freeipa-users-bounces@redhat.com [mailto:freeipa-users-bounces@redhat.com]
<b>On Behalf Of </b>Dale Macartney<br>
<b>Sent:</b> Monday, June 04, 2012 10:37 AM<br>
<b>To:</b> freeipa-users@redhat.com<br>
<b>Subject:</b> Re: [Freeipa-users] SSH Keys?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
On 04/06/12 18:28, Kline, Sara wrote:<o:p></o:p></p>
<p class="MsoNormal"> > Some of my users have expressed concerns about moving to<br>
 > FreeIPA because they prefer to use SSH. The main reason behind<br>
 > that is because they can use agent forwarding and only have to<br>
 > sign on once. I did find information on forwardable Kerberos<br>
 > tickets, kinit -f. Has anyone used this in place of SSH keys, or<br>
 > do you have other suggestions? There are a few service accounts<br>
 > scripted to work with SSH keys so we may have to leave a few local<br>
 > accounts on the servers. I don’t particularly like that idea.<o:p></o:p></p>
<p class="MsoNormal">Hi Sara<br>
<br>
The big difference here is your users will see this as you taking something away from them. Yes, Kerberos tickets will work perfectly in this situation; I do this myself. The issue you need to be aware of is that they will expire, as they should. An SSH key
is nothing more than bypassing an authentication process.<br>
<br>
I would recommend using centralized service accounts in place of more local accounts, as this way you will always be able to manage them in the future.<br>
<br>
Does this help?<br>
<o:p></o:p></p>
<p class="MsoNormal"> > Sara Kline<br>
 > System Administrator<br>
 > Transaction Network Services, Inc<br>
 > 4501 Intelco Loop, Lacey WA 98503<br>
 > Wk: (360) 493-6736<br>
 > Cell: (360) 280-2495<o:p></o:p></p>
<p class="MsoNormal"> > Freeipa-users mailing list<br>
 > <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><o:p></o:p></p>
</div>
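<p class="MsoNormal">The check below is an added example, not code from either message or from the FreeIPA project. It reads the output of klist -f to confirm that a user's TGT (obtained for instance with the kinit -f mentioned in the thread) actually carries the F (forwardable) flag, which is what the OpenSSH client needs, together with GSSAPIAuthentication and GSSAPIDelegateCredentials, before Kerberos delegation can stand in for ssh-agent forwarding. The principal name and the sample klist output are constructed.</p>

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA). Verifies that the current
# Kerberos TGT is forwardable, i.e. that GSSAPI credential delegation over
# SSH (GSSAPIAuthentication yes / GSSAPIDelegateCredentials yes in ssh_config)
# can replace ssh-agent forwarding. A ticket without the F flag still logs
# the user in, but leaves them with no credentials on the remote host.

# Constructed sample of MIT `klist -f` output; the principal is made up.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: skline@EXAMPLE.COM

Valid starting       Expires              Service principal
06/04/2012 10:37:00  06/04/2012 20:37:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/11/2012 10:37:00, Flags: FRIA'

# tgt_forwardable KLIST_OUTPUT
# Prints "yes" (status 0) if the krbtgt entry carries the F flag, otherwise
# "no" (status 1), including when no TGT is present at all.
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        # A krbtgt line starts a TGT entry; its flags usually follow on the
        # indented continuation line ("renew until ..., Flags: ...").
        /krbtgt\// { in_tgt = 1 }
        in_tgt && /Flags:/ {
            n = split($0, p, "Flags: ")
            # klist prints uppercase F for forwardable, lowercase f for forwarded.
            result = (index(p[n], "F") > 0) ? 0 : 1
            decided = 1
            exit result
        }
        !/krbtgt\// { in_tgt = 0 }
        END {
            if (!decided) result = 1
            msg = (result == 0) ? "yes" : "no"
            print msg
            exit result
        }
    '
}

# check_current_tgt: the same check against the live credential cache.
check_current_tgt() {
    tgt_forwardable "$(klist -f 2>/dev/null)"
}

# Stand-alone demonstration on the constructed sample.
tgt_forwardable "$SAMPLE_KLIST"
```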
<br>
<hr>
<font face="Arial" color="Gray" size="1">This e-mail message is for the sole use of the intended recipient(s)and may<br>
contain confidential and privileged information of Transaction Network Services.<br>
Any unauthorised review, use, disclosure or distribution is prohibited. If you<br>
are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.<br>
<br>
</font>
</body>
</html>