[Freeipa-devel] SSH Public Key - Centralized Solution

Adam Young ayoung at redhat.com
Tue Dec 23 14:15:34 UTC 2014


On 12/22/2014 08:40 PM, Prashant Bapat wrote:
> Hi,
>
> We are planning to roll out FreeIPA for our AWS infrastructure to be 
> the central authentication service. Initially we plan to use the SSH 
> public keys, user and group management by FreeIPA. We are looking at 
> rolling out the SSS on clients a little later.
>
> Two questions.
>
> 1. We need to be able to ensure that a user is limited to only 2-3 SSH keys.
SSH keys are a string attribute with a validator.  In order to limit the 
number, you would need to modify the plugin here:

https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/util.py#n310

> 2. We need some way of forcing rotation of these keys once in say 90 days.
>
> In our existing setup we use an SSH CA based authentication. It has its 
> own issues. But the rotation is handled by cert expiry every 90 days.

This is going to be harder.  With passwords you can validate on login, 
but there is caching involved with the public key, and I think you would 
need to take that into account to force invalidation.  This is why certs 
are probably a better idea.

Assuming you can flush the public keys fairly regularly, you would want 
to put the expiration checking on the accessor for the key. This is a 
direct ldap fetch and not managed by the IPA plugins.

>
> Any suggestions/help would be appreciated.
>
> Thanks in advance.
>
> --Prashant
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

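The two policy points raised above (capping the number of SSH public keys a user may store, and flagging keys that have passed a 90-day rotation window) as an added Python example. This is not code from the thread or from FreeIPA; it is a stand-alone sketch of the kind of validator Adam points at, where the whole key set is checked at once rather than one string at a time. The function names `validate_sshpubkeys`, `parse_sshpubkey` and `keys_due_for_rotation`, the ISO-8601 "added at" timestamps (which the caller has to record somewhere; the thread does not say IPA keeps them), and the sample keys are all assumptions; the sample key material is constructed placeholder bytes, not real keys.

```python
import base64
import binascii
import struct
from datetime import datetime, timedelta

# Policy values from the thread: a user keeps at most 2-3 keys, rotated every 90 days.
MAX_KEYS = 3
ROTATION_DAYS = 90


def _embedded_type(blob: bytes) -> str:
    """Return the key type string that leads an SSH wire-format public key blob
    (an RFC 4253 'string': 4-byte big-endian length followed by the bytes)."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > len(blob) - 4:
        raise ValueError("malformed type-length field")
    return blob[4:4 + n].decode("ascii")


def parse_sshpubkey(line: str) -> dict:
    """Parse one OpenSSH public key line ('<type> <base64> [comment]').
    Raises ValueError with a reason when the line is not a well-formed key."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key material is not valid base64")
    embedded = _embedded_type(blob)
    # The declared type and the type encoded inside the blob must agree.
    if embedded != keytype:
        raise ValueError(f"declared type {keytype!r} but blob encodes {embedded!r}")
    return {"type": keytype, "blob": blob, "comment": comment}


def validate_sshpubkeys(keys, max_keys: int = MAX_KEYS) -> list:
    """Validate a user's complete set of SSH public keys. Returns a list of
    error strings; an empty list means the set is acceptable. Enforces the
    per-user count limit on top of per-key well-formedness and uniqueness."""
    errors = []
    if len(keys) > max_keys:
        errors.append(f"{len(keys)} keys supplied, at most {max_keys} allowed")
    seen = set()
    for idx, line in enumerate(keys):
        try:
            parsed = parse_sshpubkey(line)
        except ValueError as exc:
            errors.append(f"key {idx}: {exc}")
            continue
        if parsed["blob"] in seen:
            errors.append(f"key {idx}: duplicate of an earlier key")
        seen.add(parsed["blob"])
    return errors


def keys_due_for_rotation(records, now_iso: str, max_age_days: int = ROTATION_DAYS) -> list:
    """records: iterable of (key_line, added_at_iso) pairs, where added_at_iso is
    the ISO-8601 time the key was stored (hypothetical; the caller must keep it).
    Returns the comments of keys older than the rotation window."""
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(days=max_age_days)
    due = []
    for line, added_iso in records:
        if datetime.fromisoformat(added_iso) <= cutoff:
            due.append(parse_sshpubkey(line)["comment"])
    return due


def _blob(keytype: str, material: bytes) -> str:
    """Build a base64 wire-format blob for constructing sample keys."""
    t = keytype.encode()
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", len(material)) + material
    return base64.b64encode(raw).decode()


# Constructed sample keys: the 32-byte material is placeholder data, not real key pairs.
SAMPLE_KEYS = [
    "ssh-ed25519 " + _blob("ssh-ed25519", bytes(range(32))) + " alice@laptop",
    "ssh-ed25519 " + _blob("ssh-ed25519", bytes(range(32, 64))) + " alice@desktop",
]

if __name__ == "__main__":
    print("valid set:", validate_sshpubkeys(SAMPLE_KEYS))
    mislabelled = "ssh-rsa " + _blob("ssh-ed25519", bytes(32)) + " mislabelled"
    for err in validate_sshpubkeys(SAMPLE_KEYS + [mislabelled, SAMPLE_KEYS[0]]):
        print("reject:", err)
    records = [(SAMPLE_KEYS[0], "2014-09-01T00:00:00"), (SAMPLE_KEYS[1], "2014-12-20T00:00:00")]
    print("due for rotation:", keys_due_for_rotation(records, "2014-12-23T00:00:00"))
```

The rotation check is deliberately separate from validation: as the reply notes, the key set is read straight from LDAP on the SSH side and may be cached, so flagging an overdue key here tells you which users to chase, but it does not by itself prevent the old key from working until the cached copy is refreshed.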