[Freeipa-devel] SSH Public Key - Centralized Solution

Prashant Bapat prashant at apigee.com
Tue Dec 23 16:09:40 UTC 2014


Adam,

Thanks much for the reply. I will take a look at the code.

For the expiration part, do you think it would be a good idea to modify the
LDAP schema to include the SSH pubkey upload date and have an external
script scan the keys for their age and alert/remove the keys? If yes,
could you please give me some pointers on how this can be done?

Thanks again.
--Prashant

On 23 December 2014 at 19:45, Adam Young <ayoung at redhat.com> wrote:
>
>  On 12/22/2014 08:40 PM, Prashant Bapat wrote:
>
>  Hi,
>
> We are planning to roll out FreeIPA for our AWS infrastructure to be the
> central authentication service. Initially we plan to use the SSH public
> keys, user and group management by FreeIPA. We are looking at rolling out
> the SSS on clients a little later.
>
>  Two questions.
>
> 1. We need to be able to ensure that a user is limited to only 2-3 SSH
> keys.
>
> SSH keys are a string attribute with a validator.  In order to limit the
> number, you would need to modify the plugin here:
>
>
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/util.py#n310
>
>
>
> 2. We need some way of forcing rotation of these keys once in, say, 90 days.
>
>  In our existing setup we use a SSH CA based authentication. It has its
> own issues. But the rotation is handled by cert expiry every 90 days.
>
>
> This is going to be harder.  With passwords you can validate on login, but
> there is caching involved with the public key, and I think you would need
> to take that into account to force invalidation.  This is why certs are
> probably a better idea.
>
> Assuming you can flush the public keys fairly regularly, you would want to
> put the expiration checking on the accessor for the key.  This is a direct
> ldap fetch and not managed by the IPA plugins.
>
>
>  Any suggestions/help would be appreciated.
>
> Thanks in advance.
>
>  --Prashant
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
>
>
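The external audit script Prashant proposes (and the key-count limit Adam points at in the validator), as an added example written for this thread; it is not code from the thread or from FreeIPA. It is Python because FreeIPA itself is. It runs offline on plain dicts shaped like the attribute map an LDAP search returns for a user entry (values decoded to str). ipaSshPubKey is the attribute FreeIPA stores a user's keys in; sshPubKeyUploaded is a HYPOTHETICAL custom attribute name for the per-key upload date the thread only proposes adding, assumed to hold one LDAP GeneralizedTime value per key in the same order as ipaSshPubKey. The sample users and keys are constructed.

```python
"""Audit FreeIPA user entries for two SSH-key policies from the thread:
at most MAX_KEYS keys per user, and no key older than MAX_AGE_DAYS.

Assumption (labelled): the upload date lives in a hypothetical custom
attribute 'sshPubKeyUploaded', one GeneralizedTime per key, ordered like
'ipaSshPubKey'. Entries are dicts of attribute -> list of str values.
"""
import base64
import hashlib
from datetime import datetime, timedelta, timezone

MAX_KEYS = 3
MAX_AGE_DAYS = 90


def parse_generalized_time(value):
    """LDAP GeneralizedTime in the usual 'YYYYMMDDHHMMSSZ' form -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def key_fingerprint(pubkey):
    """SHA256 fingerprint of an OpenSSH public key line ('type base64blob [comment]'),
    in the form ssh-keygen -lf prints. Returns None if the line is not parseable."""
    parts = pubkey.split()
    if len(parts) < 2:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def audit_user(entry, now=None):
    """Return a list of (uid, finding) tuples for one user entry."""
    if now is None:
        now = datetime.now(timezone.utc)
    uid = entry["uid"][0]
    keys = entry.get("ipaSshPubKey", [])
    uploaded = entry.get("sshPubKeyUploaded", [])  # hypothetical attribute
    findings = []

    # Policy 1: key count. Enforced here after the fact; the same check could
    # sit in the upload-time validator Adam points at in ipalib/util.py.
    if len(keys) > MAX_KEYS:
        findings.append((uid, "too many keys: %d > %d" % (len(keys), MAX_KEYS)))

    # Policy 2: key age, by matching each key to its upload timestamp.
    for i, key in enumerate(keys):
        fp = key_fingerprint(key) or "key #%d (unparseable)" % i
        if i >= len(uploaded):
            findings.append((uid, "%s has no upload date; cannot enforce rotation" % fp))
            continue
        age = now - parse_generalized_time(uploaded[i])
        if age > timedelta(days=MAX_AGE_DAYS):
            findings.append((uid, "%s is %d days old (limit %d)" % (fp, age.days, MAX_AGE_DAYS)))
    return findings


def audit(entries, now=None):
    """Run audit_user over every entry and flatten the findings."""
    out = []
    for entry in entries:
        out.extend(audit_user(entry, now))
    return out


# Constructed sample data (not real keys): a syntactically valid ssh-ed25519 blob
# built from a repeated byte, so the fingerprint path is exercised for real.
def _fake_ed25519_key(seed, comment):
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


NOW = datetime(2014, 12, 23, 16, 0, 0, tzinfo=timezone.utc)  # fixed "now" for the sample
SAMPLE_ENTRIES = [
    {
        "uid": ["alice"],
        "ipaSshPubKey": [_fake_ed25519_key(1, "alice@laptop"),
                         _fake_ed25519_key(2, "alice@ci")],
        "sshPubKeyUploaded": ["20141201120000Z", "20140801120000Z"],  # second is 144 days old
    },
    {
        "uid": ["bob"],
        "ipaSshPubKey": [_fake_ed25519_key(n, "bob%d" % n) for n in range(3, 7)],  # 4 keys
        "sshPubKeyUploaded": ["20141220000000Z"] * 3,  # fourth key has no date
    },
]

if __name__ == "__main__":
    for uid, finding in audit(SAMPLE_ENTRIES, NOW):
        print("%s: %s" % (uid, finding))
```

The script only acts on the directory: as Adam notes, clients cache public keys, so a key removed or flagged here stays usable on a host until that host's cache is refreshed, which is why an expiring certificate gives a harder cutoff than an LDAP attribute.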

