[Freeipa-devel] SSH Public Key - Centralized Solution

Prashant Bapat prashant at apigee.com
Tue Dec 30 00:57:45 UTC 2014


Hi Again,

For enforcing SSH key rotation every N days, I'm thinking the following.
Please let me know if this makes sense.

1. Limit the number of keys per user to 2. Control this via the webUI
during the public key upload.
2. Append the current timestamp to the key during the upload. This gets
stored in LDAP under the "ipaSshPubKey" attribute.
3. Store all the key fingerprints permanently. Need to define a new
attribute for this. Idea is that a ssh key never gets reused. During the
upload verify that the key being uploaded is not already present in the
historical store.
4. On the clients, use a ForcedCommand in the SSH server and verify whether the
timestamp from #2 above is older than N days. Deny the user with an error
message if true, allow if false. Along similar lines to http://www.sshark.org/

Please let me know your thoughts around this. This is the limiting feature
for us to implement FreeIPA in our org right now.

Thanks in advance.

--Prashant

On 23 December 2014 at 21:39, Prashant Bapat <prashant at apigee.com> wrote:

> Adam,
>
> Thanks much for the reply. I will take a look at the code.
>
> For the expiration part, do you think it would be a good idea to modify
> the LDAP schema to include the SSH Pubkey upload date and have a external
> script to scan the keys for their age and alert/remove the keys ? If yes
> could you please give me some pointers on how this can be done ?
>
> Thanks again.
> --Prashant
>
> On 23 December 2014 at 19:45, Adam Young <ayoung at redhat.com> wrote:
>>
>>  On 12/22/2014 08:40 PM, Prashant Bapat wrote:
>>
>>  Hi,
>>
>>  We are planning to roll out FreeIPA for our AWS infrastructure to be
>> the central authentication service. Initially we plan to use the SSH public
>> keys, user and group management by FreeIPA. We are looking at rolling out
>> the SSS on clients a little later.
>>
>>  Two questions.
>>
>>  1. We need to be able to ensure that a user is limited to only 2-3 SSH
>> keys.
>>
>> SSH keys are a string attribute with a validator.  In order to limit the
>> number, you would need to modify the plugin here:
>>
>>
>> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/util.py#n310
>>
>>
>>
>>  2. We need some way of forcing these key rotations once in, say, 90 days.
>>
>>  In our existing setup we use a SSH CA based authentication. It has its
>> own issues. But the rotation is handled by cert expiry every 90 days.
>>
>>
>> This is going to be harder.  With a password you can validate on login, but
>> there is caching involved with the public key, and I think you would need
>> to take that into account to force invalidation.  This is why certs are
>> probably a better idea.
>>
>> Assuming you can flush the public keys fairly regularly, you would want
>> to put the expiration checking on the accessor for the key.  This is a
>> direct ldap fetch and not managed by the IPA plugins.
>>
>>
>>  Any suggestions/help would be appreciated.
>>
>> Thanks in advance.
>>
>>  --Prashant
>>
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>
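The four-step scheme proposed above (per-user key cap, upload timestamp appended to the stored ipaSshPubKey value, a permanent fingerprint history to block reuse, and an age check at login time) can be sketched end to end as follows. This is an added example written for this page, not code from FreeIPA, SSSD or the poster; it assumes a hypothetical `upload-ts=<ISO-8601>` token appended to the key's comment field as the "timestamp" of step 2, builds its own constructed ed25519 key blobs so it runs offline, and uses an in-memory set in place of the new LDAP attribute of step 3. Fingerprints are computed the way OpenSSH prints SHA256 fingerprints (base64 of the SHA-256 of the raw key blob, padding stripped).

```python
"""Added example: enforce the SSH key-rotation scheme sketched in the post.

Assumptions (not FreeIPA behaviour): the upload timestamp is appended to the
key line as an 'upload-ts=' token, and the fingerprint history is a plain set.
"""
import base64
import hashlib
import struct
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2   # step 1 of the post
MAX_KEY_AGE_DAYS = 90   # the "N days" of step 4
TS_TAG = "upload-ts="   # assumed token format for the appended timestamp
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey(raw32: bytes, comment: str = "") -> str:
    """Build an authorized_keys-style line from a constructed 32-byte ed25519 key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the key blob (the second field)."""
    blob = base64.b64decode(key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def stamp_key(key_line: str, uploaded_at: datetime) -> str:
    """Step 2: append the upload timestamp before the value is stored in ipaSshPubKey."""
    return f"{key_line} {TS_TAG}{uploaded_at.strftime(TS_FMT)}"


def upload_time(stored_key: str):
    """Recover the timestamp appended by stamp_key(); None if the key was never stamped."""
    for tok in stored_key.split():
        if tok.startswith(TS_TAG):
            return datetime.strptime(tok[len(TS_TAG):], TS_FMT).replace(tzinfo=timezone.utc)
    return None


def accept_upload(new_key: str, existing_keys, fingerprint_history: set, uploaded_at: datetime):
    """Steps 1-3, run at upload time. Returns (accepted, reason, value_to_store)."""
    if len(existing_keys) >= MAX_KEYS_PER_USER:
        return False, "too many keys", None
    fp = fingerprint(new_key)
    if fp in fingerprint_history:          # step 3: a key is never reused
        return False, "key reuse", None
    fingerprint_history.add(fp)            # recorded permanently, even after the key is removed
    return True, "ok", stamp_key(new_key, uploaded_at)


def login_allowed(stored_key: str, now: datetime):
    """Step 4: the decision a ForceCommand wrapper makes before handing over the session."""
    ts = upload_time(stored_key)
    if ts is None:
        return False, "unstamped key"      # fail closed: no timestamp, no login
    if now - ts > timedelta(days=MAX_KEY_AGE_DAYS):
        return False, "key older than N days"
    return True, "ok"


if __name__ == "__main__":
    # Constructed keys for demonstration; the raw bytes are not real key material.
    history = set()
    t0 = datetime(2014, 12, 30, 0, 57, 45, tzinfo=timezone.utc)
    k1 = make_ed25519_pubkey(bytes(range(32)), "alice@laptop")
    ok, why, stored = accept_upload(k1, [], history, t0)
    print(ok, why, stored)
    print(login_allowed(stored, t0 + timedelta(days=91)))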
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141230/fdcb5b86/attachment.htm>


More information about the Freeipa-devel mailing list