[Freeipa-users] Cross-realm trust with AD and ssh keys management

Sumit Bose sbose at redhat.com
Wed Sep 25 09:15:43 UTC 2013


On Wed, Sep 25, 2013 at 12:01:38PM +0300, Alexander Bokovoy wrote:
> On Wed, 25 Sep 2013, Sumit Bose wrote:
> >On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:
> >>On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
> >>> On Tue, 24 Sep 2013, Alexandre Ellert wrote:
> >>>> Hi,
> >>>>
> >>>> I've successfully setup a testing environment with an IPA server (RHEL 6.4)
> >>>> and a cross realm trust with my Active Directory (Win2008 R2).
> >>>> Authentication works both with AD passwords and Kerberos GSS-API.
> >>>>
> >>>> Now, I'm trying to find a way to manage SSH keys which belong to AD
> >>>> users. It seems that I can do that only with users declared in the IPA
> >>>> domain. Can you confirm that?
> >>> Yes. AD users do not exist physically in IPA LDAP, therefore there is no
> >>> object to assign attributes into.
> >>>> Does winsync method provide a way to add ssh key to an AD user ?
> >>> Under winsync AD users would become 'normal' LDAP objects in IPA,
> >>> therefore you can assign additional values/attributes to them.
> >>
> >>Though note that with winsync, one would lose all the SSO capabilities...
> >>
> >>Alexander, I am just thinking about possibilities. We now have the concept of
> >>external groups in FreeIPA which one can then use as members of normal POSIX
> >>groups and use them in HBAC or other policies.
> >>
> >>Would it be possible to create "external users", i.e. user entries identified
> >>by FQDN/SID and then be able to assign selected set of user attributes (like
> >>SSH public key, home directory, shell...) which could then be leveraged by SSSD?
> >
> >Does anyone know if there is a ssh key management solution for AD? If
> >yes, I think it would be better to use this and enhance SSSD to fetch
> >them from AD. The data can then be stored in the sssd cache on the IPA
> >servers and distributed to the IPA clients with the LDAP exop we already
> >use to make the AD users available to the clients.
> Yes, there are a few commercial solutions. Many of them use their own
> schemes, so supporting them would require working with multiple different
> schemes.
> 
> http://tools.ietf.org/html/draft-ylonen-sshkeybcp-01 describes recommended practices.

Thank you for the details. So it looks like this might be an interesting
RFE.

bye,
Sumit

> 
> 
> -- 
> / Alexander Bokovoy
