[Freeipa-users] Cross-realm trust with AD and ssh keys management

Dmitri Pal dpal at redhat.com
Thu Sep 26 01:52:38 UTC 2013 

On 09/25/2013 06:34 AM, Martin Kosek wrote:
> On 09/25/2013 11:15 AM, Sumit Bose wrote:
>> On Wed, Sep 25, 2013 at 12:01:38PM +0300, Alexander Bokovoy wrote:
>>> On Wed, 25 Sep 2013, Sumit Bose wrote:
>>>> On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:
>>>>> On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
>>>>>> On Tue, 24 Sep 2013, Alexandre Ellert wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've successfully setup a testing environment with an IPA server (RHEL 6.4)
>>>>>>> and a cross realm trust with my Active Directory (Win2008 R2).
>>>>>>> Authentication works both with AD passwords and Kerberos GSS-API.
>>>>>>>
>>>>>>> Now, I'm trying to find the way to manage ssh key which belong to AD
>>>>>>> users. It seems that I can do that only with users declared on IPA
>>>>>>> domain.  Can you confirm that ?
>>>>>> Yes. AD users do not exist physically in IPA LDAP, therefore there is no
>>>>>> object to assign attributes into.
>>>>>>> Does winsync method provide a way to add ssh key to an AD user ?
>>>>>> Under winsync AD users would become 'normal' LDAP objects in IPA,
>>>>>> therefore you can assign additional values/attributes to them.
>>>>> Though note that winsync, one would loose all the SSO capabilities...
>>>>>
>>>>> Alexander, I am just thinking about possibilities. We now have the concept of
>>>>> external groups in FreeIPA which one can then use as members of normal POSIX
>>>>> groups and use them in HBAC or other policies.
>>>>>
>>>>> Would it be possible to create "external users", i.e. user entries identified
>>>>> by FQDN/SID and then be able to assign selected set of user attributes (like
>>>>> SSH public key, home directory, shell...) which could then be leveraged by SSSD?
>>>> Does anyone know if there is a ssh key management solution for AD? If
>>>> yes, I think it would be better to use this and enhance SSSD to fetch
>>>> them from AD. The data can then be stored in the sssd cache on the IPA
>>>> servers and distributed to the IPA clients with the LDAP exop we already
>>>> use to make the AD users available to the clients.
>>> Yes, there are few commercial solutions. Many of them use their own
>>> schemes so supporting them would need to work on multiple different
>>> schemes.
>>>
>>> http://tools.ietf.org/html/draft-ylonen-sshkeybcp-01 describes recommended practices.
>> Thank you for the details. So it looks that this might be an interesting
>> RFE.
>>
>> bye,
>> Sumit
> Agreed.
>
> I filed a RFE ticket: https://fedorahosted.org/sssd/ticket/2099
>
> Martin
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


And to get back to the original question. When you have trusts and HBAC
why do you need SSH keys?
They do not add any value and become a burden to manage.
You can use you Kerberos ticket to access systems you need and systems
would check if you are allowed to access so I fail to see the need for
the SSH in this case at all. What am I missing?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

More information about the Freeipa-users mailing list