[Freeipa-users] Not able to replicate user keys across master and client
Brian Candler
b.candler at pobox.com
Sun Jan 15 18:25:39 UTC 2017
On 12/01/2017 10:59, hirofumi.morikawa at accenture.com wrote:
>
> Let me further clarify the question that is asked by Niraj below.
>
> Currently, we have 1 master FreeIPA server and 1 client server.
> Evaluating your product for production deployment
>
> Master and client connectivity is established, and when creating the
> user in the web console, it is indeed creating the user on the client
> machine.
>
> However, when we add a public key through the web console below, this
> key is not created (or transferred) on the client machine.
>
That's correct: it doesn't copy them anywhere, nor is it supposed to.
Instead, the keys sit in the FreeIPA LDAP database. When you install the
ipa-client package on a host, it configures sshd so it communicates via
sssd to query the authorized keys in LDAP. You will find:
# /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
# /etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, sudo
That means you have central control of your authorized_keys with
FreeIPA, without copying them onto every host's filesystem.
You also have central control of your user accounts, group memberships,
uid and gid mappings, sudo policy, host access policy (i.e. which users
are allowed to log in to which hosts), ... All this is done via sssd and
LDAP as well.
HTH,
Brian.
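The mechanism Brian describes (sshd asks sss_ssh_authorizedkeys, which asks sssd, which asks the FreeIPA LDAP server) only works if both halves of the client configuration are in place. The script below is an added example, not code from the mail or from the FreeIPA project: it checks an sshd_config and an sssd.conf for the two settings Brian quotes and, on a real client, shows what sshd would see for a given user. The sample config files are constructed inline; the `AuthorizedKeysCommandUser nobody` line and the `/etc/sssd/sssd.conf` path are assumptions about what ipa-client-install writes (OpenSSH refuses an AuthorizedKeysCommand without an AuthorizedKeysCommandUser).

```shell
#!/bin/sh
# Added example (not part of the original mail or of FreeIPA).
# Verifies that a FreeIPA client host is wired up so sshd pulls authorized
# keys from LDAP via sssd instead of ~/.ssh/authorized_keys. Sample configs
# below are constructed for the demonstration; directive values are
# assumptions about what ipa-client-install writes.

# Return 0 if sshd_config ($1) delegates key lookup to sss_ssh_authorizedkeys.
# Both directives must be present and uncommented: OpenSSH requires
# AuthorizedKeysCommandUser whenever AuthorizedKeysCommand is set.
check_sshd_config() {
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/usr/bin/sss_ssh_authorizedkeys([[:space:]]|$)' "$1" || return 1
    grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+[^[:space:]#]+' "$1" || return 1
}

# Return 0 if the [sssd] section of sssd.conf ($1) lists "ssh" among its
# services; without the ssh responder sss_ssh_authorizedkeys has nothing to
# query and sshd sees no keys at all.
check_sssd_services() {
    sed -n '/^\[sssd\]/,/^\[/p' "$1" |
        grep -Eq '^[[:space:]]*services[[:space:]]*=[[:space:]]*(.*[[:space:],])?ssh([[:space:],]|$)'
}

# On a real client: run both checks against the live files, then print the
# key lines sshd would receive for user $1 (exactly what sshd runs at login).
# An empty result means sshd will accept no key for that user.
verify_client() {
    check_sshd_config /etc/ssh/sshd_config ||
        { echo "sshd_config does not use sss_ssh_authorizedkeys"; return 1; }
    check_sssd_services /etc/sssd/sssd.conf ||
        { echo "sssd.conf: ssh responder not enabled"; return 1; }
    if command -v sss_ssh_authorizedkeys >/dev/null 2>&1; then
        sss_ssh_authorizedkeys "$1"
    fi
}

# ---- constructed sample configs (not taken from any real host) ----
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

GOOD_SSHD="$SAMPLES/sshd_config.good"
cat > "$GOOD_SSHD" <<'EOF'
# constructed: what ipa-client-install is assumed to write
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF

BAD_SSHD="$SAMPLES/sshd_config.bad"
cat > "$BAD_SSHD" <<'EOF'
# constructed: directives commented out, sshd falls back to ~/.ssh/authorized_keys
#AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
#AuthorizedKeysCommandUser nobody
EOF

GOOD_SSSD="$SAMPLES/sssd.conf.good"
cat > "$GOOD_SSSD" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
domains = example.test

[ssh]
EOF

BAD_SSSD="$SAMPLES/sssd.conf.bad"
cat > "$BAD_SSSD" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = example.test
EOF

# Stand-alone run: report on the constructed samples, then on the live host
# if a username was given.
for f in "$GOOD_SSHD" "$BAD_SSHD"; do
    if check_sshd_config "$f"; then echo "ok   $f"; else echo "FAIL $f"; fi
done
for f in "$GOOD_SSSD" "$BAD_SSSD"; do
    if check_sssd_services "$f"; then echo "ok   $f"; else echo "FAIL $f"; fi
done
if [ $# -gt 0 ]; then
    verify_client "$1"
fi
```

Run it as root on the client with an IPA username (`sh check-ipa-ssh.sh alice`, assuming that file name) after adding the key in the web console: the lines printed by sss_ssh_authorizedkeys are the keys that came from LDAP, with nothing ever written under the user's home directory.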