Tuesday, May 27, 2014

Re: [389-users] Schema for sss_ssh_authorizedkeys

On Tue, May 27, 2014 at 7:10 AM, Rob Crittenden <rcritten@redhat.com> wrote:
> Trey Dockendorf wrote:
>> I'm attempting to manage user ssh authorized keys in 389 with clients
>> using SSSD. I came across the RHEL docs [1] regarding the
>> sss_ssh_authorizedkeys application but I do not see mention of the
>> expected attributes for a user account to use this method. Does 389
>> include the necessary schema? If so, what attributes should I look
>> into? If the schema does not exist, is there a place I can reference to
>> see how FreeIPA implements the schema to then add as a custom schema to
>> my 389 instance?
>
> There is some training material on this at
> http://www.freeipa.org/images/1/1f/Freeipa30_SSH_Public_Keys.odp
>
> The schema is buried in
> https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/60basev3.ldif.
> Look for ipaSsh*

Thanks, I'll look into adding those schema elements to my 389 instance.

>
>> I realize FreeIPA contains this functionality but I can not use FreeIPA
>> because our authentication is provided by our campus' Kerberos realm and
>> we use 389 PAM pass through plugin to authenticate users. As far as I'm
>> aware this functionality cannot be used in FreeIPA without OTP which is
>> not available in EL6 or EL7.
>
> ssh keys have nothing to do with OTP. Support for managing ssh keys has
> been available in FreeIPA for quite some time now.

Sorry, I was a bit vague in my statement. I should have said "As far
as I'm aware the PAM pass through to external Kerberos cannot be used
in FreeIPA without OTP".

>
> rob
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

No comments:

Post a Comment