[olug] Making SSH key distribution and verification easier

Rob Townley rob.townley at gmail.com
Thu Feb 9 18:40:37 UTC 2012


I don't remember key fingerprints, let alone go to the trouble of
verifying. Currently, with DNSSEC and SSH fingerprint DNS resource
records, one can remove some of the drudgery of hand verifying public
key signatures.

With FreeIPA using DNSSEC and automating the verification,
distribution and redistribution of ssh keys for both machine and user
via LDAP, it should be easier yet once these patches are applied.

For the fun of it, I put some SSHFP keys into a DNS server because the
documentation in man ssh was just too easy. (However, since we are
not doing DNSSEC yet, it does not do much.)

http://tools.ietf.org/html/rfc4255


Fwd: [Freeipa-devel] [PATCHES] 59-65 SSH public key management

---------- Forwarded message ----------
From: Jan Cholasta <jcholast at redhat.com>
Date: Wed, Dec 7, 2011 at 10:28 AM
Subject: [Freeipa-devel] [PATCHES] 59-65 SSH public key management
To: freeipa-devel <freeipa-devel at redhat.com>


Hi,

this patchset fixes the following tickets:

https://fedorahosted.org/freeipa/ticket/754
https://fedorahosted.org/freeipa/ticket/1634
https://fedorahosted.org/freeipa/ticket/1978


[PATCH] 59 Add LDAP schema for SSH public keys.

[PATCH] 60 Add LDAP ACIs for SSH public key schema.

[PATCH] 61 Add support for SSH public keys to user and host objects.

This patch adds a new multivalue param "sshpubkey" for specifying SSH
public keys to both user and host objects. The accepted value is
base64-encoded public key blob as specified in RFC4253, section 6.6.

Additionally, host commands automatically update DNS SSHFP records when
requested by the user.

[PATCH] 62 Add API initialization to ipa-client-install.

This change makes it possible to call IPA commands from ipa-client-install.

[PATCH] 63 Move the nsupdate functionality to a separate function in
ipa-client-install.

[PATCH] 64 Update host SSH public keys on the server during client install.

This is done by calling host-mod to update the keys on IPA server and
nsupdate to update DNS SSHFP records. DNS update can be disabled using
--no-dns-sshfp ipa-client-install option.

[PATCH] 65 Configure ssh and sshd during ipa-client-install.

For ssh, the VerifyHostKeyDNS option is enabled.

For sshd, the KerberosAuthentication, GSSAPIAuthentication and UsePAM
options are enabled (this can be disabled using the --no-sshd
ipa-client-install option).


Note that user impersonation is not part of this patchset; I'm still
working on it.

Honza

--
Jan Cholasta

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
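As an added illustration of the SSHFP mechanism Rob mentions and that patches 61 and 64 automate (example code, not part of the original post or of FreeIPA), this derives an SSHFP record from an OpenSSH public key line per RFC 4255 and checks a presented key against a published record. It goes beyond RFC 4255 by including the ECDSA, Ed25519 and SHA-256 code points from RFC 6594 and RFC 7479; the Ed25519 key blob is constructed, not a real host key.

```python
import base64
import hashlib
import struct

# Algorithm numbers: 1 and 2 from RFC 4255; 3 (ECDSA) from RFC 6594; 4 (Ed25519) from RFC 7479.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
                    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}
# Fingerprint types: 1 (SHA-1) from RFC 4255; 2 (SHA-256) from RFC 6594.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_pubkey_line(line):
    """Return (key type, decoded blob) from an 'ssh-rsa AAAA... comment' line.
    The blob is the base64 field (RFC 4253 section 6.6), which is what SSHFP hashes."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with its own type string; a mismatch means a mangled line.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type field does not match blob contents")
    return key_type, blob

def sshfp_rdata(line, fptype=2):
    """Build the SSHFP RDATA text '<algorithm> <fptype> <hex fingerprint>' for a key line."""
    key_type, blob = parse_pubkey_line(line)
    return f"{SSHFP_ALGORITHMS[key_type]} {fptype} {SSHFP_HASHES[fptype](blob).hexdigest()}"

def sshfp_matches(rdata, line):
    """Check a published SSHFP record against the key a host presented.
    Malformed records and unknown algorithm/fingerprint numbers count as no match."""
    try:
        algorithm, fptype, fingerprint = rdata.split()
        algorithm, fptype = int(algorithm), int(fptype)
        key_type, blob = parse_pubkey_line(line)
    except (ValueError, struct.error):
        return False
    if SSHFP_ALGORITHMS.get(key_type) != algorithm or fptype not in SSHFP_HASHES:
        return False
    return SSHFP_HASHES[fptype](blob).hexdigest() == fingerprint.lower()

# Constructed sample: an Ed25519-shaped blob with a dummy 32-byte key, not a real host key.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_blob).decode("ascii") + " constructed@example"

if __name__ == "__main__":
    for fptype in SSHFP_HASHES:
        print("host.example. IN SSHFP", sshfp_rdata(SAMPLE_KEY_LINE, fptype))
```

Without DNSSEC validation on the resolver path, a matching record only tells ssh that the DNS answer agreed with the host key, which is the limitation Rob notes above.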
