#754 Manage SSH keys
Closed: Fixed None Opened 13 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=766068

Add a way to manage SSH keys, hosts and other elements centrally.

Here are some ideas from our attempt to reach out to the SSH community:

1) Centrally managing the user public keys. Instead of having user public keys in a key file on each system, the appropriate key(s) can be delivered to the server host via SSSD and IPA (or another LDAP server). It is similar to the openssh-lpk effort but a bit different (see below).

2) Centrally managing fingerprints of the server keys. If the server host fingerprint is loaded into a central server like IPA, SSSD would be able to get and cache it. openssh in turn can fetch it from SSSD on an as-needed basis and do a silent fingerprint verification without requiring user interaction. I see that there is a DNS option supported, but this lacks the caching that SSSD will be able to provide.

3) IPA introduces the concept of hosts and host groups. SSSD has/will have the capability to take advantage of such functionality. This means that SSSD would be able to help openssh with .shosts and .rhosts contents too.

It would be nice to have some kind of pluggable interface in openssh that would abstract the source of the public keys, fingerprints and access checks (maybe something else we can help with too). Such a pluggable interface would allow projects like openssh-lpk and SSSD to build pluggable providers for those crucial pieces of information.
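The silent fingerprint check from idea 2 and the per-user key delivery from idea 1, as an added example that is not code from the ticket, SSSD or FreeIPA: the dictionaries stand in for the central store (IPA/LDAP) that SSSD would cache, and all key material is constructed here rather than taken from a real host.

```python
import base64
import hashlib
import struct


def ssh_fingerprint(key_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of one public key line."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(parts[1], validate=True)
    # The wire blob starts with the key type string; it must match the text type,
    # otherwise the line has been tampered with or mis-pasted.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode(errors="replace") != parts[0]:
        raise ValueError("key type mismatch")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(host: str, presented_key_line: str, central_fps: dict) -> str:
    """Idea 2: compare the key a server presents with the fingerprint published
    centrally for that host. Returns 'match', 'MISMATCH' or 'unknown'; only
    'match' should let a client proceed without asking the user."""
    expected = central_fps.get(host)
    if expected is None:
        return "unknown"
    return "match" if ssh_fingerprint(presented_key_line) == expected else "MISMATCH"


def authorized_keys_for(user: str, central_user_keys: dict) -> list:
    """Idea 1: produce the authorized_keys lines for a user from the central
    store, dropping anything that does not parse as a public key."""
    lines = []
    for line in central_user_keys.get(user, []):
        try:
            ssh_fingerprint(line)
        except (ValueError, struct.error):
            continue
        lines.append(line)
    return lines


def make_ed25519_line(raw32: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from 32 raw bytes
    (constructed test data; the bytes are not a real key)."""
    ktype = b"ssh-ed25519"
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()
```

A real provider would fill `central_fps` and `central_user_keys` from LDAP and cache them the way the ticket expects SSSD to.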


Start the investigation and come up with the design.

Moving the ticket to the next month iteration.

Moving to next month iteration.

master:
431286a
6488378
e5c0750
ca3f304
3c2b0fc
9b6baf9
63ea0a3

ipa-2-2:
9625bf4
dc5c6b1
f2d3f91
36eefa2
502eafb
8539044
0708ea2

Metadata Update from @dpal:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02

7 years ago
