[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: attribute for storing SSH RSA host keys

On 04/16/2014 11:20 AM, Michael Ströder wrote:
> It's quite usual nowadays to use this when dealing with SSH keys in LDAP entries:
> https://code.google.com/p/openssh-lpk/

Found this in sshd_config(5):

             Specifies a program to be used to look up the user's public keys.
             The program must be owned by root and not writable by group or
             others.  It will be invoked with a single argument of the
             username being authenticated, and should produce on standard
             output zero or more lines of authorized_keys output (see
             AUTHORIZED_KEYS in sshd(8) <http://www.openssh.com/cgi-bin/man.cgi?query=sshd&sektion=8&arch=&apropos=0&manpath=OpenBSD+Current>).  If a key supplied by
             AuthorizedKeysCommand does not successfully authenticate and
             authorize the user then public key authentication continues using
             the usual *AuthorizedKeysFile* files.  By default, no
             AuthorizedKeysCommand is run

> The schema file:
> http://code.google.com/p/openssh-lpk/source/browse/trunk/schemas/openssh-lpk_openldap.schema

You would still need a schema like that, though, but at least no
patching OpenSSH anymore.