[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: attribute for storing SSH RSA host keys

To: Mike Jackson <mj@netauth.com>
Subject: Re: attribute for storing SSH RSA host keys
From: Michael Ströder <michael@stroeder.com>
Date: Wed, 16 Apr 2014 23:20:25 +0200
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <24B82E89-C89D-4D42-B4CE-E08A9BD13F88@netauth.com>
References: <1397640920.30162.YahooMailNeo@web162501.mail.bf1.yahoo.com> <534EB3D3.804@stroeder.com> <24B82E89-C89D-4D42-B4CE-E08A9BD13F88@netauth.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25

Mike Jackson wrote:
> 
> On 16 Apr 2014, at 19.46, Michael Ströder <michael@stroeder.com> wrote:
> 
>> ML mail wrote:
>>> On my already existing OpenLDAP server I would like to add an attribute in
>>> order to store SSH RSA host keys. Currently there are no such attributes
>>> (for example: sshRSAHostKey) in any standard schemas.
>>>
>>> What would be the best strategy to add this attribute to my OpenLDAP
>>> server? Create a new objectClass? or simply add it to another already
>>> standard objectClass such as the NIS schema?
>>
>> Do you already have LDAP entries representing your host/systems? That's really
>> hard part.
>>
>> If you already have host entries, you can simply add aux object class
>> 'ldapPublicKey' to this entries and put the various host keys (different
>> algorithms) in the multi-valued attribute 'sshPublicKey'.
> 
> There doesn’t exist any sort of objectClass named ldapPublicKey in any
> standard LDAP objectClasses or in any submitted RFCs.

It's quite usual nowadays to use this when dealing with SSH keys in LDAP entries:

https://code.google.com/p/openssh-lpk/

The schema file:

http://code.google.com/p/openssh-lpk/source/browse/trunk/schemas/openssh-lpk_openldap.schema

> Of course anybody can register an OID with IANA and create their own
> schema, but it would really be best for the OpenBSD project to publish an
> SSH LDAP schema under 1.3.6.1.4.1.30155 .
> Nobody benefits when people who are not authoritative start publishing
> schema and OIDs to blog posts and HOWTOs around the net. What eventually
> ends up happening is that search results turn up multiple schemas assigning
> different OIDs to the same named objectClasses and attributes, people use
> them, and the OID, objectClass, and attribute namespaces all go into
> conflict.There are a lot of people who try to write LDAP schema just to get
> something working, who have absolutely zero idea of what an OID namespace
> means. Here in the LDAP world, we live by the IANA assigned namespace so
> that’s what we need to abide by.

Sorry, after 15 years working with LDAP I still assign OIDs from my own OID
arc - huhuhu - even when writing I-Ds.

> A better strategy would be to model these things with "ObjectClass:
> extensibleObject” in the short term and wait for something official.

Whatever you mean by "official".

But the worst recommendation you can ever give to someone is to use
'extensibleObject' which disables all schema checking for that entry. That
really sucks.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Follow-Ups:
- Re: attribute for storing SSH RSA host keys
  - From: Stephan Fabel <sfabel@hawaii.edu>

References:
- attribute for storing SSH RSA host keys
  - From: ML mail <mlnospam@yahoo.com>
- Re: attribute for storing SSH RSA host keys
  - From: Michael Ströder <michael@stroeder.com>
- Re: attribute for storing SSH RSA host keys
  - From: Mike Jackson <mj@netauth.com>

Prev by Date: Re: attribute for storing SSH RSA host keys
Next by Date: Re: attribute for storing SSH RSA host keys
Index(es):
- Chronological
- Thread