Hi all,

At my organisation we have an LDAP infrastructure built on OpenLDAP,
between Unix boxes running OpenSSH at multiple sites. It works well but
the SSH key management is something of an inconvenience, especially as we
would like to implement SSO with ssh-agent and passphrased keys.

There is an OpenSSH patch called LPK which can allow the authorized_keys
to be stored in LDAP, and that would be really useful in our environment.
However we don't really want to maintain our own packages, and our default
distro doesn't want to supply packages with the LPK patch as long as it's
not supported upstream.

So I'd like to request that you consider the LPK patch for merging into
OpenSSH. You can find it here:

http://dev.inversepath.com/trac/openssh-lpk

Here is the description of what specifically we are trying to achieve:

http://dev.inversepath.com/openssh-l...osdem_2006.pdf

In particular: "The final goal is cross-platform authentication, being
able to manage users globally on the LDAP server, without performing any
action on the server pool (scalability for add/revoke a user to N servers
scenarios)"

And here is another page giving another good reason for using LPK:

http://blog.fupps.com/2006/03/02/ssh...eys-from-ldap/

"What happens when you have dozens or more [machines]? You have to
maintain your public keys on all those systems, ensuring they are kept up
to date. God forbid that you lose your private key, or that it becomes
compromised: you'd have to quickly change all the authorized_keys files on
all machines!"

I'm not the developer of the patch, but if there are specific issues that
need to be addressed then I'd be happy to coordinate with the maintainer
and/or lend a hand to see them addressed.

Cheers, Chris.
--
_____ __ _
\ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev