openssh keys in ldap
Simon Wilkinson
simon at sxw.org.uk
Tue Jul 17 04:39:45 EST 2001
On Monday 16 July 2001 15:16, you wrote:
> Is there any work going into placing keys in a central directory such as
> LDAP ?
We're doing it ...
I've got a script which uploads the keys to the LDAP server (over a Kerberos
authenticated connection) and generates the ssh_known_hosts file (again using
a Kerberos authenticated connection). We drive this from an rc.d style script
which generates and uploads the key as necessary, and updates the known_hosts
file nightly. All of this doesn't require touching the ssh code base at all.
Our LDAP map is RFC2307-compliant - we add a new 'sshHost' auxiliary object
class to the host records in it, which adds 'sshKey' and 'sshRSAKey'
attributes to each host's information. These are used for version 2 and
version 1 host keys respectively - the sshKey attribute is multi-valued
allowing the use of different types of version 2 keys.
If you're interested I can package up the script, our schema definitions, and
the (OpenLDAP) server configuration that's required to make all of this work
and make it available.
Cheers,
Simon.
--
Simon Wilkinson <simon at sxw.org.uk> http://www.sxw.org.uk
"I don't want to live on in my work, I want to live on in my apartment."
-- Woody Allen
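The ssh_known_hosts generation step described in the post, as an added example that is not Simon's script, schema or server configuration. It assumes RFC 2307 ipHost entries (cn, ipHostNumber) carrying an auxiliary sshHost class with a multi-valued sshKey attribute (protocol 2 keys) and an sshRSAKey attribute (protocol 1 key), exactly as the post names them; the LDIF it reads is constructed inline to stand in for a directory search result, and the key blobs in it are dummies, not real keys. Before an entry is written to known_hosts it checks that each sshKey value is well-formed and that the length-prefixed type string inside the base64 blob matches the declared key type, so a corrupted or mistyped directory value is dropped rather than silently poisoning every client's known_hosts file.

```python
"""Generate ssh_known_hosts lines from LDAP host entries.

Added example (hypothetical code, not the script or schema from the post).
Assumes RFC 2307 ipHost entries with the auxiliary sshHost class described
on the list: sshKey (multi-valued, protocol 2) and sshRSAKey (protocol 1).
"""
import base64
import struct
from typing import Dict, List

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: unfolds continuation lines, decodes '::' base64
    values, collects multi-valued attributes. Attribute names are lowercased
    because LDAP attribute names are case-insensitive."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:          # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                      # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode()
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def key_blob_matches(key_type: str, blob_b64: str) -> bool:
    """True if the base64 blob decodes and its first length-prefixed string
    (the SSH wire-format key type) equals the declared key type."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:                               # binascii.Error is a ValueError
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] == key_type.encode()


def known_hosts_lines(entries: List[Entry]) -> List[str]:
    """Emit one known_hosts line per validated host key; hosts without the
    sshHost object class and malformed key values are skipped."""
    lines: List[str] = []
    for e in entries:
        if not any(oc.lower() == "sshhost" for oc in e.get("objectclass", [])):
            continue
        names = e.get("cn", []) + e.get("iphostnumber", [])
        if not names:
            continue
        hostfield = ",".join(names)
        for value in e.get("sshkey", []):             # protocol 2: "type blob [comment]"
            parts = value.split()
            if len(parts) >= 2 and key_blob_matches(parts[0], parts[1]):
                lines.append(f"{hostfield} {parts[0]} {parts[1]}")
        for value in e.get("sshrsakey", []):          # protocol 1: "bits exponent modulus"
            parts = value.split()
            if len(parts) == 3 and all(p.isdigit() for p in parts):
                lines.append(f"{hostfield} {' '.join(parts)}")
    return lines


def _blob(key_type: str) -> str:
    """Constructed key blob: length-prefixed type string plus two dummy
    mpint fields. Not a usable key; it only exercises the format check."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode()
    raw += struct.pack(">I", 1) + b"\x03" + struct.pack(">I", 1) + b"\x05"
    return base64.b64encode(raw).decode()


_DSS = _blob("ssh-dss")
# Constructed directory content: alpha is an sshHost (one folded sshKey line,
# one sshKey whose declared type does not match its blob); beta is a plain ipHost.
SAMPLE_LDIF = f"""\
dn: cn=alpha,ou=Hosts,dc=example,dc=org
objectClass: top
objectClass: device
objectClass: ipHost
objectClass: sshHost
cn: alpha
cn: alpha.example.org
ipHostNumber: 192.0.2.10
sshKey: ssh-rsa {_blob('ssh-rsa')} root@alpha
sshKey: ssh-dss {_DSS[:10]}
 {_DSS[10:]}
sshKey: ssh-rsa {_DSS} mismatched-type
sshRSAKey: 1024 35 1234567890
description:: {base64.b64encode(b'alpha host').decode()}

dn: cn=beta,ou=Hosts,dc=example,dc=org
objectClass: top
objectClass: device
objectClass: ipHost
cn: beta
ipHostNumber: 192.0.2.11
"""

if __name__ == "__main__":
    for line in known_hosts_lines(parse_ldif(SAMPLE_LDIF)):
        print(line)
```

Run as a script it prints three lines for alpha (two protocol 2 keys and the protocol 1 key) and nothing for beta; the sshKey value whose blob is a DSS key but is declared as ssh-rsa is dropped. In a real deployment the LDIF would come from an LDAP search over the Kerberos-authenticated connection the post describes, and the output would be written to ssh_known_hosts with a temporary file and an atomic rename so clients never see a half-written file.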