Public storage for public keys

Ed Phillips ed at UDel.Edu
Tue Jan 15 09:10:12 EST 2002


On Mon, 14 Jan 2002, Simon Wilkinson wrote:

> Date: Mon, 14 Jan 2002 21:38:40 +0000 (GMT)
> From: Simon Wilkinson <sxw at dcs.ed.ac.uk>
> To: openssh-unix-dev at mindrot.org
> Subject: Re: Public storage for public keys
>
> On Mon, 14 Jan 2002, Markus Friedl wrote:
>
> > how can you trust ldap? or dns?
>
> In the LDAP case, you use a connection method that securely authenticates
> the server. The two obvious options here are Kerberos or TLS. Of course,
> if you're using Kerberos you can just use GSSAPI key exchange, and you
> don't need to distribute your public keys, but that's another can of worms.
>
> I've got code that pushes both ssh v1 and v2 keys into LDAP and uses this
> to maintain known hosts maps. I've been promising to package this up and
> distribute it for ages - it's now nearing the top of my list.

That would be nice... ssh could query the LDAP directory to decide if sshd
on the server side is who it claims to be, instead of looking in
~/.ssh/known_hosts.  Very nice... especially for sites where there are
many server keys that ssh must verify.

What attribute do you use in your code for storing host public keys in the
LDAP directory?  What class(es) do you use for the "known_hosts" entries
that hold these attribute values?  Are these custom-defined
attributes/classes or has someone already done this and put it in an RFC?

I was thinking about the possibility of putting public keys for users into
an LDAP directory so that users would be able to use RSA authentication
to login to a server... but instead of sshd using ~/.ssh/authorized_keys
on the server side, it would fetch the user's public key from the
directory.  Have you tried implementing anything like this?

Thanks,

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
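The "maintain known hosts maps from LDAP" idea discussed in this thread, as an added example that is not Simon's code and not part of the original post. It reads an LDIF export of host entries (constructed inline here) and emits known_hosts lines. The attribute and objectClass names (sshPublicKey, ldapPublicKey) are an assumption borrowed from the openssh-lpk schema; the thread never says which attributes Simon's code uses. The part worth noticing is the check: each key is base64-decoded and the type string embedded in the key blob is compared with the declared type, so a mislabelled or mangled directory value is rejected instead of being written into the map. As Simon's reply points out, none of this helps unless the LDAP connection itself authenticates the server (TLS or Kerberos); this script only covers what happens after the data arrives.

```python
"""Build a known_hosts map from LDAP host entries exported as LDIF.

Added example; assumes an openssh-lpk style schema (ldapPublicKey /
sshPublicKey).  The LDIF and the keys below are constructed sample data.
"""
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_key_line(key_type: str, raw_key: bytes) -> str:
    """Encode a raw public key as a one-line OpenSSH key (used only to build the sample)."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()}"


# Constructed sample keys: one consistent, one whose declared type does not
# match the type string inside the blob (simulates a corrupted directory value).
GOOD_KEY = make_key_line("ssh-ed25519", bytes(range(32)))
BAD_KEY = "ssh-rsa " + GOOD_KEY.split()[1]

SAMPLE_LDIF = f"""dn: cn=alpha.example.org,ou=hosts,dc=example,dc=org
objectClass: device
objectClass: ldapPublicKey
cn: alpha.example.org
sshPublicKey: {GOOD_KEY}

dn: cn=beta.example.org,ou=hosts,dc=example,dc=org
objectClass: device
objectClass: ldapPublicKey
cn: beta.example.org
sshPublicKey: {BAD_KEY}
"""


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines.
    Does not handle folded lines or '::' base64 values; enough for this sample."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def decode_key(line: str) -> tuple:
    """Validate an OpenSSH public key line; return (type, blob) or raise ValueError.
    The declared type must equal the type string embedded in the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode(errors="replace") != key_type:
        raise ValueError(f"type mismatch: {key_type} vs blob")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob (base64, no padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_known_hosts(ldif_text: str) -> tuple:
    """Return (lines, rejected): known_hosts lines for valid keys, and
    (host, reason) pairs for directory values that failed validation."""
    lines, rejected = [], []
    for entry in parse_ldif(ldif_text):
        if "ldapPublicKey" not in entry.get("objectClass", []):
            continue
        host = entry["cn"][0]
        for key_line in entry.get("sshPublicKey", []):
            try:
                key_type, blob = decode_key(key_line)
            except ValueError as exc:
                rejected.append((host, str(exc)))
                continue
            lines.append(f"{host} {key_type} {base64.b64encode(blob).decode()}")
    return lines, rejected


if __name__ == "__main__":
    ok, bad = build_known_hosts(SAMPLE_LDIF)
    for line in ok:
        print(line, fingerprint(decode_key(line.split(" ", 1)[1])[1]))
    for host, why in bad:
        print(f"rejected {host}: {why}")
```

Writing the result to a file that sshd or ssh consults (a system-wide known_hosts, for instance) is left to the caller; the point of keeping the rejected list is that a bad directory value shows up in a log rather than silently dropping a host from the map.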