Public storage for public keys

Simon Wilkinson sxw at dcs.ed.ac.uk
Tue Jan 15 10:34:16 EST 2002


On Monday 14 January 2002 22:10, Ed Phillips wrote:
> That would be nice... ssh could query the LDAP directory to decide if sshd
> on the server side is who it claims to be, instead of looking in
> ~/.ssh/known_hosts. 

At present we just build a known_hosts file out of the LDAP map at regular 
intervals. It would be nice to have an interface for the ssh client to query 
this directly (perhaps via a helper program, similar to LPRng's filterfile 
function?)

> Very nice... especially for sites where there are many server keys that
> ssh must verify.
>
> What attribute do you use in your code for storing host public keys in the
> LDAP directory? 

I'm in the process of writing a draft that details what we're doing here. 
Basically we use the 'sshKey' attribute, with an OID out of our enterprise 
space. This attribute contains the public key in the format of the known 
hosts file.

> What class(es) do you use for the "known_hosts" entries
> that hold these attribute values?  

I've defined a supplemental class which we use with the RFC2306 ipHost class.
It's possible that other definitions which don't require organizations to 
have a 2306 based directory structure would be possible (and better!)

> Are these custom-defined
> attributes/classes or has someone already done this and put it in an RFC?

Currently custom defined, although documenting it all is very high up my 
list! I've been asked by a number of people to write all of this up as an 
Internet-Draft, which I'm doing currently.

> I was thinking about the possibility of putting public keys for users into
> an LDAP directory so that users would be able to use RSA authentication
> to login to a server... but instead of sshd using ~/.ssh/authorized_keys
> on the server side, it would fetch the user's public key from the
> directory.  Have you tried implementing anything like this?

No. We're using Kerberos for our secure authentication - using LDAP as a 
means of distributing keys was devised as a means of supporting our legacy 
systems.

Cheers,

Simon.
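An added example of the "build a known_hosts file out of the LDAP map" step Simon describes above. It is not code from the thread or from his site, and the schema it assumes is a guess at what he outlines: RFC 2307 ipHost entries (cn, ipHostNumber) carrying a site-defined sshKey attribute whose value is the key as it would be written in known_hosts. It reads an LDIF dump, since that is what a periodic ldapsearch would hand a cron job, and refuses any value that would change how ssh parses the resulting line. That check matters because whoever can write sshKey in the directory decides which host keys every client trusts, so the directory's write ACLs and the transport the dump is fetched over are as much a part of the design as the script.

```python
"""Build an OpenSSH known_hosts file from LDAP host entries dumped as LDIF.

Added example, not code from the thread or from the site it describes. Assumed
(hypothetical) schema: host entries are ipHost objects with 'cn' and
'ipHostNumber', plus a site-defined 'sshKey' attribute holding the key as it
would appear in known_hosts ("ssh-rsa AAAA... comment"). SAMPLE_LDIF below is
constructed data with dummy key material.
"""
import base64
import re
import sys

SAMPLE_LDIF = """\
dn: cn=alpha,ou=hosts,dc=example,dc=org
objectClass: ipHost
cn: alpha
cn: alpha.example.org
ipHostNumber: 192.0.2.10
sshKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleKeyMaterialAlpha== alpha host key

dn: cn=beta,ou=hosts,dc=example,dc=org
objectClass: ipHost
cn: beta
ipHostNumber: 192.0.2.11

dn: cn=gamma,ou=hosts,dc=example,dc=org
objectClass: ipHost
cn: gamma
cn: gamma.example.org
ipHostNumber: 192.0.2.12
sshKey:: c3NoLWRzcyBBQUFBQjNOemFDMWtjM009IGdhbW1h

# constructed hostile entry: a '*' in the host field would make ssh accept this key for every host
dn: cn=delta,ou=hosts,dc=example,dc=org
objectClass: ipHost
cn: delta,*
ipHostNumber: 192.0.2.13
sshKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleKeyMaterialDelta== delta
"""

# Shape check only (key type, base64 body, optional comment); it does not verify the key.
KEY_RE = re.compile(r"^(ssh-rsa|ssh-dss) ([A-Za-z0-9+/]+={0,2})( [^\r\n]*)?$")
# Host fields may not contain whitespace, ',', '*', '?', '@' or '|': those change how
# ssh parses the line (field splitting, wildcard patterns, @cert-authority/@revoked markers).
HOST_RE = re.compile(r"^[A-Za-z0-9.:_-]+$")


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, ' ' continuation lines
    unfolded, 'attr:: value' base64-decoded. Returns [{attr_lowercase: [values]}]."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:            # the trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def known_hosts_lines(entries):
    """Return (lines, rejected): one known_hosts line per sshKey value of each ipHost
    entry, and (dn, reason) pairs for entries dropped because a value is unsafe."""
    lines, rejected = [], []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        classes = [c.lower() for c in e.get("objectclass", [])]
        keys = e.get("sshkey", [])
        if "iphost" not in classes or not keys:
            continue                          # not a host, or a host with no key to publish
        hosts = e.get("cn", []) + e.get("iphostnumber", [])
        bad = [h for h in hosts if not HOST_RE.match(h)]
        bad += [k for k in keys if not KEY_RE.match(k)]
        if bad:
            rejected.append((dn, "unsafe value(s) %r" % bad))
            continue
        for k in keys:
            lines.append("%s %s" % (",".join(hosts), k))
    return lines, rejected


def build_known_hosts(ldif_text):
    """known_hosts content for the accepted entries; rejected entries go to stderr."""
    lines, rejected = known_hosts_lines(parse_ldif(ldif_text))
    for dn, reason in rejected:
        sys.stderr.write("skipped %s: %s\n" % (dn, reason))
    return "".join(l + "\n" for l in lines)


if __name__ == "__main__":
    sys.stdout.write(build_known_hosts(SAMPLE_LDIF))
```

Run it over the output of ldapsearch -LLL (the example embeds a constructed dump instead) and install the result as the system-wide known_hosts. Entries with no sshKey are skipped, and entries with unsafe values are reported and dropped rather than aborting the run, so a single bad record cannot stop host key distribution for every other machine.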



More information about the openssh-unix-dev mailing list