Request for LPK patch to be merged

Chris Wilson chris at qwirx.com
Mon Nov 26 03:12:48 EST 2007


Hi all,

At my organisation we have an LDAP infrastructure built on OpenLDAP, 
between Unix boxes running OpenSSH at multiple sites. It works well but 
the SSH key management is something of an inconvenience, especially as we 
would like to implement SSO with ssh-agent and passphrased keys.

There is an OpenSSH patch called LPK which can allow the authorized_keys 
to be stored in LDAP, and that would be really useful in our environment. 
However we don't really want to maintain our own packages, and our default 
distro doesn't want to supply packages with the LPK patch as long as it's 
not supported upstream.

So I'd like to request that you consider the LPK patch for merging into 
OpenSSH. You can find it here:

  http://dev.inversepath.com/trac/openssh-lpk

Here is the description of what specifically we are trying to achieve:

  http://dev.inversepath.com/openssh-lpk/ldap_fosdem_2006.pdf

In particular: "The final goal is cross-platform authentication, being 
able to manage users globally on the LDAP server, without performing any 
action on the server pool (scalability for add/revoke a user to N servers 
scenarios)"

And here is another page giving another good reason for using LPK:

  http://blog.fupps.com/2006/03/02/ssh-public-keys-from-ldap/

"What happens when you have dozens or more [machines]? You have to 
maintain your public keys on all those systems, ensuring they are kept up 
to date. God forbid that you lose your private key, or that it becomes 
compromised: you'd have to quickly change all the authorized_keys files on 
all machines!"

I'm not the developer of the patch, but if there are specific issues that 
need to be addressed then I'd be happy to coordinate with the maintainer 
and/or lend a hand to see them addressed.

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
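The lookup the request is about, keys for a user fetched from the directory and handed to sshd, is sketched below as an added example. It is not code from the LPK patch, from OpenSSH, or from the mail above. It assumes the attribute name sshPublicKey and the objectClass ldapPublicKey from the openssh-lpk schema, a hypothetical directory host ldap.example.org, and a constructed LDIF sample standing in for a live ldapsearch, so it runs offline. The part worth seeing is the handling of two things a live query produces: ldapsearch folds long values across lines, so a key must be unfolded before it is usable, and any attribute value that does not look like a public key line is dropped rather than passed to sshd.

```shell
#!/bin/sh
# Added example, not code from the LPK patch or from the mail above.
# Turns the sshPublicKey values of an LDAP entry (LPK schema, assumed
# here) into authorized_keys lines: LDIF is unfolded and each value is
# checked before it is emitted.

# Constructed sample of what `ldapsearch -LLL` prints for one user. The
# second key is folded the way ldapsearch folds long values (the
# continuation line starts with a single space). The third value is
# deliberately malformed.
SAMPLE_LDIF='dn: uid=chris,ou=People,dc=example,dc=org
uid: chris
objectClass: ldapPublicKey
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJhc2U2NG9mYW5lZDI1NTE5cHVibGlja2V5 chris@laptop
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5fakeKeyMaterialFold
 edAcrossTwoLinesByLdif chris@desktop
sshPublicKey: not a key at all
description: user with two valid keys
'

# ldif_attr ATTR: read LDIF on stdin, join folded continuation lines, and
# print every value of ATTR, one per line. Values ldapsearch base64-encodes
# (written as "ATTR:: ...") are not handled; SSH keys are plain ASCII, so
# they arrive in the plain "ATTR: value" form.
ldif_attr() {
    awk -v attr="$1" '
        function emit(line,    n) {
            n = length(attr) + 2
            if (substr(line, 1, n) == attr ": ") print substr(line, n + 1)
        }
        /^ / { buf = buf substr($0, 2); next }   # continuation line
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }
    '
}

# authorized_keys_from_ldif: read LDIF on stdin and print only values that
# look like a public key line (known key type, base64 key blob). Anything
# else is reported on stderr and dropped, so a stray attribute value can
# never become an authorized key.
authorized_keys_from_ldif() {
    ldif_attr sshPublicKey | awk '
        $1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/ &&
        $2 ~ /^[A-Za-z0-9+\/=]+$/ { print; next }
        { print "ignoring malformed sshPublicKey value: " $0 > "/dev/stderr" }
    '
}

# Helpers over the constructed sample, so the result can be checked.
sample_keys() { printf '%s' "$SAMPLE_LDIF" | authorized_keys_from_ldif 2>/dev/null; }
sample_key_count() { sample_keys | awk 'END { print NR }'; }

# In production the LDIF would come from the directory instead, e.g.
# (ldap.example.org and the base DN are assumptions):
#   ldapsearch -x -LLL -H ldap://ldap.example.org -b ou=People,dc=example,dc=org \
#       "(&(objectClass=ldapPublicKey)(uid=$1))" sshPublicKey | authorized_keys_from_ldif
sample_keys
```

Run as-is it prints the two valid keys from the sample and reports the malformed value on stderr. The LPK patch does this lookup inside sshd; a script like this is instead the shape of an external hook, which OpenSSH later made possible without patching through the AuthorizedKeysCommand option (added in 6.2). Either way the security-relevant property is the same: the directory, not a file on each host, decides which keys are accepted, and a revocation in LDAP takes effect on every server at the next login.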

