<div>do you mean you store the path to the authorized_keys file in ldap? Or the actual list of public keys?</div>
<div><br> </div>
<div><span class="gmail_quote">On 16/09/2008, <b class="gmail_sendername">Neel Upadhyaya</b> <<a href="mailto:bahulneel@gmail.com">bahulneel@gmail.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div dir="ltr">You can offload this to ldap. We do that here.<br><br>
<div class="gmail_quote"><span class="q">2008/9/16 Mark Stewart <span dir="ltr"><<a href="mailto:markwstewart@gmail.com" target="_blank">markwstewart@gmail.com</a>></span><br>
</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">good point. I want to avoid a PKI style roll out - I'm looking at
<div><span class="e" id="q_11c6c27027a03c63_3"><br>ways of locking/changing location of the authorized_key file.<br>
<div>
<div></div>
<div><br>On 16/09/2008, Yvan Seth <<a href="http://watford.lug.org.uk/" target="_blank">watford.lug.org.uk</a>@<a href="http://malignity.net/" target="_blank">malignity.net</a>> wrote:<br>
> On Tue, Sep 16, 2008 at 03:29:54PM +0100, Mark Stewart wrote:<br>>> Hi Magnus, thanks for your input. I think that what Yvan said is true<br>>> and that it will come down to policy even if I distributed the keys<br>
>> myself as users can update their own authorized_keys file in their<br>>> .ssh folder. I guess if I get time I could police by locking down the<br>>> authorized_keys file so users can't update it but will involve some<br>
>> testing.<br>>><br>>> I could also check the authorized key file to ensure it only has keys<br>>> generated by me inside it. mmmm, I need to go and do some testing.<br>><br>> Alas, Magnus's suggestion doesn't quite work. You can distribute<br>
> pre-passphrased keys but then your users (who obviously must know the<br>> passphrase) can "unwrap" the key to an unprotected version (see the<br>> ssh-keygen manpage.) Assuming you have mischievous users.<br>
><br>> There is another completely different option... use an external key<br>> dongle of some kind. See the -I option for the command-line SSH client.<br>> I've never seen this in action and have no idea what the caveats are.<br>
> Top Google links for "ssh smartcard":<br>> <a href="http://smartcard-auth.de/ssh-en.html" target="_blank">http://smartcard-auth.de/ssh-en.html</a><br>
> <a href="http://www.faqs.org/docs/Linux-HOWTO/Smart-Card-HOWTO.html" target="_blank">http://www.faqs.org/docs/Linux-HOWTO/Smart-Card-HOWTO.html</a><br>> (Question for further research: what's to stop someone from simply<br>
> dumping the key data from the "smart" card?)<br>><br>> -Yvan<br>><br>> _______________________________________________<br>> Watford mailing list<br>> <a href="mailto:Watford@mailman.lug.org.uk" target="_blank">Watford@mailman.lug.org.uk</a><br>
> <a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>><br><br>
</div></div></span></div></blockquote></div><br><br clear="all"><span class="q"><br>-- <br>MCSE is to computers as McDonalds Certified Chef is to fine cuisine.<br></span></div><br>
<br></blockquote></div><br>
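<div>The check Mark says he wants to run (each user's authorized_keys holds only keys he issued) as an added shell example; this is not code from the thread or from any of its participants. It assumes an admin-maintained allowlist file in the same "type base64 [comment]" format as authorized_keys (my assumption, not something the thread specifies), treats the type plus base64 fields as the identity of a key so that options and comments do not affect the comparison, and the key values in the demo are constructed placeholders, not real keys.</div>

```sh
#!/bin/sh
# Added example: audit an authorized_keys file against an admin allowlist.
# Assumption (mine): the allowlist uses the same line format as authorized_keys.

# key_material FILE
# Print "type base64" for every key line in FILE, skipping comment and blank
# lines and any leading option string such as from="...",no-pty.
key_material() {
    awk '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^[[:space:]]*#/ { next }           # skip comment lines
        NF == 0 { next }                    # skip blank lines
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/ && i < NF) {
                    print $i, $(i + 1)      # the key material proper, options/comment dropped
                    break
                }
        }' "$1"
}

# unapproved_keys ALLOWLIST AUTHORIZED_KEYS
# Print the key material of every key in AUTHORIZED_KEYS that is not in
# ALLOWLIST. Empty output means the file contains only admin-issued keys.
unapproved_keys() {
    _allow=$(mktemp) || return 2
    key_material "$1" | sort -u > "$_allow"
    key_material "$2" | sort -u | awk -v allow="$_allow" '
        BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
        !($0 in ok)                         # print every key absent from the allowlist
    '
    rm -f "$_allow"
}

# demo
# Build a constructed allowlist and authorized_keys pair in a scratch directory
# (sample data made up for this example, not real keys), run the audit, clean up.
demo() {
    _d=$(mktemp -d) || return 2
    cat > "$_d/approved_keys" <<'EOF'
# keys issued by the admin (constructed sample values)
ssh-rsa AAAAexampleAdminKeyOne admin-issued-2008-09
ssh-rsa AAAAexampleAdminKeyTwo admin-issued-2008-09
EOF
    cat > "$_d/authorized_keys" <<'EOF'
from="10.0.0.0/8",no-pty ssh-rsa AAAAexampleAdminKeyOne admin-issued-2008-09

# a key the user added on their own
ssh-ed25519 AAAAexampleRogueKey user@laptop
EOF
    unapproved_keys "$_d/approved_keys" "$_d/authorized_keys"
    rm -rf "$_d"
}

# Usage against a real account (paths are illustrative):
#   unapproved_keys /etc/ssh/approved_keys /home/alice/.ssh/authorized_keys
# Running `demo` prints the one rogue key: ssh-ed25519 AAAAexampleRogueKey
```

<div>For the "changing location" idea in the thread, sshd's AuthorizedKeysFile directive (for example <code>AuthorizedKeysFile /etc/ssh/authorized_keys/%u</code>) moves the lookup into a root-owned directory the user cannot write to, so this audit becomes a one-time check at provisioning rather than an ongoing one. The LDAP offload Neel mentions is what newer OpenSSH releases (6.2 onward) support natively through AuthorizedKeysCommand, which hands the key lookup to an external program.</div>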