[nycbug-talk] FreeIPA
Pete Wright
pete at nomadlogic.org
Thu May 19 14:13:34 EDT 2011
On Thu, May 19, 2011 at 02:03:43PM -0400, Edward Capriolo wrote:
> The last time I was looking at this stuff.. wink wink.. . I found myself
> pretty confused as to what (if any?) software worked with IPA. I mean it is
> Kerberos so I am guessing you can secure telnet and all the other mostly
> useless protocol Kerberos was designed to protect. I guess you can secure
> web browsing with kerberos tickets, but again, is that really common?
>
> I ended up with the ssh-public keys in LDAP.
> http://code.google.com/p/openssh-lpk/. The reason I chose this was
> 1) I know LDAP
> 2) People were comfortable with SSH-KEYS
>
> I still like it as a system actually. As to the IPA stuff, I could not
> figure out IF/HOW I could make it work with SSH, and the software stack
> needing its own DNS server to control was a detraction.
>
Hrm, I've used kerb-auth with ssh and I *know* that works...
(sshd.conf)
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
My understanding of the role of OpenIPA is to centralize the
management and auditing of ID management and authentication for
heterogeneous environments.
Regarding the DNS requirements - that actually sorta makes sense, esp. if
you need to support an AD forest and are using BIND for name services.
-pete
--
Pete Wright
pete at nomadlogic.org
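Added example, not part of the thread or of any poster's setup: a small audit script that parses an sshd_config and reports the effective Kerberos/GSSAPI settings, using OpenSSH's first-occurrence-wins rule for repeated keywords and stopping at the first Match block. The sample config is constructed from the four Kerberos lines quoted above; the defaults in KERBEROS_KEYWORDS are the ones documented in sshd_config(5). The two findings it raises are the ones a reviewer usually asks about when a host is joined to a Kerberos realm: KerberosOrLocalPasswd keeps the local password database reachable after a Kerberos failure, and without GSSAPIAuthentication a client holding a ticket is still prompted for a password instead of using it.

```python
"""Audit the Kerberos-related settings of an OpenSSH sshd_config.

Added example (not from the nycbug-talk thread). Defaults follow
sshd_config(5); the sample configs below are constructed for the demo.
"""
import re

# Kerberos/GSSAPI keywords and their documented defaults (sshd_config(5)).
KERBEROS_KEYWORDS = {
    "kerberosauthentication": "no",
    "kerberosorlocalpasswd": "yes",
    "kerberosticketcleanup": "yes",
    "kerberosgetafstoken": "no",
    "gssapiauthentication": "no",
    "gssapicleanupcredentials": "yes",
}

# Constructed from the config lines quoted in the thread.
SAMPLE_CONFIG = """\
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
"""

# Constructed variant with the two usual follow-ups applied.
HARDENED_CONFIG = """\
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section.

    sshd uses the first occurrence of each keyword, so later duplicates
    are ignored.  Parsing stops at the first Match block because settings
    inside it apply only conditionally.  Keywords are case-insensitive
    and may be separated from their value by whitespace or '='.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_kerberos(text):
    """Return (effective_settings, findings) for the Kerberos keywords."""
    cfg = parse_sshd_config(text)
    settings = {k: cfg.get(k, default).lower()
                for k, default in KERBEROS_KEYWORDS.items()}
    # KerberosAuthentication only matters when password auth is on;
    # PasswordAuthentication defaults to yes in sshd_config(5).
    password_auth = cfg.get("passwordauthentication", "yes").lower()
    findings = []
    if settings["kerberosauthentication"] == "yes":
        if password_auth != "yes":
            findings.append("KerberosAuthentication yes has no effect: "
                            "PasswordAuthentication is not enabled")
        if settings["kerberosorlocalpasswd"] == "yes":
            findings.append("KerberosOrLocalPasswd yes: a failed Kerberos "
                            "password check falls back to the local password "
                            "database, so local passwords stay in scope")
        if settings["gssapiauthentication"] != "yes":
            findings.append("GSSAPIAuthentication not enabled: clients holding "
                            "a TGT are still prompted for a password instead "
                            "of authenticating with their ticket")
    return settings, findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        settings, findings = audit_kerberos(conf)
        print(f"[{name}] effective:", settings)
        for f in findings:
            print(f"[{name}] finding:", f)
```

Run it against a real /etc/ssh/sshd_config by reading the file into audit_kerberos(); the parser is deliberately limited to the global section, so settings placed under a Match block need a separate pass.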