[nycbug-talk] FreeIPA

Pete Wright pete at nomadlogic.org
Thu May 19 14:13:34 EDT 2011


On Thu, May 19, 2011 at 02:03:43PM -0400, Edward Capriolo wrote:
> The last time I was looking at this stuff.. wink wink.. . I found myself
> pretty confused as to what (if any?) software worked with IPA. I mean it is
> Kerberos so I am guessing you can secure telnet and all the other mostly
> useless protocols Kerberos was designed to protect. I guess you can secure
> web browsing with kerberos tickets, but again, is that really common?
> 
> I ended up with the ssh-public keys in LDAP.
> http://code.google.com/p/openssh-lpk/. The reason I chose this was
> 1) I know LDAP
> 2) People were comfortable with SSH-KEYS
> 
> I still like it as a system actually. As to the IPA stuff, I could not
> figure out IF/HOW I could make it work with SSH, and the software stack
> needing its own DNS server to control was a detraction.
> 

hrm, I've used kerb-auth with ssh and I *know* that works...

(sshd.conf)
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no


My understanding of the role of OpenIPA is to centralize the
management and auditing of ID management and authentication for
heterogeneous environments.

Regarding the DNS requirements - that actually sorta makes sense, esp. if
you need to support an AD forest and are using BIND for name services.


-pete

-- 
Pete Wright
pete at nomadlogic.org
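The sshd.conf block above only helps if those lines are the ones sshd actually applies, so here is an added example (mine, not Pete's and not part of OpenSSH) that reads the Kerberos keywords out of an sshd_config the way sshd does: first value wins, commented lines set nothing, and only the global section before any Match block counts. The config text is a constructed sample built from the block in the mail, and the defaults are the ones documented in sshd_config(5).

```python
"""Audit the Kerberos keywords in an sshd_config the way sshd reads them."""

# Built-in defaults from sshd_config(5) for the options shown in the mail.
KERBEROS_DEFAULTS = {
    "kerberosauthentication": "no",
    "kerberosorlocalpasswd": "yes",
    "kerberosticketcleanup": "yes",
    "kerberosgetafstoken": "no",
}

# Constructed sample: the block from the mail, plus a later duplicate and a
# Match block, both of which sshd ignores for the global setting.
SAMPLE_SSHD_CONFIG = """\
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
KerberosTicketCleanup no
Match User backup
    KerberosAuthentication no
"""

def effective_kerberos_options(config_text):
    """Return {keyword: (value, origin)} with origin 'config' or 'default'.
    Per sshd_config(5): keywords are case-insensitive, '#' starts a comment,
    the first value obtained for a keyword wins, and everything after a Match
    keyword is conditional rather than global."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: sets nothing
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key val' or 'Key=val'
        key = parts[0].lower()
        if key == "match":
            break  # end of the global section
        if key in KERBEROS_DEFAULTS and key not in found and len(parts) == 2:
            found[key] = parts[1].strip().lower()
    return {k: (found[k], "config") if k in found else (d, "default")
            for k, d in KERBEROS_DEFAULTS.items()}

def local_password_fallback(options):
    """True when a failed Kerberos password is retried against local mechanisms
    such as /etc/passwd: KerberosAuthentication yes with KerberosOrLocalPasswd yes."""
    return (options["kerberosauthentication"][0] == "yes"
            and options["kerberosorlocalpasswd"][0] == "yes")
```

On the sample, KerberosGetAFSToken reports its default because the only line naming it is commented out, and KerberosTicketCleanup stays "yes" because the first value wins.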
