[nycbug-talk] FreeIPA

Pete Wright pete at nomadlogic.org
Thu May 19 14:13:34 EDT 2011

On Thu, May 19, 2011 at 02:03:43PM -0400, Edward Capriolo wrote:
> The last time I was looking at this stuff... wink wink... I found myself
> pretty confused as to what (if any?) software worked with IPA. I mean it is
> Kerberos so I am guessing you can secure telnet and all the other mostly
> useless protocols Kerberos was designed to protect. I guess you can secure
> web browsing with kerberos tickets, but again, is that really common?
> I ended up with the ssh-public keys in LDAP.
> http://code.google.com/p/openssh-lpk/. The reason I chose this was
> 1) I know LDAP
> 2) People were comfortable with SSH-KEYS
> I still like it as a system actually. As to the IPA stuff, I could not
> figure out IF/HOW I could make it work with SSH, and the software stack
> needing its own DNS server to control was a detraction.

hrm, i've used kerb-auth with ssh and i *know* that works...

# Kerberos options (sshd_config excerpt)
# Validate passwords given during password authentication against the KDC
KerberosAuthentication yes
# Fall back to local password checks if the KDC rejects the password
KerberosOrLocalPasswd yes
# Remove the user's ticket cache automatically on logout
KerberosTicketCleanup yes
#KerberosGetAFSToken no

my understanding of the role of OpenIPA is to centralize the
management and auditing of ID management and authentication for
heterogeneous environments.

regarding the DNS requirements - that actually sorta makes sense, esp if
you need to support an AD forest and are using BIND for name services.


Pete Wright
pete at nomadlogic.org
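The sshd_config lines above are only part of the story: sshd uses the first value it sees for a keyword (later duplicates are silently ignored), commented-out lines count for nothing, and KerberosAuthentication on its own only makes sshd check a typed password against the KDC, while ticket-based single sign-on over SSH goes through the GSSAPIAuthentication directive. The following shell script is an added example, not code from the original post or from the FreeIPA project: it reads a constructed sample sshd_config embedded inline (not any real host's file) and reports the value sshd would actually use for each Kerberos-related directive under those parsing rules, so an administrator can confirm what a server is really configured to do before debugging a failed Kerberos login. Function names and the sample file are assumptions for this example; Match blocks are not modelled.

```shell
#!/bin/sh
# Constructed sample sshd_config for this example (not a real host's file).
# It deliberately contains a commented-out directive, a mixed-case keyword
# and a duplicate directive to exercise sshd's parsing rules.
SAMPLE_CONFIG="$(mktemp)"
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# Kerberos options
#KerberosAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
kerberosauthentication no
GSSAPIAuthentication yes
PasswordAuthentication yes
EOF

# Print the value sshd will use for KEYWORD in CONFIG_FILE.
# sshd_config semantics: lines starting with '#' and blank lines are ignored,
# keywords are case-insensitive, and the FIRST occurrence wins (later
# duplicates are ignored, the opposite of many other config formats).
# Prints "unset" when the keyword never appears, meaning the compiled-in
# default applies (for both KerberosAuthentication and GSSAPIAuthentication
# that default is "no").
effective_sshd_option() {
    keyword=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    config="$2"
    awk -v want="$keyword" '
        /^[[:space:]]*#/ { next }     # comment line
        NF == 0          { next }     # blank line
        {
            if (tolower($1) == want) { print $2; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$config"
}

# Print a table of the Kerberos-related directives and their effective values.
kerberos_sso_summary() {
    config="$1"
    for directive in KerberosAuthentication KerberosOrLocalPasswd \
                     KerberosTicketCleanup KerberosGetAFSToken \
                     GSSAPIAuthentication; do
        printf '%-24s %s\n' "$directive" \
            "$(effective_sshd_option "$directive" "$config")"
    done
}

# Succeed (exit 0) only when ticket-based SSO is actually possible on this
# sshd, i.e. GSSAPIAuthentication resolves to "yes". KerberosAuthentication
# alone does not give you ticket logins.
gssapi_sso_enabled() {
    [ "$(effective_sshd_option GSSAPIAuthentication "$1")" = "yes" ]
}

kerberos_sso_summary "$SAMPLE_CONFIG"
if gssapi_sso_enabled "$SAMPLE_CONFIG"; then
    echo "GSSAPI (ticket) logins: enabled"
else
    echo "GSSAPI (ticket) logins: disabled"
fi
```

Pointing the functions at /etc/ssh/sshd_config (or at the output of `sshd -T`, which already resolves defaults and duplicates) gives the same report for a real server; the point of the first-match rule is that a stray `KerberosAuthentication no` left near the top of the file quietly overrides a `yes` added further down.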
