[nycbug-talk] FreeIPA

Edward Capriolo edlinuxguru at gmail.com
Thu May 19 14:57:31 EDT 2011


I was under the impression that the Kerberos +SSH setup you describe above
requires a kerberos capable SSH Client. Is that correct? If so do all SSH
tools like putty support this? That was the problem I was getting at, that
in the environment I was in I was not able to control the SSH client, or the
web browser in use, so even though technically SSH and HTTP support this.
You can not count on a tool like putty, or someone favourite FTP client to
have Kerberos.


On Thu, May 19, 2011 at 2:13 PM, Pete Wright <pete at nomadlogic.org> wrote:

> On Thu, May 19, 2011 at 02:03:43PM -0400, Edward Capriolo wrote:
> > The last time I was looking at this stuff.. wink wink.. . I found myself
> > pretty confused as to what (if any?) software worked with IPA. I mean it
> is
> > Kerberos so I am guessing you can secure telnet and all the other mostly
> > useless protocol Kerberos was designed to protect. I guess you can secure
> > web browsing with kerberos tickets, but again, is that really common?
> >
> > I ended up with the ssh-public keys in LDAP.
> > http://code.google.com/p/openssh-lpk/. The reason I chose this was
> > 1) I know LDAP
> > 2) People were comfortable with SSH-KEYS
> >
> > I still like it as a system actually. As to the IPA stuff, i could not
> > figure out IF/HOW I could make it work with SSH, and the software stack
> > needing it's own DNS server to control was a detraction.
> >
> hrm, i've used kerb-auth with ssh and i *know* that works...
> (sshd.conf)
> # Kerberos options
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> my understanding of the role of OpenIPA is to centralize the
> management and auditing of ID management and authentication for
> heterogeneous environments.
> regarding the DNS requirements - that actually sorta makes sense, esp if
> you need to support an AD forest and are using BIND for name services.
> -pete
> --
> Pete Wright
> pete at nomadlogic.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nycbug.org/pipermail/talk/attachments/20110519/439c1f65/attachment.html>

More information about the talk mailing list