Score:0

Putting .k5login credentials in ldap with freeipa


On the systems I administer, in addition to human user accounts, we have a number of accounts associated with roles, software and specific data.

By using a .k5login file in home directories, it is possible to use ssh to connect to a different machine as a different user. With freeipa it is possible to add sudo rules so that members of a specific group can change to a particular role account. But I'd like to enable the same functionality directly with ssh. This is more convenient in many cases, especially where things like X forwarding are concerned. Is it possible to have the data that is otherwise in .k5login files stored directly in LDAP via freeipa?

I'd also be open to other possible solutions such as composing the SSH authorized_keys (which does appear to be in LDAP) from the public keys of users that are permitted access.

Score:1

It is not implemented anywhere, thus not available. However, I'd recommend against using this approach. Aside from convenience you would be losing audit of the actions performed. Going with sudo rules would still allow you to keep access to X forwarding anyway (it is pretty much a socket access to something advertised through an environmental variable). What you get, however, is a set of audited events for such access.

With SSSD in Fedora 35+ or RHEL 8.5+, you also get the pam_sss_gss.so PAM module that allows you to authenticate to PAM services with Kerberos tickets you already have, so this might make it work well in the case where you have no passwords but use PKINIT (smartcards) instead.

In short, while implementing group-based SSH keys access might be tempting, keeping audit of login and role transition events available is more important, in my opinion.

Score:0

I am not aware of any way to share .k5login using ldap.

It is, however, possible to derive authorized_keys-like functionality using ldap. If you are using sssd, have a look at the sss_ssh_authorizedkeys command (sssd-common package on AlmaLinux 8.5) and the AuthorizedKeysCommand sshd_config option.

For plain ldap functionality have a look at ssh-ldap-helper program. It is a part of openssh-ldap package (same distro).

okapi: Thanks, yes, it is possible to add ssh public keys to users in freeipa. The thing I can't find with that is any way to put multiple together so that running sss_ssh_authorizedkeys would return a list generated from users that are members of a group. Having to maintain lists of keys in conjunction with the groups is what I want to avoid.

I don't believe this is currently possible using tools I know. You probably can achieve this by writing your own AuthorizedKeysCommand to provide the list of acceptable ssh keys based on some criteria.
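As an added example (not code from any of the posters), here is what such a custom AuthorizedKeysCommand could look like: it assembles a role account's authorized_keys from the SSH public keys of the members of a FreeIPA group, resolved through SSSD. The role-to-group mapping, the script path and the sample data are assumptions; `getent group` and `sss_ssh_authorizedkeys` are the real lookups it shells out to.

```python
#!/usr/bin/env python3
"""Hypothetical AuthorizedKeysCommand: keys for a role account are the keys
of the members of the group mapped to that role; everyone else gets only
their own keys. sshd_config (assumed path):
    AuthorizedKeysCommand /usr/local/sbin/role_keys %u
    AuthorizedKeysCommandUser sshd-keys   # dedicated unprivileged user
"""
import subprocess
import sys
from typing import Callable, Dict, Iterable, List

# Constructed mapping: role account -> group whose members may log in as it.
# In production read this from a root-owned, non-writable config file.
ROLE_GROUPS: Dict[str, str] = {"webapp": "webapp-admins", "datasvc": "datasvc-ops"}

# Key types we are willing to hand to sshd; anything else is dropped.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


def group_members(group: str) -> List[str]:
    """Resolve membership through NSS (SSSD-backed): `getent group NAME`."""
    out = subprocess.run(["getent", "group", group], capture_output=True,
                         text=True, check=False).stdout
    fields = out.strip().split(":")
    return [m for m in fields[3].split(",") if m] if len(fields) == 4 else []


def user_keys(user: str) -> List[str]:
    """Fetch one user's ipaSshPubKey entries via `sss_ssh_authorizedkeys`."""
    out = subprocess.run(["sss_ssh_authorizedkeys", user], capture_output=True,
                         text=True, check=False).stdout
    return out.splitlines()


def build_authorized_keys(login: str, members: Callable[[str], Iterable[str]],
                          keys: Callable[[str], Iterable[str]]) -> List[str]:
    """Return authorized_keys lines for LOGIN (lookups injected for testing)."""
    owners = sorted(set(members(ROLE_GROUPS[login]))) if login in ROLE_GROUPS else [login]
    lines: List[str] = []
    for owner in owners:
        for line in keys(owner):
            parts = line.split()
            if len(parts) < 2 or parts[0] not in KEY_TYPES:
                continue  # malformed or unexpected line: never pass it to sshd
            # Re-emit as "type blob owner" so the output records whose key it is.
            lines.append(f"{parts[0]} {parts[1]} {owner}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_authorized_keys(sys.argv[1], group_members, user_keys)))
```

Install it root-owned and not writable by group or others (sshd refuses the command otherwise), and note that each emitted key carries its owner's username, which gives back some of the attribution the first answer warns is lost with key-based role logins.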