On the systems I administer, in addition to human user accounts, we have a number of accounts associated with roles, software and specific data.
By using a .k5login file in home directories, it is possible to use ssh to connect to a different machine as a different user. With FreeIPA it is possible to add sudo rules so that members of a specific group can change to a particular role account. But I'd like to enable the same functionality directly with ssh. This is more convenient in many cases, especially where things like X forwarding are concerned. Is it possible to have the data that is otherwise in .k5login files stored directly in LDAP via FreeIPA?
I'd also be open to other possible solutions such as composing the SSH authorized_keys (which does appear to be in LDAP) from the public keys of users that are permitted access.
It is not implemented anywhere, thus not available. However, I'd recommend against using this approach. Aside from convenience you would be losing audit of the actions performed. Going with sudo rules would still allow you to keep access to X forwarding anyway (it is pretty much a socket access to something advertised through an environmental variable). What you get, however, is a set of audited events for such access.
With SSSD in Fedora 35+ or RHEL 8.5+, you also get the pam_sss_gss.so PAM module that allows you to authenticate to PAM services with Kerberos tickets you already have, so this might make it work well in the case where you have no passwords but use PKINIT (smartcards) instead.
In short, while implementing group-based SSH keys access might be tempting, keeping audit of login and role transition events available is more important, in my opinion.
I am not aware of any way to share .k5login using ldap.
It is however possible to derive authorized_keys-like functionality using ldap. If you are using sssd, have a look at the sss_ssh_authorizedkeys command (sssd-common package on AlmaLinux 8.5) and the AuthorizedKeysCommand sshd_config option. For plain ldap functionality have a look at the ssh-ldap-helper program. It is a part of the openssh-ldap package (same distro).
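To make the sss_ssh_authorizedkeys plus AuthorizedKeysCommand route concrete, here is an added example (not code from this thread, FreeIPA or SSSD): a POSIX sh wrapper for AuthorizedKeysCommand that builds a role account's key list from the members of an IPA group. The group naming convention (<role>-ssh), the install path /usr/local/bin/role-keys and the GROUP_LOOKUP/KEY_LOOKUP overrides are assumptions of the example.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand wrapper (an added example, not code
# from the thread). Assumed sshd_config lines:
#   AuthorizedKeysCommand /usr/local/bin/role-keys %u
#   AuthorizedKeysCommandUser nobody
# sshd passes the login name being authenticated (%u). For a role
# account "deploy" the script looks up the assumed IPA group "deploy-ssh"
# and emits the SSH keys of every member as fetched from SSSD, so the
# role account needs no authorized_keys file of its own.

# Lookup commands are overridable so the script can be exercised offline.
GROUP_LOOKUP="${GROUP_LOOKUP:-getent group}"
KEY_LOOKUP="${KEY_LOOKUP:-sss_ssh_authorizedkeys}"

# Print the members of group "<role>-ssh", one per line (nothing if absent).
role_members() {
    $GROUP_LOOKUP "$1-ssh" 2>/dev/null | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Emit the authorized_keys lines for a role account. Each key keeps its
# own comment and gains a "via <user>" note, so an accepted key can still
# be traced back to the person who holds it.
compose_keys() {
    role_members "$1" | while read -r member; do
        $KEY_LOOKUP "$member" 2>/dev/null | while read -r key; do
            if [ -n "$key" ]; then
                printf '%s via %s\n' "$key" "$member"
            fi
        done
    done
}

# Only act when invoked by sshd with a login name as argument.
if [ -n "${1:-}" ]; then
    compose_keys "$1"
fi
```

sshd only accepts an AuthorizedKeysCommand that is an absolute path, root-owned and not group- or world-writable, and it runs it as AuthorizedKeysCommandUser, so that account must be able to query SSSD.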