What would the best solution be for central authentication?
I want to store all of our users centrally and use that for SSH access and other services. I also want our users to be able to authenticate on their machines (mostly macs) using the same authentication server.
Currently we use SSH with public keys, but each user generates their own keys and they add them themselves on our servers. This becomes hard to manage when we get new employees or others leave.
I need passwordless authentication though, as I don't trust users in creating their own passwords.
What other options are there apart from LDAP? All of our servers are running some flavour of Linux.
Thanks
You could use LDAP in this case both to authenticate your Mac boxes against and to centrally store your public keys. Though to get the public key storage you may need to compile your own OpenSSH package depending on the OS / distribution you're on. OpenSSH LPK
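As an added example (not code from the answer above, the OpenSSH project or the LPK patch), this script shows the same idea using stock OpenSSH's `AuthorizedKeysCommand` (available since OpenSSH 6.2) instead of a patched sshd: sshd runs the script with the login name, the script looks the user up in LDAP and prints their `sshPublicKey` values in `authorized_keys` format. It assumes the openssh-lpk schema (`ldapPublicKey` objectClass with the `sshPublicKey` attribute), placeholder LDAP URI and base DN, and a hypothetical install path; the sample LDIF used in the usage note is constructed.

```shell
#!/bin/sh
# ldap-authorized-keys.sh (hypothetical name): AuthorizedKeysCommand that
# fetches a user's SSH public keys from LDAP (openssh-lpk schema).
#
# Wiring in sshd_config (the script must be root-owned and not writable by
# group/other, or sshd refuses to run it):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys.sh %u
#   AuthorizedKeysCommandUser nobody

# Placeholder site settings; override via the environment.
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com}"
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=com}"

# Accept only a conservative POSIX-style username. sshd passes the login name
# as %u, and it is spliced into the LDAP search filter below, so anything
# with filter metacharacters such as ")" or "*" is refused outright.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read LDIF on stdin and print one authorized_keys line per sshPublicKey value.
# Handles LDIF folded lines (continuation lines start with a space) and skips
# base64-encoded values ("sshPublicKey::"), which a key in text form never needs.
ldif_to_keys() {
    awk '
        /^ / { if (collecting) key = key substr($0, 2); next }   # folded line
        collecting { print key; collecting = 0 }                  # value complete
        /^sshPublicKey:: / { next }                               # base64: skipped
        /^sshPublicKey: / { sub(/^sshPublicKey: /, ""); key = $0; collecting = 1 }
        END { if (collecting) print key }
    '
}

# Query LDAP for one user's keys. Whoever can write sshPublicKey on the user's
# entry controls who may log in as that user, so restrict write access to it.
query_keys() {
    user="$1"
    valid_username "$user" || { echo "refusing username: $user" >&2; return 1; }
    # -x simple bind, -LLL plain LDIF without comments, -H server URI, -b base DN.
    # Newer OpenLDAP clients also accept "-o ldif-wrap=no" to avoid folded lines.
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=ldapPublicKey)(uid=$user))" sshPublicKey | ldif_to_keys
}

# When invoked by sshd, the login name is the single argument.
if [ "$#" -eq 1 ]; then
    query_keys "$1"
fi
```

Test it without a directory first: pipe an LDIF entry from `ldapsearch` (or a saved file) into `ldif_to_keys` and confirm the output is what you would have put in `~/.ssh/authorized_keys`; then point `AuthorizedKeysCommand` at the script and check `sshd -T` and the auth log. Because sshd still falls back to the user's own `authorized_keys` file unless `AuthorizedKeysFile none` is set, set that too once the directory is authoritative, so removing a key from LDAP actually revokes access.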
If you implement NFS-shared homes, each user's key only needs to be deployed once. Combine that with standard LDAP and/or Kerberos authentication/authorization, and you have a stable, easy-to-maintain system.
You should consider setting up an SSH gateway box protected by two-factor authentication. Make all the users go through it, but allow them to use keys from there. Use PAM to require 2FA (or passwords, but it sounds like you're security-minded enough to see the benefits of 2FA). Here's a doc that can guide you. Should be helpful no matter which way you go: http://www.howtoforge.net/secure_ssh_with_wikid_two_factor_authentication