LinuxQuestions.org
Old 10-06-2009, 11:48 AM   #1
caveden
LQ Newbie
 
Registered: Oct 2009
Posts: 3

Rep: Reputation: 0
Question pam_ssh searching private key on a LDAP server


Hello everybody,

First of all, sorry if this was not the proper forum to ask this question (I hesitated between this and the "networking" one) or if it has been answered somewhere, but I really couldn't find it.

I'm testing the pam_ssh module in order to have single sign-on behavior in my network, but even that isn't working perfectly: the user logs in with his private key passphrase, but the ssh-agent apparently doesn't load at this moment, since at the first attempt to do an ssh the passphrase is asked again - from this point on, it's not asked anymore during this session.

Couldn't it be loaded at the login to the workstation?

Anyway, what I really would like to do is to make this single sign-on integrated with LDAP. The user, registered on LDAP and maybe with no homedir on the workstation yet (therefore, no private key), would type his LDAP password and the system would not only authenticate him, but also download the private key from the LDAP server and instantiate the ssh-agent so he never has to type his password again during this session - this is important because we would like to have some scripts opening ssh sessions without prompting the user for his password again (and also because single sign-on is quite nice too).

I haven't found any tutorial explaining how I could integrate pam_ssh with ldap. Am I really the first person wanting to do such a thing?

For information, all stations (clients and servers) run Ubuntu 9.04.

Thank you!
 
Old 10-06-2009, 01:37 PM   #2
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
Hi there,

Single Sign On is definitely one of those magnificent holy grail type things that we have a lot of trouble implementing. Conventional wisdom in the Windows world points to Active Directory integration of applications, theoretically including something like ssh. As you probably know, AD implements a Kerberos key distribution center, and it is thought this is the way to go in Linux also. LDAP can be used as a backend to the KDC, though it must be said, there is no current standalone implementation of LDAP and Kerberos that suits what you are looking for.

This article describes an SSO solution for Ubuntu: https://help.ubuntu.com/community/SingleSignOn, but it requires some careful planning to get right!

Last edited by irishbitte; 10-06-2009 at 01:51 PM.
 
Old 10-06-2009, 08:16 PM   #3
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,261

Rep: Reputation: 2028
LDAP and ssh are 2 separate things, and each has its own pam module:
http://linux.die.net/man/8/pam_ssh
http://linux.die.net/man/5/pam_ldap

For a secure centralized login, try LDAP+TLS
http://www.linuxhomenetworking.com/w...DAP_and_RADIUS
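
A check related to the symptom in post #1, added here as an example and not written by any poster in the thread: pam_ssh(8), linked in post #3, describes an authentication component and a separate session component, and it is the session component that invokes ssh-agent and adds the keys decrypted during authentication. The sample PAM file and the function names below are constructed for illustration, and `@include` lines are skipped rather than followed.

```python
import os
import re

# Constructed pam.d-style service file for illustration (not from the thread).
SAMPLE = """\
auth     sufficient  pam_ldap.so
auth     sufficient  pam_ssh.so try_first_pass
auth     required    pam_unix.so use_first_pass
account  sufficient  pam_ldap.so
account  required    pam_unix.so
session  required    pam_unix.so
"""

# type, control (simple keyword or [bracketed] form), module path
LINE = re.compile(r"-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def modules_by_type(text):
    """Map each PAM type to the module basenames stacked under it, in order."""
    stacks = {"auth": [], "account": [], "password": [], "session": []}
    # Join backslash-continued lines before splitting.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE.match(line)
        if m:  # blanks, comments and @include lines are skipped, not followed
            stacks[m.group(1)].append(os.path.basename(m.group(3)))
    return stacks


def check_pam_ssh(text):
    """Return findings about how pam_ssh is wired into the auth/session stacks."""
    stacks = modules_by_type(text)
    in_auth = "pam_ssh.so" in stacks["auth"]
    in_session = "pam_ssh.so" in stacks["session"]
    findings = []
    if in_auth and not in_session:
        findings.append("pam_ssh in auth but not session: no ssh-agent is started at login")
    if in_session and not in_auth:
        findings.append("pam_ssh in session but not auth: agent has no decrypted key to load")
    if not in_auth and not in_session:
        findings.append("pam_ssh not referenced in this file (check @include targets)")
    return findings


if __name__ == "__main__":
    for finding in check_pam_ssh(SAMPLE):
        print(finding)
```

On Debian and Ubuntu systems the service files usually pull in `common-auth` and `common-session` through `@include`, so each of those files has to be passed to the check as well.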
 
  


All times are GMT -5.