[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSH Gateway

To: Vishesh kumar <linuxtovishesh@gmail.com>
Subject: Re: SSH Gateway
From: Philip Guenther <guenther+ldaptech@sendmail.com>
Date: Tue, 7 May 2013 09:35:11 -0700
Cc: Stuart Watson <strtwtsn@gmail.com>, Kwame Bahena <informatux@gmail.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sendmail.com; s=tls.dkim; t=1367944514; bh=5L2AH4zCbPzHdlo51oDN2XKsKAcuBubkh20M8pCm5b4=; h=Date:From:Reply-To:To:cc:Subject:In-Reply-To:Message-ID: References:MIME-Version:Content-Type; b=hr9rXddIlh0maxO9fwYkY2sAjXZV6n1eeysQ42FzBB+cH2kyICR3jZdZO5u1lcnyJ oTmDcH7vJ1JSSpNK3At9GEaHa8YPayVA+7poBfHf4FKOz0qPUHlRlipJvQzMYjjhUO ANLO9GiDQeeJAFdTfB3H64QLKSxJdtjNXvV7oA0U=
In-reply-to: <CAKpaJ1x6H0X4G8J7RgGKe+5pJyBT2qRanFGWRjbJQ_GTckD7Gw@mail.gmail.com>
References: <CAASotFnKHy1CjRdJp5gY=t_wLEhrmajzp96VhzLvwMfT8A7L8Q@mail.gmail.com> <CANtpaPqosAwxoO_pbd+UxvnPuczFc8E5hArONQGrhXE_N0Ff+Q@mail.gmail.com> <CAASotFnRfGp-08phLfd1PC5rz3y7qsouELhrTC-RoUg2Dw2GYw@mail.gmail.com> <CANtpaPqMbVYhrnnSHavH4kU=9bANo4i6xRzPp4S=-D3nVDz65g@mail.gmail.com> <CAKpaJ1x6H0X4G8J7RgGKe+5pJyBT2qRanFGWRjbJQ_GTckD7Gw@mail.gmail.com>
User-agent: Alpine 2.03 (BSO 1266 2009-07-14)

On Tue, 7 May 2013, Vishesh kumar wrote:
> I think here "User Information" will be fetched from ldap. Openssh will 
> use library calls for getting ldap user information same as it do for 
> users in /etc/passwd. Key based authentication will work in normal way 
> but interested to see if key can be stored on ldap server.

[[This is not really OpenLDAP related, so I've set replies to me instead 
of the list.]]

As of OpenSSH 6.2, released on March 22, 2013:

* sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to
   support fetching authorized_keys from a command in addition to (or
   instead of) from the filesystem. The command is run under an account
   specified by an AuthorizedKeysCommandUser sshd_config(5) option.

So, you can configure sshd to run a script which invokes ldapsearch and 
munges the output into the expected format.  No need to hack ldap calls 
directly into sshd.

Philip Guenther

References:
- SSH Gateway
  - From: Stuart Watson <strtwtsn@gmail.com>
- Re: SSH Gateway
  - From: Kwame Bahena <informatux@gmail.com>
- Re: SSH Gateway
  - From: Stuart Watson <strtwtsn@gmail.com>
- Re: SSH Gateway
  - From: Kwame Bahena <informatux@gmail.com>
- Re: SSH Gateway
  - From: Vishesh kumar <linuxtovishesh@gmail.com>

Prev by Date: Re: SSH Gateway
Next by Date: Re: SSH Gateway
Index(es):
- Chronological
- Thread