
Re: attribute for storing SSH RSA host keys

Mike Jackson wrote:
> 
> On 16 Apr 2014, at 19.46, Michael Ströder <michael@stroeder.com> wrote:
> 
>> ML mail wrote:
>>> On my already existing OpenLDAP server I would like to add an attribute in
>>> order to store SSH RSA host keys. Currently there are no such attributes
>>> (for example: sshRSAHostKey) in any standard schemas.
>>>
>>> What would be the best strategy to add this attribute to my OpenLDAP
>>> server? Create a new objectClass? or simply add it to another already
>>> standard objectClass such as the NIS schema?
>>
>> Do you already have LDAP entries representing your hosts/systems? That's really
>> the hard part.
>>
>> If you already have host entries, you can simply add the aux object class
>> 'ldapPublicKey' to these entries and put the various host keys (different
>> algorithms) in the multi-valued attribute 'sshPublicKey'.
> 
> There doesn’t exist any sort of objectClass named ldapPublicKey in any
> standard LDAP objectClasses or in any submitted RFCs.

It's quite usual nowadays to use this when dealing with SSH keys in LDAP entries:

https://code.google.com/p/openssh-lpk/

The schema file:

http://code.google.com/p/openssh-lpk/source/browse/trunk/schemas/openssh-lpk_openldap.schema

> Of course anybody can register an OID with IANA and create their own
> schema, but it would really be best for the OpenBSD project to publish an
> SSH LDAP schema under 1.3.6.1.4.1.30155 .
> Nobody benefits when people who are not authoritative start publishing
> schema and OIDs to blog posts and HOWTOs around the net. What eventually
> ends up happening is that search results turn up multiple schemas assigning
> different OIDs to the same named objectClasses and attributes, people use
> them, and the OID, objectClass, and attribute namespaces all go into
> conflict. There are a lot of people who try to write LDAP schema just to get
> something working, who have absolutely zero idea of what an OID namespace
> means. Here in the LDAP world, we live by the IANA assigned namespace so
> that’s what we need to abide by.

Sorry, after 15 years working with LDAP I still assign OIDs from my own OID
arc - huhuhu - even when writing I-Ds.

> A better strategy would be to model these things with "ObjectClass:
> extensibleObject” in the short term and wait for something official.

Whatever you mean by "official".

But the worst recommendation you can ever give to someone is to use
'extensibleObject' which disables all schema checking for that entry. That
really sucks.

Ciao, Michael.
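As an added illustration (not part of the thread, and not code from the openssh-lpk project), the following Python helper shows the approach Michael describes: keep the host entry under its existing structural class and attach the auxiliary object class 'ldapPublicKey' with one or more 'sshPublicKey' values via an LDIF modify record, rather than falling back to 'extensibleObject'. Each key line is checked before it is written (the base64 blob must decode and its first length-prefixed string must match the key-type word, so truncated or mislabelled keys are rejected instead of silently stored). The host DN and the RSA key material are constructed for the example and are not usable keys.

```python
"""Validate OpenSSH public-key lines and emit an LDIF modify record that
adds the openssh-lpk auxiliary object class 'ldapPublicKey' plus the
multi-valued 'sshPublicKey' attribute to an existing host entry.

Added example, not from the mailing-list thread or the openssh-lpk
project. The DN and the sample key below are constructed."""
from __future__ import annotations

import base64
import struct

# Key types accepted here; the blob's first string must equal the type word.
ACCEPTED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def _ssh_string(data: bytes) -> bytes:
    # RFC 4251 "string": uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    # RFC 4251 "mpint": minimal big-endian bytes, extra leading zero if high bit set
    if value == 0:
        return _ssh_string(b"")
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def make_sample_rsa_key(comment: str) -> str:
    """Constructed sample: a well-formed ssh-rsa line with a toy modulus.
    Demo-only numbers, NOT a real key pair."""
    e, n = 65537, 0xC0FFEE0123456789ABCDEF
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_public_key(line: str) -> tuple[str, str]:
    """Return (keytype, base64_blob) or raise ValueError for a malformed line."""
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = fields[0], fields[1]
    if keytype not in ACCEPTED_TYPES:
        raise ValueError(f"unsupported key type {keytype!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    # The encoded blob names its own algorithm; it must agree with the type word.
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key blob type does not match the type word")
    return keytype, b64


def host_key_ldif(dn: str, key_lines: list[str]) -> str:
    """Build an LDIF changetype:modify record for ldapmodify.

    Adds the AUXILIARY class (schema checking stays on) and every validated
    key as a separate sshPublicKey value. Raises on the first bad key so
    nothing is written for the host in that case."""
    validated = []
    for line in key_lines:
        parse_public_key(line)          # raises ValueError if malformed
        validated.append(line.strip())  # keep the full line including comment
    record = [f"dn: {dn}", "changetype: modify",
              "add: objectClass", "objectClass: ldapPublicKey", "-",
              "add: sshPublicKey"]
    record += [f"sshPublicKey: {v}" for v in validated]
    record.append("-")
    return "\n".join(record) + "\n"


if __name__ == "__main__":
    # Constructed host DN for the demo
    print(host_key_ldif("cn=host1,ou=hosts,dc=example,dc=com",
                        [make_sample_rsa_key("host1.example.com")]))
```

The record is meant for `ldapmodify` against an entry that already exists and does not yet carry 'ldapPublicKey'; adding an objectClass value that is already present is reported by the server as an existing value, so re-runs should use a separate 'add: sshPublicKey' record only. Because 'ldapPublicKey' is auxiliary, the server still validates every other attribute on the entry against its structural class, which is exactly what 'extensibleObject' would switch off.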
