[Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

Stephen Gallagher sgallagh at redhat.com
Wed Aug 3 14:37:45 UTC 2011


On Wed, 2011-08-03 at 10:14 -0400, Ian Stokes-Rees wrote:
> 
> 
> On 8/3/11 4:47 AM, Ondrej Valousek wrote: 
> > Maybe stupid question, but I have to ask:
> > Why would anyone want to store user RSA keys in LDAP? Once you have
> > IPA server with KDC installed, you can use Kerberos for
> > authentication as well.
> > And you get single sign on as a special bonus :-)
> 
> If you only work in a single administrative domain, this is fine.  I
> am constantly accessing systems all over the US, and internationally,
> and the use of ssh-key-based authentication allows me to do this
> without continuous password prompts.  In fact, on many of the systems
> I can *only* access them by ssh-key.  Being able to hold those keys in
> central keystore like FreeIPA with a single passphrase, and the
> ability for an administrator to reset that passphrase, is very
> desirable for me and for the other users of the systems I'm a part of.
> Resetting key-based access control if the private key passphrase is
> lost is always a nuisance.


As a general rule, I would think that having your private key stored
somewhere that an admin other than yourself can reset the password and
have access to would be really dangerous. Most especially if this
private key was being used to access sites in other administrative
domains.

That really sounds like an accident waiting to happen...