Ssh – Central authentication and public key store

authenticationssh

What would the best solution be for central authentication?

I want to store all of our users centrally and use that for SSH access and other services. I also want our users to be able to authenticate on their machines (mostly macs) using the same authentication server.

Currently we use SSH with public keys, but each user generates their own keys and they add them themselves on our servers. This becomes hard to manage when we get new employees or others leave.

I need passwordless authentication though, as I don't trust users in creating their own passwords.

What other options are there apart from LDAP? All of our servers are running some flavour of Linux.

Thanks

Best Answer

You could use LDAP in this case both to authenticate your Mac boxes to as well as to centrally store your public keys. Though to get the public key storage you may need to compile your own OpenSSH package depending on the OS / Distribution your on. OpenSSH LPK

Related Solutions

Linux – Best practice for authenticating DMZ against AD in LAN

If you're using PAM for your authentication stack, you can use pam_krb5 to provide kerberos authentication for your services. Kerberos was designed out-of-the-box to deal with hostile environments, handles authentication-by-proxy, and is already a part of the AD spec. Why struggle with LDAP when you can get Kerberos to do the heavy lifting for you, and get on with life? Yeah, you'll have to do some reading, and yeah, it'll take a bit of time, but I've used Kerb-to-AD authentication for years and have found it to be the easiest, quickest way to get SSO working out of the box when you have Active Directory as the authentication backend.

The main thing you'll run into is that Microsoft decided to be very specific about the default encryption types (they basically made their own), so you'll need to set up your Kerberos clients to have the correct matching encryption types, or the AD servers will continue to reject it. This is thankfully an easy procedure and shouldn't require more than a few edits to krb5.conf.

And now, some links for you to consider...

Microsoft's View of Kerberos

Kerberos Explained

Meshing Kerberos and Active Directory

Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability

ssh and Kerberos authentication via PAM

Apache and Kerberos

ProFTP and Kerberos

ProFTPD module mod_gss also via SourceForge

RFCs of Microsoft's Activities with Kerberos (which you really don't want to read about):

Ssh – Enforce SSH key passwords

The passphrase that can be set on the private key is unrelated to the SSH server or the connection to it. Setting a passphrase to the private key is merely a security measure the key owner may take in order to prevent access to his remote shell by a third party in case the private key gets stolen.

Unfortunately, you cannot force users to secure their private keys with passphrases. Sometimes, unprotected private keys are required in order to automate access to the remote SSH server. One good habit I highly recommend for such cases is to advise the users to hash the known_hosts file (stored at ~/.ssh/known_hosts), which keeps information about the remote hosts the user connects to, using the following command:

ssh-keygen -H -f ~/.ssh/known_hosts

This way, even if a third party gained access to an unprotected private key, it would be extremely difficult to find out for which remote hosts this key is valid. Of course, clearing the shell history is mandatory for this technique to be of any value.

Also, another thing you should always bear in mind, is not allow root to login remotely by adding the following in your SSH server's configuration (sshd_config):

PermitRootLogin no

On the other hand, if you want to prevent users from using keys to authenticate, but instead use passwords, you should add the following to your sshd_config:

PasswordAuthentication yes
PubkeyAuthentication no

Best Answer

Related Solutions

Linux – Best practice for authenticating DMZ against AD in LAN

Ssh – Enforce SSH key passwords

Related Topic