Thanks Dmitri,
I'm sshing from linux boxes.
> SSH does not support cert authentication but in RHEL there have
> been some patches to support X509 certs though I am not sure
> how exactly it would work.
I had this input also from someone else: if I find
something interesting I will report about it here.
My point is that there may have been some kind
of mechanism for the server on which to log in to
ask the client to bind to the LDAP server (when
PAM knows that LDAP is to be used) rather than
presenting the usual "login/passwd" message.
This binding operation may have involved sssd
transactions between the client and the server
(so that sssd could bind directly to the LDAP server
using information passed by the client, and being
therefore able to certify the requester's identity).
Maybe a wrong idea.
> If you use Kerberos and/or IPA for your Linux/UNIX environment you
> can provision a user keytab
At this stage my goal is to properly deploy a rightly operated
LDAP service for user authentication and authorization.
SSO with Kerberos or IPA is something that I consider but... as a
next step really (and with no targeted deadline! :-)
Thanks for your attention anyway,
---
Olivier
2012/3/28 Dmitri Pal <dpal@redhat.com>
> I was now wondering if there would be any way to announce
> my certificate using the "external SASL_MECH" mechanism
> over a login process to a linux box (let's say using ssh), so that
> pam would not ask me to type a "login" and a "password" to
> log in?
> Don't hesitate to fire if my question is stupid.
> Thanks,
> ---
> Olivier
> $ ldapsearch -ZZ uid=olivier
Are you sshing from Windows or Linux?
I am not sure how you can do it with just a key or a cert.
SSH does not support cert authentication but in RHEL there have been some
patches to support X509 certs though I am not sure how exactly it would
work.
If you use Kerberos and/or IPA for your Linux/UNIX environment you can
provision a user keytab to the machine from which you ssh and
script around the ssh call to do kinit with the user key in the keytab. Then
you will not be asked for anything. kinit will acquire the ticket using the
principal you scripted. It would use the key that you provisioned. And the
SSH would use GSSAPI to log you into the box.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
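The keytab-plus-GSSAPI login Dmitri describes, as an added example script (not from the thread or from sssd); the keytab path, principal and host are placeholders, and the checks on keytab permissions and ticket validity are my additions:

```shell
#!/bin/sh
# Added example: non-interactive ssh using a user keytab and GSSAPI.
# Everything here (paths, principal, host) is a placeholder to adapt.
set -e

# ssh_with_keytab KEYTAB PRINCIPAL HOST [ssh args...]
# Acquires a TGT from the keytab into a private credential cache, runs ssh
# with GSSAPI, and destroys the ticket when the shell exits.
ssh_with_keytab() {
    keytab=$1; principal=$2; host=$3; shift 3

    # Fail early on a missing/unreadable keytab instead of a cryptic kinit error.
    if [ ! -r "$keytab" ]; then
        echo "keytab not readable: $keytab" >&2
        return 1
    fi
    # A user keytab is a long-lived credential: it should be mode 0600.
    case $(stat -c %a "$keytab" 2>/dev/null || echo 600) in
        *00) ;;
        *) echo "warning: $keytab should be mode 0600" >&2 ;;
    esac

    # Private ccache so an interactive login's ticket is never clobbered or reused.
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_ssh.XXXXXX)"
    export KRB5CCNAME
    trap 'kdestroy -q 2>/dev/null; rm -f "${KRB5CCNAME#FILE:}"' EXIT INT TERM

    # -k: authenticate from a keytab, -t: which keytab. No password prompt.
    kinit -k -t "$keytab" "$principal"
    klist -s   # exits non-zero if there is no valid, unexpired ticket

    # ssh presents the TGT via GSSAPI; password auth is disabled so a broken
    # Kerberos setup fails loudly instead of falling back to a prompt.
    # Delegation stays off: the TGT is not forwarded to the remote host.
    ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=no \
        -o PasswordAuthentication=no "$host" "$@"
}

# Usage (placeholders):
#   ssh_with_keytab /etc/krb5.user.keytab olivier@EXAMPLE.COM server.example.com
```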