
second question, second problem:

I am searching for a way to dynamically let sshd search for public keys on my server. So, briefly put: I want that, when authorized_keys is accessed by sshd, a helper process is started which connects to a central database (in this case postgres) and fetches all keys.

I want to achieve real-time updates of the authorized_keys file.

I read something here: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/156636 (it's far down), and I want to know how I can trigger such a helper program? It would be ideal for me, as it seems to abstract the authorized_keys file.

quanta
Jannick
  • It sounds like you are trying to do Single Sign On. It would be simpler to implement Kerberos or some other sort of SSO solution. – Rilindo Oct 02 '11 at 12:50

2 Answers


This is implemented in OpenSSH 6.2:

sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to
support fetching authorized_keys from a command in addition to (or
instead of) from the filesystem. The command is run under an account
specified by an AuthorizedKeysCommandUser sshd_config(5) option.
Deer Hunter
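An added example of how such a helper could look for the Postgres case from the question (this is not code from the answer or from OpenSSH). It assumes a hypothetical table ssh_keys(username, pubkey, enabled) in a database named sshkeys, that sshd_config carries `AuthorizedKeysCommand /usr/local/bin/ssh-keys-from-db %u` and `AuthorizedKeysCommandUser sshkeys`, and that the script is owned by root and not writable by anyone else, which sshd requires.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper: print the public keys stored for one user.

sshd runs it as:  /usr/local/bin/ssh-keys-from-db %u     (assumed path)
Assumed (hypothetical) schema: ssh_keys(username text, pubkey text, enabled bool)
"""
import re
import sys

# sshd hands us the login name; reject anything outside a conservative
# POSIX user-name pattern before it reaches the database or stdout.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def valid_username(name):
    return bool(USERNAME_RE.match(name))


def format_keys(rows):
    """Turn (pubkey, enabled) rows into authorized_keys lines.

    Only enabled, single-line, key-looking entries are emitted, so a stray
    newline in a database field cannot smuggle in an extra key or option.
    """
    lines = []
    for pubkey, enabled in rows:
        key = pubkey.strip()
        if not enabled or len(key.splitlines()) != 1:
            continue
        if not key.startswith(("ssh-", "ecdsa-", "sk-")):
            continue
        lines.append(key)
    return "\n".join(lines) + ("\n" if lines else "")


def fetch_rows(username, dsn="dbname=sshkeys"):
    """Query PostgreSQL with a parameterised statement, never string-formatted."""
    import psycopg2  # imported lazily so the pure parts run without a database
    with psycopg2.connect(dsn) as conn:
        with conn.cursor() as cur:
            cur.execute("SELECT pubkey, enabled FROM ssh_keys WHERE username = %s",
                        (username,))
            return cur.fetchall()


def main(argv):
    if len(argv) != 2 or not valid_username(argv[1]):
        return 1  # empty output + non-zero exit: sshd accepts no keys from us
    try:
        sys.stdout.write(format_keys(fetch_rows(argv[1])))
    except Exception:
        return 1  # fail closed on any database error
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Revoking a key is then a matter of flipping `enabled` or deleting the row; the next login attempt no longer sees it, which is the real-time behaviour the question asks for.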

Postgres: uncertain/doubtful (at this time)

LDAP: Openssh LDAP public key (there is currently nothing official for Ubuntu)

Puppet also allows for multi-system ssh key management. Not familiar with the details, but that's not its sole function.

84104
  • I've used the LDAP public key integration. It turns out it's a pain having to repackage ssh for all your systems. Puppet, on the other hand, doesn't require you to repackage your ssh daemon, and still allows you to deliver and revoke any ssh keys you like. Puppet is a more general configuration management system, so it's a much bigger solution than you need, but it's the one I'd go for. – Daniel Lawson Oct 03 '11 at 00:50