
I have followed this guide: https://github.com/jirutka/ssh-ldap-pubkey in order to set up an LDAP server that allows authentication requiring both a password and a public key in order to log in.

Now, while all this seems like a very good idea, the SSH server runs this script (as described in the guide) every time someone logs in:

AuthorizedKeysCommand /usr/bin/ssh-ldap-pubkey-wrapper

This will call my LDAP server and attempt to retrieve the public key for the current user. I would like to know how I could have a fallback system in the event the LDAP server is not reachable for any reason. I have already considered a second LDAP server for redundancy, but would like to know how to approach this locally.

PS: Using CentOS 6.6

Stacknerd

1 Answer


In the environments I'm working in, at least two LDAP servers are operated, to prevent the problem(s) you're currently thinking about. So, if possible, set up a second LDAP server, preferably on a different physical host than the first one.

Additionally, you could check whether it's worth implementing the name service cache daemon (nscd), which is

a daemon that provides a cache for the most common name service requests.

(Not sure if this works for SSH keys, but you'll find out.) In section 2.2.2.3. NSCD configuration of this tutorial you'll find a small how-to.

Also, you could have a look at the System Security Services Daemon (sssd), which is

a system daemon. Its primary function is to provide access to identity and authentication remote resource through a common framework that can provide caching and offline support to the system.

(In my opinion, this is the more modern way to go instead of nscd.)
Check out this for some general notes about configuration on CentOS, and that for information specifically about SSH keys.

gxx
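For the "locally" part of the question, here is an added example of what a local fallback can look like when you keep the guide's AuthorizedKeysCommand approach rather than moving to sssd. It is not code from the ssh-ldap-pubkey project or from the answer above. It wraps the real lookup helper: when LDAP answers, the result is written to a per-user cache file (atomically, and even when the result is empty, so a key deleted in LDAP is also dropped from the cache); when the helper fails, the cached copy is served instead. The cache path `/var/cache/ssh-ldap-keys`, the helper path and the name `fetch_keys` are assumptions for the example; the only thing it relies on from the guide is that the helper prints keys on stdout and exits non-zero when the LDAP query fails.

```shell
#!/bin/sh
# Added example (not from the linked project or the answer): a caching wrapper
# for AuthorizedKeysCommand. It calls the real LDAP lookup; on success it refreshes
# a per-user cache file, on failure (LDAP unreachable) it serves the cached copy.
# Assumptions: the real helper prints keys on stdout and exits non-zero when the
# LDAP query fails; CACHE_DIR is writable only by the account sshd runs this as.

CACHE_DIR="${CACHE_DIR:-/var/cache/ssh-ldap-keys}"       # assumed path
LDAP_CMD="${LDAP_CMD:-/usr/bin/ssh-ldap-pubkey-wrapper}" # helper from the guide
umask 022   # cache files world-readable, writable only by the owner

# valid_user NAME: accept only plain login names so NAME can never
# become "../something" when joined to CACHE_DIR.
valid_user() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# fetch_keys NAME: print the authorized keys for NAME.
# Returns 0 with keys from LDAP (cache refreshed) or from the cache,
# 1 when LDAP is down and nothing is cached (sshd then sees no keys).
fetch_keys() {
    user="$1"
    valid_user "$user" || return 1
    cache="$CACHE_DIR/$user"
    tmp="$cache.tmp.$$"
    if "$LDAP_CMD" "$user" > "$tmp" 2>/dev/null; then
        # LDAP answered: replace the cache atomically, even with an empty
        # result, so a key removed in LDAP is removed from the cache too.
        mv -f "$tmp" "$cache" && cat "$cache"
        return $?
    fi
    rm -f "$tmp"
    if [ -f "$cache" ]; then
        cat "$cache"        # stale, but better than locking everyone out
        return 0
    fi
    return 1
}

# Entry point when installed as the AuthorizedKeysCommand: sshd passes the
# login name as $1. Nothing runs when the file is loaded without arguments.
if [ -n "${1:-}" ]; then
    fetch_keys "$1"
    exit $?
fi
```

Install it root-owned and not group/world-writable (sshd refuses the command otherwise), point `AuthorizedKeysCommand` at it, and create the cache directory up front so that only the account sshd runs the command as can write to it (on RHEL 6 that account is chosen with `AuthorizedKeysCommandRunAs`, newer OpenSSH calls the option `AuthorizedKeysCommandUser`). Two caveats a practitioner should weigh: while LDAP is down the cache keeps accepting keys that may have been revoked there in the meantime, and only users who logged in at least once while LDAP was up have a cached entry, so an account that has never logged in gets no fallback unless you prime the cache from a periodic job. If you go the sssd route from the answer instead, its `sss_ssh_authorizedkeys` helper gives you the same offline behaviour from sssd's own cache without a script like this.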