I'd like to set up pam_ldap on some of our servers so that we can centrally manage who has access to which server, and easily revoke access if e.g. someone leaves the company.

I've done some research and got this working. Hooray!

However I'd also like to be able to use public-private key logins - i.e. allow users to store their public keys in the LDAP directory and have these work for logins too.

I can't find any documentation about being able to do this, but I also can't find any reasons that it shouldn't be possible. Is there a way to do it, or is there some fundamental reason that it won't work?

Gareth

1 Answer

There is an unofficial patch to openssh for that. You can find it here.

You can also use a configuration manager (like puppet or cfengine) to manage and distribute the keys, possibly even pulling them from LDAP.

Otherwise, you can set up an ad-hoc CRON job to update the keys from LDAP.

Dan Andreatta
  • They look like good options to investigate, I'm not able to blindly copy keys over because I don't want to create home directories on all servers until people log in for the first time, but I can already see how I can manage that :) – Gareth May 05 '10 at 16:53
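An added example (not from the answer or the comments above) of the cron-job approach: it reads the keys from LDAP, groups them per user, and skips anyone whose home directory has not been created yet, which is the concern raised in the comment. It assumes OpenLDAP's ldapsearch and getent are installed, that keys are stored in an attribute named sshPublicKey, and the LDAP URI and base DN are placeholders.

```shell
# Added example, not from the thread: refresh ~/.ssh/authorized_keys from the
# sshPublicKey attribute in LDAP (assumed attribute name; ldapsearch and getent
# assumed available; URI and base DN are placeholders).
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
BASE_DN="${BASE_DN:-ou=People,dc=example,dc=com}"

# LDIF on stdin -> "uid<TAB>key" lines; unfolds continuation lines (leading space).
# Base64 values ("attr:: ...") are not expected for SSH keys and are ignored.
parse_ldif() {
    awk '
        function flush() {
            if (buf ~ /^dn: /) uid = ""
            else if (buf ~ /^uid: /) uid = substr(buf, 6)
            else if (buf ~ /^sshPublicKey: / && uid != "") print uid "\t" substr(buf, 15)
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END { flush() }'
}

# Keys on stdin for one user. Skips users with no home directory yet (the
# concern in the comment thread) and replaces the file atomically.
install_keys() {
    user="$1"; home="$2"
    if [ -z "$home" ] || [ ! -d "$home" ]; then
        cat >/dev/null; echo "skipping $user: no home directory yet" >&2; return 1
    fi
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    tmp="$home/.ssh/authorized_keys.tmp"
    cat >"$tmp" && chmod 600 "$tmp"
    chown "$user" "$home/.ssh" "$tmp" 2>/dev/null || true   # needs root; harmless otherwise
    mv -f "$tmp" "$home/.ssh/authorized_keys"
}

# Group the parsed keys per user and install each set.
sync_from_ldif() {
    keys=$(mktemp)
    parse_ldif >"$keys"
    cut -f1 "$keys" | sort -u | while read -r user; do
        home=$(getent passwd "$user" | cut -d: -f6)
        awk -F'\t' -v u="$user" '$1 == u { print $2 }' "$keys" | install_keys "$user" "$home" || true
    done
    rm -f "$keys"
}
# Run from cron: sync-ssh-keys.sh --run
if [ "${1:-}" = "--run" ]; then
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" '(sshPublicKey=*)' uid sshPublicKey | sync_from_ldif
fi
```

Users whose home directory appears later are picked up on the next cron run, so first logins and key distribution stay decoupled.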