RE: Multiple authorized_keys2 files or how to achieve same effect.

From: Jayson Anderson (sonick_at_sonick.com)
Date: 09/02/05

  • Next message: Greg Wooledge: "Re: User name prompt with ssh"
    To: secureshell@securityfocus.com, Jeremy Eder <jeder@invision.net>
    Date: Fri, 02 Sep 2005 09:54:51 -0700
    
    

    Not at all, glad to provide assistance (and some of it is applicable now
    and then ;)

    I'm glad you asked; In fact there are a few things I'd like to mention
    to you about freeradius setup.... a couple gotchas that are good to know
    about and a recommendation to run it on top of mysql, ESPECIALLY with
    your not-small host count in play.. I'll put together a short but sweet
    jumpoff for you to have a look at.

    I need to read back to verify but I also want to mention that if
    "LDAP/MySQL" is inclusive notation, then I would recommend strongly,
    GRAVELY against running LDAP on top of ANY sort of relational database
    server software. The amount of flex in row width and table length, along
    with massive deficiencies in sorting, searching and basically most every
    LDAP operation is contrary in topology and dynamics vs. the
    db/table/colum setup. If you work with LDAP, there is RARELY a case to
    work with anything EXCEPT BDB. I'll point you towards a manifesto on
    this topic as well. LDAP RDBMS functionality is NOT there to provide a
    slick backend, not even close. It's there to provide the flow of
    pre-existing sql data INTO LDAP as a workaround at BEST, or in case of
    integration interim. LDAP with a MySQL backend works, but the
    performance hit is gigantic, the limitations are abundant, and the
    idiosyncrasies are many. Go BDB.

    This weekend I'll cull together everything I want to share that will
    give you a good platform to consider radius and some notations on LDAP
    as well. Sorry to have drifted so far off topic list-wise, the rest of
    my communication with you regarding this setup will be off-list.

    Best Regards,
    Jayson

    On Fri, 2005-09-02 at 09:52 -0400, Jeremy Eder wrote:
    > Thank you Jayson and Johan for your suggestions, they are exactly what I
    > was looking for.
    >
    > I will investigate both LDAP/MySQL with PAM and freeradius.
    >
    > Are there any docs on your technique, Jayson ?
    >
    > Other than man pages and freeradius.org... ?
    >
    >
    > Sincerely,
    >
    > Jeremy Eder
    >
    > -----Original Message-----
    > From: Jayson Anderson [mailto:sonick@sonick.com]
    > Sent: Friday, September 02, 2005 12:10 AM
    > To: secureshell@securityfocus.com; Jeremy Eder
    > Subject: Re: Multiple authorized_keys2 files or how to achieve same
    > effect.
    >
    > Good recommendations so far, but I can't help but think with hundreds of
    > hosts, and granularity of control spanning one-off host, global host,
    > /etc/sudoers and more than you've not listed and more that you've not
    > yet encountered: It's time to think about Radius.
    >
    > I've scaled freeradius to levels that hurt a lot of vendor's feelings,
    > on $500 worth of DIY server hardware to boot; I enthusiastically
    > recommend it. Performance alone it is the champ, without even mentioning
    > the obnoxious amount of functionality options beyond most if not all
    > commercial offerings. I definitely think freeradius would make you
    > keyboard-smashing mad during planning and integration, and once
    > integrated will slash an unbelievable amount of minutia and trouble out
    > of your yearly operations tasks in addition to adding incredible amounts
    > of applied and available user control. Better yet, all user activity
    > [licit and otherwise] will become centralized where you can more
    > effectively manage it (let alone even NOTICE it vs. your current
    > arrangement). Just make sure to become a stickler about putting AAA on
    > everything that even LOOKS at your networks. The day I resigned from INS
    > (version 1.0) was shortly after the day they placed me in a
    > radius-enabled, deployment-lax environment and said 'cull it all and fix
    > it'.
    >
    > Unless I misunderstood your obstacles which I sometimes do in grand
    > fashion, I think it's time to bang out a couple freeradius servers once
    > and for all; then enable AAA on everything with unwavering completeness.
    > Massaging the groups and configs will evolve naturally over time; no
    > need to perfect access to every single binary prior to rollout.
    >
    > Best Regards,
    > Jayson
    >
    >
    > On Thu, 2005-09-01 at 10:49 -0400, Jeremy Eder wrote:
    > > My situation: multiple admins needing root on hundreds of boxes.
    > >
    > > Currently: using pubkeyauth on openssh (mostly bsd but linux and
    > > solaris too)
    > >
    > > Goal: ease add/remove of credentials from machines (one-off or globally
    > > in our network)
    > >
    > > Each server may have a completely different (and still valid) list of
    > > users in the authkeys2 file.
    > >
    > > Instead of getting messy with sed/cat/grep...I began to research if it
    > > was possible to have multiple authorized_keys2 files, or at least be
    > > able to put directives to separate public key files in the global
    > > authorized_keys2. This would make the management of my setup much
    > > easier...
    > >
    > > Something like...
    > >
    > > AuthorizedKeysFile .ssh/authorized_keys2
    > > AuthorizedKeysFile .ssh/user1
    > > AuthorizedKeysFile /ssh/user2
    > >
    > > Etc etc...
    > >
    > > Then I can control access to the box simply by creating or deleting that
    > > file and one line in the conf.
    > >
    > > Am I looking in the right direction ? I haven't yet discovered a way to
    > > do this under openssh; however .ssh/authorization under ssh2 seems to
    > > provide the exact feature I am thinking of. Not an option...
    > >
    > > Is this possible ? Is there some other practice that is more accepted
    > > that I'm not aware of ?
    > >
    > > Thanks for your help.
    >
