RE: Multiple authorized_keys2 files or how to achieve same effect.

From: Tay, Gary (Gary_Tay_at_platts.com)
Date: 09/05/05

  • Next message: Miro Dietiker, MD Systems: "Logging Traffic by user @ OpenSSH 3.8.1"
    Date: Mon, 5 Sep 2005 10:18:12 +0800
    To: "Jeremy Eder" <jeder@invision.net>, <secureshell@securityfocus.com>

    If you are looking for docs on building Centralized LDAP Authentication
    with host access (netgroups) control, and user command execution
    (sudoers) control, you may find my HOWTOs useful, or not at all.

    http://web.singnet.com.sg/~garyttt/

    Gary

    -----Original Message-----
    From: Jeremy Eder [mailto:jeder@invision.net]
    Sent: Friday, September 02, 2005 9:53 PM
    To: secureshell@securityfocus.com
    Subject: RE: Multiple authorized_keys2 files or how to achieve same
    effect.

    Thank you Jayson and Johan for your suggestions, they are exactly what I
    was looking for.

    I will investigate both LDAP/MySQL with PAM and freeradius.

    Are there any docs on your technique, Jayson ?

    Other than man pages and freeradius.org... ?

    Sincerely,

    Jeremy Eder

    -----Original Message-----
    From: Jayson Anderson [mailto:sonick@sonick.com]
    Sent: Friday, September 02, 2005 12:10 AM
    To: secureshell@securityfocus.com; Jeremy Eder
    Subject: Re: Multiple authorized_keys2 files or how to achieve same
    effect.

    Good recommendations so far, but I can't help but think with hundreds of
    hosts, and granularity of control spanning one-off host, global host,
    /etc/sudoers and more than you've not listed and more that you've not
    yet encountered: It's time to think about Radius.

    I've scaled freeradius to levels that hurt a lot of vendors' feelings,
    on $500 worth of DIY server hardware to boot; I enthusiastically
    recommend it. Performance alone it is the champ, without even mentioning
    the obnoxious amount of functionality options beyond most if not all
    commercial offerings. I definitely think freeradius would make you
    keyboard-smashing mad during planning and integration, and once
    integrated will slash an unbelievable amount of minutia and trouble out
    of your yearly operations tasks in addition to adding incredible amounts
    of applied and available user control. Better yet, all user activity
    [licit and otherwise] will become centralized where you can more
    effectively manage it (let alone even NOTICE it vs. your current
    arrangement). Just make sure to become a stickler about putting AAA on
    everything that even LOOKS at your networks. The day I resigned from INS
    (version 1.0) was shortly after the day they placed me in a
    radius-enabled, deployment-lax environment and said 'cull it all and fix
    it'.

    Unless I misunderstood your obstacles which I sometimes do in grand
    fashion, I think it's time to bang out a couple freeradius servers once
    and for all; then enable AAA on everything with unwavering completeness.
    Massaging the groups and configs will evolve naturally over time; no
    need to perfect access to every single binary prior to rollout.

    Best Regards,
    Jayson

    On Thu, 2005-09-01 at 10:49 -0400, Jeremy Eder wrote:
    > My situation: multiple admins needing root on hundreds of boxes.
    >
    > Currently: using pubkeyauth on openssh (mostly bsd but linux and
    > solaris too)
    >
    > Goal: ease add/remove of credentials from machines (one-off or
    > globally in our network)
    >
    > Each server may have a completely different (and still valid) list of
    > users in the authkeys2 file.
    >
    > Instead of getting messy with sed/cat/grep...I began to research if it
    > was possible to have multiple authorized_keys2 files, or at least be
    > able to put directives to separate public key files in the global
    > authorized_keys2. This would make the management of my setup much
    > easier...
    >
    > Something like...
    >
    > AuthorizedKeysFile .ssh/authorized_keys2
    > AuthorizedKeysFile .ssh/user1
    > AuthorizedKeysFile /ssh/user2
    >
    > Etc etc...
    >
    > Then I can control access to the box simply by creating or deleting
    > that file and one line in the conf.
    >
    > Am I looking in the right direction ? I haven't yet discovered a way
    > to do this under openssh; however .ssh/authorization under ssh2 seems to
    > provide the exact feature I am thinking of. Not an option...
    >
    > Is this possible ? Is there some other practice that is more accepted
    > that I'm not aware of ?
    >
    > Thanks for your help.
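
The "one key file per admin" layout Jeremy asks about in his quoted question, as an added example that is not part of this thread or of OpenSSH. For context beyond the 2005 discussion: OpenSSH 5.9 and later accept several space-separated paths on a single AuthorizedKeysFile line, and 6.2 added AuthorizedKeysCommand for pulling keys from a directory service, but on older servers (or where a single file is still wanted) the same effect can be had by merging per-admin files into one authorized_keys. The script below does that merge; the key directory, the placeholder key strings and the count_keys helper are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): merge per-admin public-key files into
# one authorized_keys file. Each admin has a file named after them in a key
# directory; deleting that file and re-running the merge revokes their
# access, which is the per-user control the question describes. All key
# material below is constructed placeholder data, not real keys.

# Create a constructed key directory with two valid keys and one junk file.
setup_sample_keys() {
    keydir="$1"
    mkdir -p "$keydir"
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyDataUser1 user1@admin-host' > "$keydir/user1"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPlaceholderKeyDataUser2 user2@admin-host' > "$keydir/user2"
    printf '%s\n' 'this is not a public key' > "$keydir/broken"
}

# Return 0 if a line looks like an OpenSSH public key: a known key type,
# a space, then a base64 blob. Anything else is rejected rather than copied,
# so a stray line in a per-admin file cannot end up granting access.
is_public_key_line() {
    case "$1" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) return 1 ;;
    esac
    blob=${1#* }        # drop the key type
    blob=${blob%% *}    # keep only the base64 field, drop the comment
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

# Rebuild OUT from every file in KEYDIR. Each accepted key is preceded by a
# comment naming its source file so the merged file stays auditable. The
# result is written to a temp file and renamed, so sshd never reads a
# half-written file, and mode 600 satisfies sshd's StrictModes check.
assemble_authorized_keys() {
    keydir="$1"
    out="$2"
    tmp="$out.tmp.$$"
    : > "$tmp"
    for f in "$keydir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            if is_public_key_line "$line"; then
                printf '# managed: %s\n%s\n' "$name" "$line" >> "$tmp"
            else
                echo "skipping malformed line in $name" >&2
            fi
        done < "$f"
    done
    mv "$tmp" "$out"
    chmod 600 "$out"
}

# Count accepted key lines in a merged file (comment lines are excluded).
count_keys() {
    grep -c -e '^ssh-' -e '^ecdsa-' -e '^sk-' "$1"
}

# Stand-alone run: build the sample directory, merge it, then revoke user2.
if [ "${DEMO_RUN:-0}" = "1" ]; then
    d=$(mktemp -d)
    setup_sample_keys "$d/keys"
    assemble_authorized_keys "$d/keys" "$d/authorized_keys"
    echo "keys after merge: $(count_keys "$d/authorized_keys")"
    rm "$d/keys/user2"
    assemble_authorized_keys "$d/keys" "$d/authorized_keys"
    echo "keys after revoking user2: $(count_keys "$d/authorized_keys")"
    rm -rf "$d"
fi
```

Run it from cron or your configuration management on each host, pointed at the key directory you distribute. The merged file must be owned by the target account and neither it nor ~/.ssh may be group- or world-writable, otherwise sshd ignores it under the default StrictModes yes; relative AuthorizedKeysFile paths are resolved against that user's home directory.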

