Is Centralized SSH Public Key Authentication Possible?
Hi All, I am trying to set up a centralized SSH authentication server that allows authentication via public keys. I can't find anything on the web about if this is possible with FR. Is it? Basically all I need is for FR to allow authentication off of a respective users's .ssh/.authorized_keys file. So far all I can seem to get going is password authentication. Can anyone let me know if this is even doable? Best, JLS John L. Singleton jsinglet@gmail.com
John L. Singleton wrote:
I am trying to set up a centralized SSH authentication server that allows authentication via public keys.
RADIUS doesn't do that.
I can't find anything on the web about if this is possible with FR. Is it? Basically all I need is for FR to allow authentication off of a respective users's .ssh/.authorized_keys file.
Er... no. When the local SSHD reads the authorized_keys file, it does a LOT of work using it. You will need *transport* of all of that SSH magic crypto stuff for it to work.
So far all I can seem to get going is password authentication. Can anyone let me know if this is even doable?
It's impossible. Alan DeKok.
We are using tunneling via SSH (with authorized keys only) to connect radius servers across the Internet. We do this to keep from sending user names and passwords between the sites and the central radius server as clear text. Each radius server running on remote site connects via the SSH tunnel to the central radius server that contains the actual user database. If that is what you are looking to do I'd be happy provide the details. Emmett On 02/17/2010 12:24 PM, John L. Singleton wrote:
Hi All,
I am trying to set up a centralized SSH authentication server that allows authentication via public keys. I can't find anything on the web about if this is possible with FR. Is it? Basically all I need is for FR to allow authentication off of a respective users's .ssh/.authorized_keys file. So far all I can seem to get going is password authentication. Can anyone let me know if this is even doable?
Best, JLS
John L. Singleton jsinglet@gmail.com
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, Feb 17, 2010 at 3:24 PM, John L. Singleton <jsinglet@gmail.com>wrote:
Hi All,
I am trying to set up a centralized SSH authentication server that allows authentication via public keys. I can't find anything on the web about if this is possible with FR. Is it? Basically all I need is for FR to allow authentication off of a respective users's .ssh/.authorized_keys file. So far all I can seem to get going is password authentication. Can anyone let me know if this is even doable?--
You are probably barking up the wrong tree with freeradius. Check out this tutorial I wrote on setting up a centralized SSH server: http://www.howtoforge.net/secure_ssh_with_wikid_two_factor_authentication. The difference is that I suggest using two-factor authentication with OTPs to get into the key server (because public key SSH does not meet certain regulatory requirements). You may want to use Freeradius to route the OTPs to the auth server. HTH, nick -- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication
On Thu, Feb 18, 2010 at 11:47 AM, Nick Owen <owen.nick@gmail.com> wrote:
On Wed, Feb 17, 2010 at 3:24 PM, John L. Singleton <jsinglet@gmail.com>wrote:
Hi All,
I am trying to set up a centralized SSH authentication server that allows authentication via public keys. I can't find anything on the web about if this is possible with FR. Is it? Basically all I need is for FR to allow authentication off of a respective users's .ssh/.authorized_keys file. So far all I can seem to get going is password authentication. Can anyone let me know if this is even doable?--
You are probably barking up the wrong tree with freeradius. Check out this tutorial I wrote on setting up a centralized SSH server: http://www.howtoforge.net/secure_ssh_with_wikid_two_factor_authentication. The difference is that I suggest using two-factor authentication with OTPs to get into the key server (because public key SSH does not meet certain regulatory requirements). You may want to use Freeradius to route the OTPs to the auth server.
If it were me I would put it into LDAP rather than Radius. Since that's what LDAP does well. If you google for "OpenSSH LDAP LPK " you will find this site: code.google.com/p/*openssh*-*lpk *which is the LPK patches for OpenSSH which work (albiet not the most pretty) with a centralised OpenSSH LDAP store for your authorized keys. I personally use this and it works well. Thanks Peter
On 2/17/10 9:24 PM, John L. Singleton wrote:
Hi All,
I am trying to set up a centralized SSH authentication server that allows authentication via public keys. I can't find anything on the web about if this is possible with FR. Is it? Basically all I need is for FR to allow authentication off of a respective users's .ssh/.authorized_keys file. So far all I can seem to get going is password authentication. Can anyone let me know if this is even doable?
Hello, I'm using OpenSSH-LPK patch. This patch allows to keep public keys in an LDAP tree. But it has nothing to do with RADIUS. http://code.google.com/p/openssh-lpk/ Hope it helps, -- Lech Karol Pawłaszek <ike> "You will never see me fall from grace" [KoRn]
participants (6)
-
Alan DeKok -
Emmett Culley -
John L. Singleton -
Lech Karol Pawłaszek -
Nick Owen -
Peter Lambrechtsen