Opened 6 years ago

Closed 4 years ago

Last modified 3 years ago

#2116 closed task (fixed)

Add support for registering public user SSH keys in LDAP

Reported by: strk Owned by: sac@…
Priority: normal Milestone: Sysadmin Contract 2020-I
Component: SysAdmin Keywords: ldap
Cc:

Description

For better security, it would be useful to let OSGeo members register their public key within the LDAP database, then those keys could be accepted for logging into services.

Change History (11)

comment:1 by robe, 4 years ago

Milestone: Sysadmin Contract 2019-II

comment:2 by robe, 4 years ago

Milestone: Sysadmin Contract 2019-II → Sysadmin Contract 2020-I

comment:3 by robe, 4 years ago

Okay, I've changed our ldap to support installing keys

and changed the edit page here:

https://id.osgeo.org/ldap/edit

So you can put in your public key.

Right now I only have hop.osgeo4.osgeo.org and hop.osgeo3.osgeo.org set up to read the keys from ldap for ssh.

Going to do that next on download.osgeo.org (aka hop.osgeo7.osgeo.org)

Once that is in place, the new steps for people to be able to ssh into download will be:

  1. Get added to ldap shell group - same
  2. Instead of having to bother a sac team member to install your keys, you'd go to

https://id.osgeo.org/ldap/edit

and paste your public key in there.

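How a host such as download.osgeo.org could consume the keys users paste into the id.osgeo.org form: an added example of an sshd AuthorizedKeysCommand, written for this page and not OSGeo's actual script. It assumes the openssh-lpk style `sshPublicKey` attribute (the ticket only mentions Gitea's `sshpubkey` field), a hypothetical LDAP URI and base DN, and OpenLDAP's `ldapsearch` on the host. The sample LDIF used to exercise it is constructed, not real directory data.

```shell
#!/bin/sh
# Added example: AuthorizedKeysCommand that returns a user's public keys from
# LDAP. Not OSGeo's script; URI, base DN and attribute name are assumptions.
#
# sshd_config (example):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
# sshd refuses to run the command unless the file is owned by root and not
# group- or world-writable.
set -eu

LDAP_URI="${LDAP_URI:-ldaps://ldap.example.org}"       # assumption
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=org}"  # assumption

# sshd hands us %u as typed by the remote client. Accept only a plain POSIX
# username so the value cannot rewrite the LDAP filter (e.g. "x)(uid=admin").
validate_user() {
    case "$1" in
        ''|*[!a-z0-9._-]*|[!a-z_]*) return 1 ;;
    esac
    return 0
}

# Read LDIF on stdin, print one attribute value per line. ldapsearch emits
# "attr:: <base64>" whenever a value holds characters LDIF will not print
# raw (for instance an embedded newline from a multi-line paste), so both
# spellings must be handled or those keys silently vanish.
ldif_keys() {
    while IFS= read -r line; do
        case "$line" in
            'sshPublicKey:: '*)
                printf '%s\n' "${line#sshPublicKey:: }" | base64 -d
                printf '\n' ;;
            'sshPublicKey: '*)
                printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}

# Keep only lines shaped like an OpenSSH public key: known type, base64
# blob, optional comment. A stray paste (a private key, an HTML fragment)
# is dropped instead of reaching sshd. Keys carrying authorized_keys
# options such as command= or from= are dropped too; loosen if wanted.
filter_keys() {
    grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=* ?[^[:cntrl:]]*$' || true
}

fetch_keys() {
    user="$1"
    validate_user "$user" || { echo "refusing username: $user" >&2; exit 1; }
    # -LLL drops LDIF headers; -o ldif-wrap=no keeps long key lines on one
    # line. Capture the result first so a directory outage exits non-zero
    # (and is logged by sshd) rather than looking like "no keys".
    ldif=$(ldapsearch -LLL -o ldif-wrap=no -x -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$user))" sshPublicKey) || exit 1
    printf '%s\n' "$ldif" | ldif_keys | filter_keys
}

# sshd invokes the script with the username; with no argument only the
# functions are defined, which is what the checks below rely on.
if [ "$#" -ge 1 ]; then
    fetch_keys "$1"
fi
```

Because `sshPublicKey` is multi-valued, one value per device is the natural way to store several keys; a single value containing several pasted lines also works here, since LDIF base64-encodes it, the decode restores the newlines, and `filter_keys` then judges each line on its own. Checking `ssh -v` against the host while the script is in place, as was done on download, is the fastest way to confirm which path the form actually produces.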
comment:4 by robe, 4 years ago

Resolution: fixed
Status: new → closed

Okay, made the same change on download and deleted my .ssh folder to confirm it works.

I've updated the instructions here

https://wiki.osgeo.org/wiki/SAC_Service_Status#Download

comment:5 by strk, 4 years ago

Cool! Can users have multiple SSH keys? As I know for sure I use multiple devices, each with a different ssh key...

comment:6 by robe, 4 years ago

I read it's possible but not sure how it's done. Maybe it's as simple as pasting multiple keys in the SSH Public Key field.

comment:7 by strk, 4 years ago

It should be tested, and if it works, advertised in the form as a possibility.

comment:8 by strk, 4 years ago

I've tested: you can store multiple ssh keys in that form. I've updated it accordingly. Great! Now on to use it from Gitea!

comment:9 by robe, 4 years ago

strk, if you really want to use port 22, we could allocate a separate IP for trac. We have two for osgeo7 at the moment. secure has an ip just for use for the ldap port. We could use the same ip for gitea I suppose and expose port 22 on it like we have on download, just for ssh key access.

Looking at gitea, aside from enabling the ssh, it looks like we just need to specify the sshpubkey field (which it defaults to anyway).

Last edited 4 years ago by robe

comment:10 by strk, 4 years ago

Let's discuss Gitea in #2457

comment:11 by strk, 3 years ago

Please see #2542 for a followup of this work (we might be doing it wrong)
