Opened 4 years ago

Closed 18 months ago

Last modified 12 months ago

#2116 closed task (fixed)

Add support for registering public user SSH keys in LDAP

Reported by: strk Owned by: sac@…
Priority: normal Milestone: Sysadmin Contract 2020-I
Component: Systems Admin Keywords: ldap
Cc:

Description

For better security, it would be useful to let OSGeo members register their public key within the LDAP database, then those keys could be accepted for logging into services.

Change History (11)

comment:1 Changed 2 years ago by robe

Milestone: Sysadmin Contract 2019-II

comment:2 Changed 21 months ago by robe

Milestone: Sysadmin Contract 2019-II → Sysadmin Contract 2020-I

comment:3 Changed 18 months ago by robe

Okay, I've changed our LDAP to support installing keys

and changed the edit page here:

https://id.osgeo.org/ldap/edit

So you can put in your public key.

Right now I only have hop.osgeo4.osgeo.org and hop.osgeo3.osgeo.org set up to read the keys from LDAP for ssh.

Going to do that next on download.osgeo.org (aka hop.osgeo7.osgeo.org)

Once that is in place, the new steps for people to be able to ssh into download will be:

  1. Get added to ldap shell group - same
  2. Instead of having to bother a sac team member to install your keys, you'd go to

https://id.osgeo.org/ldap/edit

and paste your public key in there.

comment:4 Changed 18 months ago by robe

Resolution: fixed
Status: new → closed

Okay, made the same change on download and deleted my .ssh folder to confirm it works.

I've updated the instructions here

https://wiki.osgeo.org/wiki/SAC_Service_Status#Download

comment:5 Changed 18 months ago by strk

Cool! Can users have multiple SSH keys? I know for sure that I use multiple devices, each with a different ssh key...

comment:6 Changed 18 months ago by robe

I read it's possible but not sure how it's done. Maybe it's as simple as pasting multiple keys in the SSH Public Key field.

comment:7 Changed 18 months ago by strk

It should be tested, and if it works, advertised in the form as a possibility.

comment:8 Changed 18 months ago by strk

I've tested: you can store multiple ssh keys in that form. I've updated it accordingly. Great! Now on to use it from Gitea!
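
The hosts in comment:3 read a user's keys out of LDAP for sshd, and comments 6 to 8 settle that several keys can be stored in the one field. The following is an added example, not OSGeo's or robe's code: a Python helper that turns ldapsearch LDIF output for one user into authorized_keys lines, accepting keys stored as separate attribute values, as LDIF-folded or base64-encoded values, or as several keys pasted into one value. The attribute name sshPublicKey is the one comment:9 mentions; the accepted key types and the sample entry are constructed assumptions.

```python
import base64
import re

# Key types the host accepts (assumption: the hosts are configured for these).
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Bare key only (type, base64 blob, optional comment); authorized_keys options
# such as "no-pty" are deliberately not accepted from the directory.
KEY_RE = re.compile(r"^(%s) [A-Za-z0-9+/]+=*( .*)?$" % "|".join(KEY_TYPES))

# Constructed sample LDIF, shaped like `ldapsearch -LLL ... sshPublicKey` output.
SAMPLE_LDIF = (
    "dn: uid=jdoe,ou=People,dc=example,dc=org\n"
    "uid: jdoe\n"
    "sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne jdoe@laptop\n"
    "sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+ExampleKeyTwo\n"
    "  jdoe@desktop\n"  # LDIF folds long values; a leading space continues the line
    "sshPublicKey:: " + base64.b64encode(  # values containing newlines are base64 in LDIF
        b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyThree a@b\nnot a key\n"
    ).decode() + "\n"
)

def unfold_ldif(text):
    """Join LDIF continuation lines and return the logical lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # the fold marker space is dropped
        else:
            lines.append(raw)
    return lines

def ssh_keys_from_ldif(text, attr="sshPublicKey"):
    """Return every well-formed key in ATTR, in directory order; multi-valued
    attributes, base64 ('attr::') values and keys pasted on separate lines
    inside one value are all handled, malformed lines are skipped."""
    keys = []
    for line in unfold_ldif(text):
        if line.startswith(attr + ":: "):
            value = base64.b64decode(line[len(attr) + 3:]).decode("utf-8", "replace")
        elif line.startswith(attr + ": "):
            value = line[len(attr) + 2:]
        else:
            continue
        for candidate in value.splitlines():
            candidate = candidate.strip()
            if KEY_RE.match(candidate) and candidate not in keys:
                keys.append(candidate)
    return keys
```

On a host, an AuthorizedKeysCommand wrapper would pipe the ldapsearch output for the requesting user through ssh_keys_from_ldif and print one key per line for sshd.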

comment:9 Changed 18 months ago by robe

strk, if you really want to use port 22 we could allocate a separate IP for trac. We have two for osgeo7 at the moment. secure has an IP just for use for the LDAP port. We could use the same IP for gitea I suppose and expose port 22 on it like we have on download just for ssh key access.

Looking at gitea: aside from enabling the ssh, it looks like we just need to specify the sshpubkey field (which it defaults to anyway)

Last edited 18 months ago by robe

comment:10 Changed 18 months ago by strk

Let's discuss Gitea in #2457

comment:11 Changed 12 months ago by strk

Please see #2542 for a follow-up of this work (we might be doing it wrong)