Opened 2 years ago

Closed 4 weeks ago

Last modified 4 weeks ago

#2116 closed task (fixed)

Add support for registering public user SSH keys in LDAP

Reported by: strk Owned by: sac@…
Priority: normal Milestone: Sysadmin Contract 2020-I
Component: Systems Admin Keywords: ldap
Cc:

Description

For better security, it would be useful to let OSGeo members register their public key within the LDAP database, then those keys could be accepted for logging into services.

Change History (10)

comment:1 Changed 9 months ago by robe

Milestone: Sysadmin Contract 2019-II

comment:2 Changed 4 months ago by robe

Milestone: Sysadmin Contract 2019-II → Sysadmin Contract 2020-I

comment:3 Changed 4 weeks ago by robe

Okay, I've changed our LDAP to support installing keys

and changed the edit page here:

https://id.osgeo.org/ldap/edit

So you can put in your public key.

Right now I only have hop.osgeo4.osgeo.org and hop.osgeo3.osgeo.org set up to read the keys from LDAP for SSH.

Going to do that next on download.osgeo.org (aka hop.osgeo7.osgeo.org)

Once that is in place, the new steps for people to be able to ssh into download will be:

  1. Get added to ldap shell group - same
  2. Instead of having to bother a sac team member to install your keys, you'd go to

https://id.osgeo.org/ldap/edit

and paste your public key in there.

comment:4 Changed 4 weeks ago by robe

Resolution: fixed
Status: new → closed

Okay, I made the same change on download and deleted my .ssh folder to confirm it works.

I've updated the instructions here:

https://wiki.osgeo.org/wiki/SAC_Service_Status#Download

comment:5 Changed 4 weeks ago by strk

Cool! Can users have multiple SSH keys? I know for sure I use multiple devices, each with a different SSH key...

comment:6 Changed 4 weeks ago by robe

I read it's possible but not sure how it's done. Maybe it's as simple as pasting multiple keys in the SSH Public Key field.

comment:7 Changed 4 weeks ago by strk

It should be tested, and if it works, advertised in the form as a possibility.

comment:8 Changed 4 weeks ago by strk

I've tested: you can store multiple SSH keys in that form. I've updated it accordingly. Great! Now on to using it from Gitea!
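The flow described in comment:3 (keys stored in LDAP, sshd reading them at login) and the multi-key behaviour confirmed in comment:8, as an added example that is not part of this ticket or of the OSGeo setup: a small AuthorizedKeysCommand-style helper that turns an LDIF search result into authorized_keys lines. It assumes the keys live in a multi-valued attribute named sshPublicKey and that sshd is wired to the script as sketched in the comments; the LDIF sample is constructed.

```python
# Added example, not OSGeo's code. Assumed sshd_config wiring:
#   AuthorizedKeysCommand /usr/local/bin/ldap-keys.sh %u   (runs ldapsearch
#   for uid=%u with attribute sshPublicKey and pipes the LDIF into this script)
#   AuthorizedKeysCommandUser nobody
import base64
import re
import sys

KEY_ATTR = "sshPublicKey"  # assumed attribute name (OpenSSH LPK schema)
# A bare key line: type, base64 blob, optional comment. Option prefixes such
# as command="..." are deliberately not accepted from a user-editable field.
KEY_RE = re.compile(
    r"^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S.*)?$"
)


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (a line starting with one space)."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def keys_from_ldif(text: str) -> list[str]:
    """Return every syntactically valid key value, one authorized_keys line each."""
    keys: list[str] = []
    for line in unfold_ldif(text):
        if line.startswith(KEY_ATTR + ":: "):  # base64-encoded attribute value
            value = base64.b64decode(line[len(KEY_ATTR) + 3:]).decode("utf-8", "replace")
        elif line.startswith(KEY_ATTR + ": "):
            value = line[len(KEY_ATTR) + 2:]
        else:
            continue  # dn:, uid:, other attributes
        value = value.strip()
        # One key per value; anything else pasted into the web form is dropped.
        if "\n" not in value and KEY_RE.match(value):
            keys.append(value)
    return keys


# Constructed sample: two valid keys (second one base64-encoded and folded
# across lines, as LDAP servers do for long values) plus one junk value.
KEY_ONE = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne alice@laptop"
KEY_TWO = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo alice@desktop"
_B64 = base64.b64encode(KEY_TWO.encode()).decode()
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=org\nuid: alice\n"
    f"{KEY_ATTR}: {KEY_ONE}\n{KEY_ATTR}:: {_B64[:40]}\n {_B64[40:]}\n"
    f"{KEY_ATTR}: this is not a key\n"
)

if __name__ == "__main__":
    print("\n".join(keys_from_ldif(sys.stdin.read() or SAMPLE_LDIF)))
```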

comment:9 Changed 4 weeks ago by robe

strk, if you really want to use port 22, we could allocate a separate IP for Trac. We have two for osgeo7 at the moment. secure has an IP just for the LDAP port. We could use the same IP for Gitea, I suppose, and expose port 22 on it like we have on download, just for SSH key access.

Looking at Gitea: aside from enabling SSH, it looks like we just need to specify the sshpubkey field (which it defaults to anyway).

Last edited 4 weeks ago by robe

comment:10 Changed 4 weeks ago by strk

Let's discuss Gitea in #2457
