#2116 closed task (fixed)
Add support for registering public user SSH keys in LDAP
| Reported by: | strk | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Sysadmin Contract 2020-I |
| Component: | SysAdmin | Keywords: | ldap |
| Cc: | | | |
Description
For better security, it would be useful to let OSGeo members register their public key within the LDAP database; those keys could then be accepted for logging into services.
Change History (11)
comment:1 by , 5 years ago
Milestone: | → Sysadmin Contract 2019-II |
---|
comment:2 by , 5 years ago
Milestone: | Sysadmin Contract 2019-II → Sysadmin Contract 2020-I |
---|
comment:3 by , 4 years ago
comment:4 by , 4 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Okay made the same change on download and deleted my .ssh folder to confirm it works.
I've updated the instructions here
comment:5 by , 4 years ago
Cool! Can users have multiple SSH keys? As I know for sure I use multiple devices each with a different ssh key...
comment:6 by , 4 years ago
I read it's possible but not sure how it's done. Maybe it's as simple as pasting multiple keys in the SSH Public Key field.
comment:7 by , 4 years ago
It should be tested, and if it works, advertised in the form as a possibility.
comment:8 by , 4 years ago
I've tested: you can store multiple ssh keys in that form. I've updated it accordingly. Great! Now on to use it from Gitea!
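For the multi-key case discussed in the comments above, here is one way a consumer of the SSH Public Key field could check each pasted line before treating it as an authorized key. This is an added example, not part of the ticket or of OSGeo's setup. It assumes one key per line in the field; `split_keys`, `ALLOWED_TYPES` and the sample values are hypothetical and constructed.

```python
import base64
import struct

# Key types accepted here are an assumption of this example; set them per local policy.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def blob_key_type(blob: bytes) -> str:
    """Return the algorithm name stored as the first length-prefixed string in a key blob."""
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad length prefix in key blob")
    return blob[4:4 + n].decode("ascii")

def split_keys(field: str):
    """Split a multi-key field value into (accepted lines, [(rejected prefix, reason)])."""
    accepted, rejected = [], []
    for raw in field.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 2)
        try:
            # Refuse anything that does not start with a key type (options, private keys).
            if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
                raise ValueError("line does not start with an allowed key type")
            blob = base64.b64decode(parts[1], validate=True)
            if blob_key_type(blob) != parts[0]:
                raise ValueError("declared type does not match key blob")
        except ValueError as exc:  # also covers binascii.Error and UnicodeDecodeError
            rejected.append((line[:30], str(exc)))
            continue
        accepted.append(f"{parts[0]} {parts[1]}")  # re-emit type and blob only
    return accepted, rejected

def constructed_line(declared: str, embedded: str, fill: int) -> str:
    """Build a well-formed sample line. Constructed test data, not a usable key."""
    blob = struct.pack(">I", len(embedded)) + embedded.encode() + struct.pack(">I", 32) + bytes([fill]) * 32
    return f"{declared} {base64.b64encode(blob).decode()} sample"

# Constructed field value: two well-formed entries and three that must be refused.
SAMPLE_FIELD = "\n".join([
    constructed_line("ssh-ed25519", "ssh-ed25519", 1),
    constructed_line("ssh-ed25519", "ssh-ed25519", 2),
    "no-pty " + constructed_line("ssh-ed25519", "ssh-ed25519", 3),
    constructed_line("ssh-rsa", "ssh-ed25519", 4),
    "-----BEGIN OPENSSH PRIVATE KEY-----",
])
```

The check is structural only: it confirms each line is a key of the declared type and does not verify the key material itself.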
comment:9 by , 4 years ago
strk if you really want to use the port 22 we could allocate a separate IP for trac. We have two for osgeo at the moment. secure has an ip just for use for the ldap port. We could use the same ip for gitea I suppose and expose the port 22 on it like we have on download just for ssh key access.
Looking at gitea - aside from enabling the ssh, looks like we just need to specify the sshpubkey field (which it defaults anyway)
comment:11 by , 4 years ago
Please see #2542 for a followup of this work (we might be doing it wrong)
Okay I've changed our ldap to support installing keys
and changed the edit page here:
https://id.osgeo.org/ldap/edit
So you can put in your public key.
Right now I only have hop.osgeo4.osgeo.org and hop.osgeo3.osgeo.org set up to read the keys from ldap for ssh.
Going to do that next on download.osgeo.org (aka hop.osgeo7.osgeo.org)
Once that is in place, the new steps for people to be able to ssh into download will be:
https://id.osgeo.org/ldap/edit
and paste your public key in there.