I am trying to set up SSH on some client hosts such that all users can be authenticated from our common Radius server and single sign-on is provided.

SSH today provides the SSH-Agent. The SSH-Agent holds a user's private keys and these must be added manually for each session. There are two drawbacks that I would like to get around:

* The private keys must be added manually on each session to the ssh-agent using ssh-add.
* The private keys must be made available locally on each client host a particular user is potentially using.

I wonder if there is a solution where the user authenticates once to e.g. the ssh-agent using the Radius server. The ssh-agent then maintains the user's credentials in memory for all subsequent SSH usage. At the end of the login session the ssh-agent is terminated, and thus the user's credentials are deleted.

An even better solution would be to do authentication only once during login and to transmit the user credentials from login (also using Radius in our case) to an ssh-agent. I understand that pam_ssh already does this part but still relies on locally stored private keys. Is there a way to get rid of these and use e.g. the Radius server instead? This could be done either by obtaining the private keys from the Radius server or just use user id and password to authenticate to the sshd (without private/public keys).

Regards,
Andreas Lemke
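The second option raised in the message, authenticating to sshd with user id and password checked against the Radius server instead of with key pairs, is normally done by routing sshd's password check through PAM and a Radius PAM module. The fragment below is an added illustration, not from the original post or from any of the projects mentioned; it assumes OpenSSH with PAM support, the pam_radius_auth module, and a Radius server whose address and shared secret are placeholders here.

```text
# /etc/ssh/sshd_config (assumed OpenSSH with PAM support)
UsePAM yes
# Let PAM do the password prompt via keyboard-interactive rather than
# sshd's internal password check, so the Radius module is consulted.
ChallengeResponseAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes

# /etc/pam.d/sshd (assumed pam_radius_auth module installed)
# "sufficient": a Radius accept finishes authentication; a reject falls
# through to the next line instead of granting access.
auth    sufficient  pam_radius_auth.so
auth    required    pam_unix.so
account required    pam_unix.so
session required    pam_unix.so

# /etc/raddb/server (pam_radius_auth server list; values are placeholders)
# server[:port]            shared_secret      timeout (seconds)
radius.example.invalid     CHANGE-ME-SECRET   3
```

With this in place a user who logs in to a client host with a Radius-verified password can reach sshd on the same terms, and no private key has to be distributed to the client hosts at all; ssh-agent simply stays out of the picture. What this does not give is the "agent holds a credential for later hops" behaviour from the message: Radius issues an accept or reject per request, it does not hand out private keys, so each hop still prompts unless something like Kerberos/GSSAPI is layered on top. The raddb file contains a shared secret and should be readable by root only.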