
9.3. Managing Public SSH Keys for Users


OpenSSH uses public-private key pairs to authenticate users. A user attempts to access some network resource and presents its key pair. The first time the user authenticates, the administrator on the target machine has to approve the request manually. The machine then stores the user's public key in an authorized_keys file. Any time that the user attempts to access the resource again, the machine simply checks its authorized_keys file and then grants access automatically to approved users.
There are a couple of problems with this system:
  • SSH keys have to be distributed manually and separately to all machines in an environment.
  • Administrators have to approve user keys to add them to the configuration, but it is difficult to verify either the user or key issuer properly, which can create security problems.
On Red Hat Enterprise Linux, the System Security Services Daemon (SSSD) can be configured to cache and retrieve user SSH keys so that applications and services only have to look in one location for user keys. Because SSSD can use Identity Management as one of its identity information providers, Identity Management provides a universal and centralized repository of keys. Administrators do not need to worry about distributing, updating, or verifying user SSH keys.

9.3.1. About the SSH Key Format

When keys are uploaded to the IdM entry, the key format can be either an OpenSSH-style key or a raw RFC 4253-style blob. Any RFC 4253-style key is automatically converted into an OpenSSH-style key before it is imported and saved into the IdM LDAP server.
The IdM server can identify the type of key, such as an RSA or DSA key, from the uploaded key blob. However, in a key file such as id_rsa.pub, a key entry is identified by its type, then the key itself, and then an additional comment or identifier. For example, for an RSA key associated with a specific hostname:
"ssh-rsa ABCD1234...== ipaclient.example.com"
All three parts from the key file can be uploaded to and viewed for the user entry, or only the key itself can be uploaded.
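As an added example that is not part of the Red Hat documentation or of the IdM code base, the following Python script shows the two key formats described above in practice. It accepts either an OpenSSH-style entry ("type key== comment") or a raw RFC 4253 base64 blob, reads the algorithm name that the blob itself carries (which is what makes it possible to determine the key type from the blob alone), normalizes both forms to an OpenSSH-style entry, rejects an entry whose declared type disagrees with the blob or whose blob is truncated, and computes the fingerprints in both styles that ssh-keygen prints (the colon-separated MD5 form shown in the ssh-keygen output above, and the SHA256 form). The key bytes, the sample entry and every function name are constructed for this example.

```python
import base64
import hashlib
import struct

# Constructed sample key material for this example: 32 arbitrary bytes standing in
# for an Ed25519 public key. It is not a real key and was never generated by ssh-keygen.
SAMPLE_PUBKEY_BYTES = bytes(range(32))


def rfc4253_string(data: bytes) -> bytes:
    """Encode bytes as an RFC 4253 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_blob(key_type: str, *fields: bytes) -> bytes:
    """Build an RFC 4253 public-key blob: the algorithm name string, then each key field."""
    blob = rfc4253_string(key_type.encode("ascii"))
    for field in fields:
        blob += rfc4253_string(field)
    return blob


def read_rfc4253_string(blob: bytes, offset: int = 0) -> "tuple[bytes, int]":
    """Read one length-prefixed field, returning (value, offset after it); rejects truncation."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob: missing length prefix")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob: field runs past end of data")
    return blob[offset:offset + length], offset + length


def blob_key_type(blob: bytes) -> str:
    """The first string in an RFC 4253 public-key blob names the algorithm (ssh-rsa, ssh-ed25519, ...)."""
    name, _ = read_rfc4253_string(blob)
    return name.decode("ascii")


def fingerprints(blob: bytes) -> dict:
    """Both fingerprint styles ssh-keygen prints: legacy colon-separated MD5 and SHA256 base64."""
    md5_hex = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    return {
        "MD5": ":".join(md5_hex[i:i + 2] for i in range(0, len(md5_hex), 2)),
        "SHA256": "SHA256:" + sha,
    }


def normalize_key(entry: str) -> dict:
    """Accept an OpenSSH-style entry ('type base64-blob [comment]') or a raw base64
    RFC 4253 blob, and return it in OpenSSH form with the type taken from the blob.
    An entry whose declared type disagrees with the blob is rejected."""
    parts = entry.strip().split(None, 2)
    if not parts:
        raise ValueError("empty key entry")
    declared = None
    if parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        if len(parts) < 2:
            raise ValueError("key type given without key data")
        declared, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) > 2 else ""
    else:
        # Raw blob: base64 never contains '-', so this branch cannot be an OpenSSH type field.
        b64, comment = parts[0], " ".join(parts[1:])
    blob = base64.b64decode(b64, validate=True)  # raises on non-base64 characters
    key_type = blob_key_type(blob)
    if declared is not None and declared != key_type:
        raise ValueError(f"declared type {declared!r} does not match blob type {key_type!r}")
    canonical_b64 = base64.b64encode(blob).decode("ascii")
    return {
        "type": key_type,
        "key": canonical_b64,
        "comment": comment,
        "openssh": " ".join(p for p in (key_type, canonical_b64, comment) if p),
        "fingerprint": fingerprints(blob),
    }


# Constructed sample entry in the same three-part form as the id_rsa.pub line on the page.
SAMPLE_BLOB_B64 = base64.b64encode(build_blob("ssh-ed25519", SAMPLE_PUBKEY_BYTES)).decode("ascii")
SAMPLE_ENTRY = f"ssh-ed25519 {SAMPLE_BLOB_B64} jsmith@example.com"

if __name__ == "__main__":
    for entry in (SAMPLE_ENTRY, SAMPLE_BLOB_B64):
        result = normalize_key(entry)
        print(result["openssh"])
        print("  ", result["fingerprint"]["MD5"], result["fingerprint"]["SHA256"])
```

Running the script normalizes the raw blob to the same "ssh-ed25519 key==" form that IdM stores, which is why a bare blob and the full three-part entry upload to the same key. Checking the blob's own algorithm name against the declared type is a cheap sanity check to run on a key before uploading it, since a mismatched or truncated entry is rejected here rather than stored.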

9.3.2. Uploading User SSH Keys Through the Web UI

  1. Generate a user key. For example, using the OpenSSH tools:
    [jsmith@server ~]$ ssh-keygen -t rsa -C jsmith@example.com
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):
    Created directory '/home/jsmith/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/jsmith/.ssh/id_rsa.
    Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
    The key fingerprint is:
    a5:fd:ac:d3:9b:39:29:d0:ab:0e:9a:44:d1:78:9c:f2 jsmith@example.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    |                 |
    |     + .         |
    |    + =   .      |
    |     =   +       |
    |    . E S..      |
    |   .    . .o     |
    |    . .  . oo.   |
    |   . o .  +.+o   |
    |    o  .o..o+o   |
    +-----------------+
  2. Copy the public key from the key file. The full key entry has the form type key== comment. Only the key== is required, but the entire entry can be stored.
    [jsmith@server ~]$ cat /home/jsmith/.ssh/id_rsa.pub
    ssh-rsa AAAAB3NzaC1yc2E...tJG1PK2Mq++wQ== jsmith@example.com
  3. Open the Identity tab, and select the Users subtab.
  4. Click the name of the user to edit.
  5. In the Account Settings area of the Settings tab, click the SSH public keys: Add link.
  6. Click the Add link by the SSH public keys field.
  7. Paste in the public key for the user, and click the Set button.
    The SSH public keys field now shows New: key set. Clicking the Show/Set key link opens the submitted key.
  8. To upload multiple keys, click the Add link below the list of public keys, and upload the other keys.
  9. When all the keys have been submitted, click the Update link at the top of the user's page to save the changes.
When the public key is saved, the entry is displayed as the key fingerprint, the comment (if one was included), and the key type[2].
Figure 9.1. Saved Public Key

After uploading the user keys, configure SSSD to use Identity Management as one of its identity domains and set up OpenSSH to use SSSD for managing user keys. This is covered in the Deployment Guide.

9.3.3. Uploading User SSH Keys Through the Command Line

The --sshpubkey option uploads the base64-encoded public key to the user entry. For example:
[jsmith@server ~]$ ipa user-mod jsmith --sshpubkey="ssh-rsa 12345abcde= ipaclient.example.com"
With a real key, the key is longer and usually ends with an equals sign (=).
To upload multiple keys, pass a comma-separated list of keys with a single --sshpubkey option:
--sshpubkey="12345abcde==,key2==,key3=="
After uploading the user keys, configure SSSD to use Identity Management as one of its identity domains and set up OpenSSH to use SSSD for managing user keys. This is covered in the Red Hat Enterprise Linux Deployment Guide.

9.3.4. Deleting User Keys

  1. Open the Identity tab, and select the Users subtab.
  2. Click the name of the user to edit.
  3. Open the Account Settings area of the Settings tab.
  4. Click the Delete link by the fingerprint of the key to remove.
  5. Click the Update link at the top of the user's page to save the changes.
The command-line tools can be used to remove all keys. This is done by running ipa user-mod with the --sshpubkey= set to a blank value; this removes all public keys for the user. For example:
[jsmith@server ~]$ kinit admin
[jsmith@server ~]$ ipa user-mod --sshpubkey= jsmith


[2] The key type is determined automatically from the key itself, if it is not included in the uploaded key.