Chapter 48. Managing public SSH keys for users and hosts


SSH (Secure Shell) is a protocol which provides secure communications between two systems using a client-server architecture. SSH allows users to log in to server host systems remotely and also allows one host machine to access another machine.

48.1. About the SSH key format

IdM accepts the following two SSH key formats:

  • OpenSSH-style key
  • Raw RFC 4253-style key

Note that IdM automatically converts RFC 4253-style keys into OpenSSH-style keys before saving them into the IdM LDAP server.

The IdM server can identify the type of key, such as an RSA or DSA key, from the uploaded key blob. In a key file such as ~/.ssh/known_hosts, a key entry is identified by the hostname and IP address of the server, its type, and the key. For example:

host.example.com,1.2.3.4 ssh-rsa AAA...ZZZ==

This is different from a user public key entry, which has the elements in the order type key== comment:

"ssh-rsa ABCD1234...== ipaclient.example.com"

A key file, such as id_rsa.pub, consists of three parts: the key type, the key, and an additional comment or identifier. When uploading a key to IdM, you can upload all three key parts or only the key. If you only upload the key, IdM automatically identifies the key type, such as RSA or DSA, from the uploaded key.

If you use the host public key entry from the ~/.ssh/known_hosts file, you must reorder it to match the format of a user key, type key== comment:

ssh-rsa AAA...ZZZ== host.example.com,1.2.3.4

IdM can determine the key type automatically from the content of the public key. The comment is optional and only makes individual keys easier to identify. The only required element is the public key blob.
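The key type can be read from the key alone because an RFC 4253 key blob begins with a length-prefixed algorithm name. The following added example (not IdM code) reads that name and reorders a known_hosts entry into the user-key order, rejecting entries whose declared type disagrees with the blob; the function names and the sample blob are constructed for illustration.

```python
import base64
import struct

def ssh_string(data: bytes) -> bytes:
    """RFC 4253 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample blob (not a usable key): type name, exponent, dummy modulus.
SAMPLE_BLOB = base64.b64encode(
    ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xab" * 16)
).decode("ascii")

def key_type_from_blob(b64_blob: str) -> str:
    """Return the algorithm name stored in the first field of the key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short for a length prefix")
    (name_len,) = struct.unpack(">I", raw[:4])
    if name_len == 0 or 4 + name_len > len(raw):
        raise ValueError("length prefix does not fit the blob")
    return raw[4:4 + name_len].decode("ascii")

def known_hosts_to_user_format(entry: str) -> str:
    """Reorder 'hosts type key' into 'type key hosts' after checking the type."""
    fields = entry.split()
    # Comment lines and @cert-authority/@revoked marker lines are not plain host keys.
    if len(fields) < 3 or fields[0].startswith(("#", "@")):
        raise ValueError("expected a plain 'hosts type key' entry")
    hosts, declared, blob = fields[:3]
    embedded = key_type_from_blob(blob)
    if embedded != declared:
        raise ValueError(f"declared type {declared!r} but blob says {embedded!r}")
    return f"{declared} {blob} {hosts}"

if __name__ == "__main__":
    print(known_hosts_to_user_format(f"host.example.com,1.2.3.4 ssh-rsa {SAMPLE_BLOB}"))
```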

IdM uses public keys stored in the following OpenSSH-style files:

  • Host public keys are in the known_hosts file.
  • User public keys are in the authorized_keys file.