
Our admins need the ability to be granular when it comes to selecting user keys for public-key authentication in the Tectia client. Is there a way to customize the broker profiles for this?

asked Jan 13 '11 at 15:09


SSH KB ♦


In many cases, SSH administrators need the ability to be granular when it comes to selecting user keys for public-key authentication. SSH Tectia provides several mechanisms to assign keys to specific profiles within the ssh-broker-config.xml configuration file.

The usage of the <key-stores> element provides a mechanism to maintain a global database of user keys within the system, as demonstrated in this example:

<key-stores>
  <key-store type="software" 
             init="key_files(/u/exa/keys/enigma.pub,/u/exa/keys/enigma)" />
  <key-store type="software" 
             init="key_files(/etc/my_key.pub,/etc/my_key)" />
</key-stores>

The <user-identities> element allows administrators to assign user keys to specific user profiles. These user profiles might be automated system accounts that perform scheduled file transfers, for example.

An example of using the <user-identities> element:

<user-identities>
  <identity identity-file="C:\mykey" />
  <identity file="$HOME/user/.ssh2/id_dsa_2048_a" />
  <identity file="C:\private_keys\id_dsa_2048_a" />
  <identity hash="#a8edd3845005931aaa658b5573609e7d31e23afd" />
</user-identities>

Here is an overall example showing how the <user-identities> element is used in the context of the <profile> element:

<profile name="rock"
         id="id1"
         host="rock.example.com"
         port="22"
         connect-on-startup="no"
         user="doct">

  <hostkey file="key_22_rock.pub">
  </hostkey>

  <authentication-methods>
    <authentication-method name="publickey" />
    <authentication-method name="password" />
  </authentication-methods>

  <user-identities>
    <identity file="$HOME/user/.ssh2/id_dsa_2048_a" />
  </user-identities>

  <server-banners visible="yes" />

  <forwards>
    <forward type="agent" state="on" />
    <forward type="x11" state="on" />
  </forwards>

  <tunnels>
    <local-tunnel type="tcp"
                  listen-port="143"
                  dst-host="imap.example.com"
                  dst-port="143"
                  allow-relay="no" />
  </tunnels>

  <remote-environment>
    <environment name="FOO" value="bar" />
    <environment name="QUX" value="%Ubaz" format="yes" />
  </remote-environment>

</profile>

You can specify global key stores in the global ssh-broker-config.xml file for them to be available for all users - however, users have the ability to customize key store access points based on the individual user configurations and the profiles they define also.


answered Jan 13 '11 at 15:13


SSH KB ♦
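A small audit script, added here as an example and not part of the answer above or of Tectia itself, that parses the <key-stores> and <user-identities> fragments described in the answer and flags referenced private keys that are missing or readable by group/others. The <secsh-broker> root element, the temp-directory key paths and the key names are constructed for the demo.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

KEY_FILES_RE = re.compile(r"key_files\(\s*([^,)]+)\s*,\s*([^)]+?)\s*\)")  # init="key_files(pub,priv)"


def referenced_private_keys(xml_text):
    """Collect (origin, private key path) from <key-stores> and every <user-identities>."""
    root = ET.fromstring(xml_text)
    keys = []
    for store in root.iter("key-store"):
        match = KEY_FILES_RE.search(store.get("init", ""))
        if store.get("type") == "software" and match:
            keys.append(("key-store", match.group(2)))
    for ident in root.iter("identity"):
        path = ident.get("file") or ident.get("identity-file")
        if path:  # hash= entries name no file on disk, so nothing to check here
            keys.append(("user-identities", path))
    return keys


def audit_keys(xml_text, home):
    """Flag referenced private keys that are missing or group/world readable (POSIX modes)."""
    findings = []
    for origin, path in referenced_private_keys(xml_text):
        path = path.replace("$HOME", home)
        if not os.path.exists(path):
            findings.append((origin, path, "missing"))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((origin, path, "lax-permissions"))
    return findings


def demo():
    # Constructed config plus two throwaway key pairs in a temp dir; all paths are made up.
    workdir = tempfile.mkdtemp()
    tight, lax = os.path.join(workdir, "enigma"), os.path.join(workdir, "batch_key")
    for name in (tight, tight + ".pub", lax, lax + ".pub"):
        open(name, "w").close()
    os.chmod(tight, 0o600)
    os.chmod(lax, 0o644)  # group/world readable private key: should be flagged
    config = f"""<secsh-broker><key-stores>
  <key-store type="software" init="key_files({tight}.pub,{tight})" />
  <key-store type="software" init="key_files({lax}.pub,{lax})" />
</key-stores><profile name="rock" host="rock.example.com" user="doct">
  <user-identities><identity file="$HOME/.ssh2/id_dsa_2048_a" /></user-identities>
</profile></secsh-broker>"""
    return audit_keys(config, workdir)
```

Running demo() reports the 0644 key-store key as lax-permissions and the profile's $HOME identity as missing; the 0600 key passes silently.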

Seen: 3,085 times

Last updated: Mar 10 '11 at 17:22
