comanage-users - Re: [comanage-users] Challenges with SSH public keys

Subject: COmanage Users List

  • From: "Kevin M. Hildebrand" <>
  • To: Benn Oshrin <>
  • Cc:
  • Subject: Re: [comanage-users] Challenges with SSH public keys
  • Date: Mon, 10 Apr 2017 08:55:17 -0400

Ok, thanks.  For the time being I modified the schema to make the SSH key an optional component.
One other observation of note that is likely related: when removing an SSH key (by clicking the 'Delete' button next to it on co_people/canvas/XX) the key is not being correctly removed from LDAP.  The LDAP modify operation that's sent to the LDAP server updates all of the rest of the attributes, but doesn't include the sshPublicKey attribute.
I guess in this case one would also have to remove the ldapPublicKey object class, since it's dependent on sshPublicKey.  Yuck.

Kevin

On Sat, Apr 8, 2017 at 9:13 AM, Benn Oshrin <> wrote:
Hi Kevin,

This is a known issue:

 https://bugs.internet2.edu/jira/browse/CO-1397

We're hoping to get this fixed in the patch release (2.0.1) after the
new feature release (2.0.0) due out in the next couple of days.

There is also an RFE for handling SSH keys as part of enrollment, though
that wouldn't really solve the issue as you point out.

 https://bugs.internet2.edu/jira/browse/CO-1087

Thanks,

-Benn-

On 4/7/17 10:58 AM, Kevin M. Hildebrand wrote:
> I'm using self-signup, LDAP provisioning, and also trying to manage SSH
> public keys.  The problem that I'm having is that the ldapPublicKey
> object class lists sshPublicKey as a required attribute.  So if I enable
> the ldapPublicKey object class in my LDAP provisioner settings, the
> provisioning of new users will fail since there's no way for them to
> initially provide their public key during enrollment.
>
> Any thoughts on how to deal with this?
> 1) modify the LDAP schema to make sshPublicKey optional
> 2) modify the LDAP provisioner to not include the ldapPublicKey object
> class if there are no SSH keys defined
> 3) modify the enrollment process to allow upload of SSH keys during sign up
>
> It seems to me that even if (3) occurs, there may still be times where
> some users might not have SSH keys defined while others do.
>
> Thanks,
> Kevin
>
> --
> Kevin Hildebrand
> University of Maryland, College Park
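
Because the thread describes sshPublicKey as required by the ldapPublicKey object class, a provisioner has to add or drop the two together in one LDAP modify, both for new people with no key and when the last key is deleted. The sketch below is an added example of that decision logic; it is not COmanage code or part of the thread, and the function name, tuple format and sample entries are assumptions constructed for illustration.

```python
SSH_ATTR = "sshPublicKey"
SSH_OC = "ldapPublicKey"  # per the thread, this object class requires sshPublicKey


def plan_ssh_key_mods(current, desired_keys):
    """Return (op, attribute, values) tuples for a single LDAP modify.

    current      -- entry as it exists in LDAP: attribute name -> list of values
    desired_keys -- SSH public keys the person should have after the change
    """
    have_keys = set(current.get(SSH_ATTR, []))
    want_keys = set(desired_keys)
    # objectClass values compare case-insensitively in LDAP
    has_oc = SSH_OC.lower() in {oc.lower() for oc in current.get("objectClass", [])}
    mods = []
    if want_keys:
        # At least one key: the object class must be present alongside it.
        if not has_oc:
            mods.append(("add", "objectClass", [SSH_OC]))
        if want_keys != have_keys:
            mods.append(("replace", SSH_ATTR, sorted(want_keys)))
    else:
        # No keys: delete the whole attribute (empty value list) and the
        # object class that depends on it, so no stale key stays in LDAP.
        if have_keys:
            mods.append(("delete", SSH_ATTR, []))
        if has_oc:
            mods.append(("delete", "objectClass", [SSH_OC]))
    return mods


if __name__ == "__main__":
    # Constructed sample entries, not taken from a real directory.
    key = "ssh-ed25519 AAAAC3constructedexamplekey user@example.org"
    new_person = {"objectClass": ["person", "inetOrgPerson"]}
    with_key = {"objectClass": ["person", "ldapPublicKey"], SSH_ATTR: [key]}
    print("enrollment, no key :", plan_ssh_key_mods(new_person, []))
    print("first key uploaded :", plan_ssh_key_mods(new_person, [key]))
    print("last key deleted   :", plan_ssh_key_mods(with_key, []))
```

The tuples map directly onto the add/replace/delete changes of an LDAP modify request; since a server checks the schema after applying all changes in one request, sending both changes together avoids the object class violation in either direction.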



