
comanage-users - Re: [comanage-users] Challenges with SSH public keys

Subject: COmanage Users List

  • From: Benn Oshrin
  • To: "Kevin M. Hildebrand"
  • Subject: Re: [comanage-users] Challenges with SSH public keys
  • Date: Thu, 13 Apr 2017 19:24:56 -0500

I've pushed commit 67b60623f5 to the branch "hotfix-2.0.x" if you'd like
to test it out. (It'll probably be a few weeks before we see a 2.0.1
release.)

Thanks,

-Benn-

On 4/10/17 5:16 PM, Benn Oshrin wrote:
> I've got a patch ready but can't get it committed until we're done with
> some source tree management as part of the 2.0.0 release. I'll update
> the ticket (which you can watch if you want to) once it's posted in case
> you want to try that out when it's available.
>
> Thanks,
>
> -Benn-
>
> On 4/10/17 7:55 AM, Kevin M. Hildebrand wrote:
>> Ok, thanks. For the time being I modified the schema to make the SSH
>> key an optional component.
>> One other observation of note that is likely related: when removing an
>> SSH key (by clicking the 'Delete' button next to it on co_people/canvas/XX)
>> the key is not being correctly removed from LDAP. The LDAP modify
>> operation that's sent to the LDAP server updates all of the rest of the
>> attributes, but doesn't include the sshPublicKey attribute.
>> I guess in this case one would also have to remove the ldapPublicKey
>> object class, since it's dependent on sshPublicKey. Yuck.
>>
>> Kevin
>>
>> On Sat, Apr 8, 2017 at 9:13 AM, Benn Oshrin wrote:
>>
>> Hi Kevin,
>>
>> This is a known issue:
>>
>> https://bugs.internet2.edu/jira/browse/CO-1397
>>
>> We're hoping to get this fixed in the patch release (2.0.1) after the
>> new feature release (2.0.0) due out in the next couple of days.
>>
>> There is also an RFE for handling SSH keys as part of enrollment, though
>> that wouldn't really solve the issue as you point out.
>>
>> https://bugs.internet2.edu/jira/browse/CO-1087
>>
>> Thanks,
>>
>> -Benn-
>>
>> On 4/7/17 10:58 AM, Kevin M. Hildebrand wrote:
>> > I'm using self-signup, LDAP provisioning, and also trying to manage SSH
>> > public keys. The problem that I'm having is that the ldapPublicKey
>> > object class lists sshPublicKey as a required attribute. So if I enable
>> > the ldapPublicKey object class in my LDAP provisioner settings, the
>> > provisioning of new users will fail since there's no way for them to
>> > initially provide their public key during enrollment.
>> >
>> > Any thoughts on how to deal with this?
>> > 1) modify the LDAP schema to make sshPublicKey optional
>> > 2) modify the LDAP provisioner to not include the ldapPublicKey object
>> > class if there are no SSH keys defined
>> > 3) modify the enrollment process to allow upload of SSH keys during sign up
>> >
>> > It seems to me that even if (3) occurs, there may still be times where
>> > some users might not have SSH keys defined while others do.
>> >
>> > Thanks,
>> > Kevin
>> >
>> > --
>> > Kevin Hildebrand
>> > University of Maryland, College Park
>>
>>

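Option (2) from the original question and the key-deletion case raised later in the thread come down to one rule: the ldapPublicKey object class and the sshPublicKey attribute must be added and removed together. The sketch below is an added illustration of that rule, not COmanage code and not the committed fix; the function names and the `(op, attribute, values)` tuple format are hypothetical and not tied to any LDAP library.

```python
AUX_CLASS = "ldapPublicKey"   # auxiliary class whose schema requires sshPublicKey
KEY_ATTR = "sshPublicKey"

def entry_object_classes(base_classes, ssh_keys):
    """Object classes for a NEW entry: include the auxiliary class only
    when at least one key exists, so provisioning without keys succeeds."""
    classes = list(base_classes)
    if any(k.strip() for k in ssh_keys):
        classes.append(AUX_CLASS)
    return classes

def plan_ssh_key_changes(current, desired_keys):
    """Modifications for an EXISTING entry, to be sent in one modify request.

    current: dict of attribute -> list of values read from the directory
    desired_keys: SSH public keys currently held for the person
    """
    have_class = any(v.lower() == AUX_CLASS.lower()
                     for v in current.get("objectClass", []))
    have_keys = list(current.get(KEY_ATTR, []))
    # Drop blanks and duplicates while keeping order.
    want_keys = list(dict.fromkeys(k.strip() for k in desired_keys if k.strip()))

    mods = []
    if want_keys:
        if not have_class:
            mods.append(("add", "objectClass", [AUX_CLASS]))
        if sorted(have_keys) != sorted(want_keys):
            mods.append(("replace", KEY_ATTR, want_keys))
    else:
        # Last key removed: delete the attribute AND the class that requires it.
        if have_keys:
            mods.append(("delete", KEY_ATTR, []))
        if have_class:
            mods.append(("delete", "objectClass", [AUX_CLASS]))
    return mods

# Constructed sample data (not a real key or a real directory entry).
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleOnly user@example"
SAMPLE_ENTRY = {
    "objectClass": ["inetOrgPerson", "posixAccount", "ldapPublicKey"],
    "sshPublicKey": [SAMPLE_KEY],
}

if __name__ == "__main__":
    print(plan_ssh_key_changes(SAMPLE_ENTRY, []))
```
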

