Yeah... coming at this from the standpoint of a heavily invested Saltstack user, I really don't see the reason for this to exist. It removes all the other cool things SSH does besides just giving you a shell, with a much, much worse user experience.
Can you elaborate on the CA signing with OpenSSH? You have a CA verify keys with metadata and then use LDAP to verify that metadata? It sounds very interesting.
Openssh supports certificates and signing of keys, with expiry. Couple that with LDAP for account management, and you shouldn't need to manually add keys to any servers.
LDAP management on non-Windows systems is like stepping back 30 years.. last I checked, there wasn't even a supported UI for directory operations (typing DN's by hand is for the birds!)
Windows AD in all its subtle brokenness is a great deal easier to use.
> LDAP management on non-Windows systems is like stepping back 30 years.
How so? And managing which components -- the directory server or the clients?
> there wasn't even a supported UI for directory operations
What directory operations? add/mod/del? There are quite a few packages that handle that. Or are you talking about operations on the server side?
> typing DN's by hand is for the birds!
I concur. Though, it's pretty rare to type in a DN anywhere. I can't think of many places where a simple RDN or search filter on a unique value (uid, mail, etc.) doesn't suffice.
Both. Again, I may be coming from a standpoint of ignorance here, but setting up a Linux client requires manual mucking about with PAM and its associated config files, with different steps required for every major distro.
Same with the server side - there's no good equivalent to the Windows' "Active Directory Users & Computers". Plenty of good command line tools, but I don't think those are that useful when reasoning about a "tree" structure used in LDAP.
We never standardized a viable schema that covered the majority of real-world enterprise use-cases. Active Directory did. We got stuck with the broken rfc2307 (essentially NIS-in-LDAP), and the slightly better but abandoned rfc2307bis.
Without a standardized schema, every management tool out there had to either expose LDAP directly, or provide a limited subset of operations supportable across random schema.
We could solve this issue with a new RFC defining a modern standard server schema, including things like sshPublicKey, but I don't know if there's any UNIX/Linux vendor still alive that would invest in doing so.
I've never managed an LDAP server from the command line on Linux.
As for PAM, I did a PAM LDAP config once about 8 years ago, and have never needed to make a change since. Since then it's been a matter of a few config files that are part of the standard config we deploy automatically to new systems. It's not exactly particularly much effort.
We actually offer a pretty robust LDAP/AD integration on Userify, but I still recommend against it, especially since it's not just painful but adding LDAP/AD decreases overall security. I used to like LDAP in the early 00's, but now I just think it's anything but lightweight.. as well as insecure and obsolete.
Using a 3rd-party cloud-based service to manage server authentication, SSH keys, et al, seems insanely insecure however -- especially when your alternative is simply running LDAP locally.
0. I believe that both LDAP and AD have complex models (well, arguably less complex than Vines/NDS/x.500/etc if you go back that far) and they're certainly more secure than NIS/NIS+ based on historical vulns, but I find it hard to argue that they're 'secure' based on their long and sordid history of vulns ( https://www.cvedetails.com/vulnerability-list/vendor_id-439/... )
0a. and, well, I wouldn't want to connect boxes to LDAP because I prefer to log into my boxes, even when LDAP is unavailable, the VPN is down, etc. but, nscd et al.. caching doesn't work either on an autoscaled box in the cloud, nor would I want to expose my enterprise directory infrastructure to my VPC. I also don't want to introduce a new PAM and NSS configuration on every single box (with separate layering for different boxes into different projects etc) and introduce yet another avenue for mistakes and compromise... was that required, requisite, or optional? Ergo, obsolete. :) (imo)
1. (btw, We don't do server authentication. That is a key difference between a directory and Userify. We only distribute keys. The servers themselves authenticate their own users with Userify just like with the traditional model, whereas with a directory the LDAP/AD server itself performs every authentication.)
2. We also recommend purchasing and running Userify Enterprise locked down locally to your VPC/LAN, and our larger customers tend to prefer that as well (especially when connected to LDAP w/ the same disconnected model we designed into our core product). We also offer a free cloud-based edition for unlimited use because we're nice like that.
But, seriously, people who are happy with their current solution should probably stick with it. I don't expect to convince you to take another look, and I do agree that there are good arguments to be made that LDAP/AD is neither insecure nor obsolete. I just disagree with (most of) those arguments. ;)
note:
AD/LDAP connectivity in Userify: you can still authenticate natively via LDAP/AD, while Userify provides a user-friendly dashboard for key management for your teams. A particularly cool demo: remove or disable an account in Windows AD and seconds later watch all of the SSH sessions on all of the servers in all of the projects terminate. It's very slick.. and that's another thing that LDAP/AD directory authenticated solutions can't do.
0) it's enormous: both as an implemented application and as a protocol and specification. Complexity is the enemy of security.
1) it widens your network footprint and isn't hardened against modern attacks (all LDAP directories that I'm aware of also have a regrettable history a la bugtraq/cert). (even without bringing krb5 into the picture)
2) it is complex and allows schema/ACL changes to expose attributes in non-obvious ways
3) no commercially available LDAP implementation natively encrypts all data
5) A centrally managed directory represents a very rich target for the secrets it contains
6) particularly when used as an authentication backend, it also presents a nice DoS target. (I have personal experience from a previous life..) :(
7) An LDAP server exposed to a LAN is rapidly (today) approaching being exposed to the Internet as VPN connections join multiple clouds and formerly internal datacenters, for anything but the tiniest of network footprints.
Obviously many of these concerns can be somewhat mitigated but my strong personal opinion is that the size and complexity of LDAP makes it its own worst enemy. With that said, there's no real replacement for it, right?
With regards to things like SSO and SAML2, oauth (which also has its own share of problems due to the same problems of size and complexity) is beginning to make the need for an enterprise-wide directory moot, but this will obviously take time.
Not to mention - implementation to integrate with something like FreeIPA or similar is just unmitigated pain, both up front (i.e., if you want to run it somewhere like AWS without control over reverse DNS) or on each node (I've written PAM modules before and I still think making PAM changes is a big pain and not without significant risk.)
Additionally OpenSSH supports CA signing of public keys with user metadata, which I've found to pair nicely with LDAP.