| > but I find it hard to argue that they're 'secure' based on their long and sordid history of vulns The big difference here is that vs. a third party setup, my LDAP setup is running entirely behind our firewalls and not reachable from outside a suitably encrypted VPN. It's certainly possible to do stupid stuff with it. > 0a. and, well, I wouldn't want to connect boxes to LDAP because I prefer to log into my boxes, even when LDAP is unavailable, the VPN is down, etc. This is only an issue if you don't ensure you have at least one account that is present locally on the box that you can authenticate against. With what I suggested - LDAP for user info, OpenSSH certificates for authentication and authorisation, any user that can be looked up locally on the box can be logged into (with the caveat that you then need to explicitly revoke keys for those users) even when LDAP is down, giving you an easy out. But making LDAP quite resilient to outages is easy, by replicating it and specifying more than one server to connect to. For that matter, slapd is lightweight enough that you could run replicas on most servers if this is actually a problem (it's never been for me). > nor would I want to expose my enterprise directory infrastructure to my VPC. Why would you need to? Filtering what you replicate is easy enough. > 1. (btw, We don't do server authentication. That is a key difference between a directory and Userify. We only distribute keys. The servers themselves authenticate their own users with Userify just like with the traditional model, whereas with a directory the LDAP/AD server itself performs every authentication.) This is only true if you want it to be. It is not true if you use OpenSSH certificates for the authentication. > A particularly cool demo: remove or disable an account in Windows AD and seconds later watch all of the SSH sessions on all of the servers in all of the projects terminate. It's very slick.. and that's another thing that LDAP/AD directory authenticated solutions can't do. That's got nothing to do with LDAP, and everything to do whether a specific application supports periodically checking whether or not a user or key is still authorised, or not. LDAP is just a replicated data store. Some applications do, some don't. For my part it's not generally an issue because their VPN key will get revoked and will immediately stop working, at which point all other connections will fail and time out whether or not individual applications pick up that the keys have been revoked and the user removed. If you insist on doing this at the level of individual ssh connections, it's not particularly hard to force connections through a command that will periodically check that the key is still authorised. I don't doubt that you have a slick solution, and I'm sure it'll be great for some. I don't particularly like LDAP. But for me at least, trusting this to a third party - even though it sounds like you're doing a lot of things the right way - is something I'd be extremely reluctant to, while LDAP is proven and despite various warts and problems, it's well understood and well supported by most applications we use. |