I have a question. We have some servers (both UCS-based and non-UCS-based “*inux” servers). Currently users have to log into each of these servers with a username/password combo; for UCS-based servers these are stored in UCS via LDAP, and for non-UCS-based servers they are stored locally. Management has mandated single sign-on for all users; for the most part this is already in place for our GUI-based and web-portal-based applications via UCS. However, we have a few applications that are SSH based, and management has mandated that SSH not use a username/password combo and must use SSH keys instead (except for console access, which is username/password based). Currently users have to generate their keys locally at their workstation, then log into each server and import their keys, then set up their client of choice to use the keys.
I would like to be able to have the user generate their keys at the UCS DC, then have the SSH keys dropped into their home directory for pickup by the user for use in the SSH client of their choice. The end goal is to have all the keys stored in a central location which is regularly backed up and replicated to other DCs in case of a DC failure.
We are not talking about certificates; we already have UCS generating user certificates for any application that needs them, and they are stored in the user’s home directory. We are specifically dealing with JUST SSH keys for SSH-based application access.
Our end goal will be to remove the use of local usernames/passwords/certificates and SSH keys on each different server, and move to a centrally managed framework for these authentication methods, either through AD, LDAP or central key repositories.
We will also need a method similar to this SSH key repository for generating IPSEC pre-shared keys. But that has not yet come down as a mandate, so I am not going to worry about that now.
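One common way to get the central, replicated SSH key store the post asks for is to keep each user's public keys as an attribute on their LDAP entry (the openssh-lpk convention uses an attribute named `sshPublicKey`) and have every server's sshd fetch them at login time via `AuthorizedKeysCommand`, so nothing has to be copied into per-server `authorized_keys` files. The script below is an added example written for this thread; it is not code from the original post and not part of UCS. It assumes an `ldapsearch` client on the server, a user entry found by `uid`, and placeholder values for the LDAP URI and base DN. Only public keys are stored centrally; private keys stay with the user. The script validates the username before it goes into an LDAP filter, unfolds LDIF continuation lines, and only passes well-formed keys of permitted types to sshd.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper: serve a user's SSH public keys from LDAP.

Added example for this thread (not from the original post, not UCS code).
Assumptions: the openssh-lpk style attribute `sshPublicKey` on the user's
entry, an `ldapsearch` binary on the server, and the placeholder URI/DN
below. Matching sshd_config lines (real OpenSSH options):

    AuthorizedKeysCommand /usr/local/sbin/ldap_authorized_keys %u
    AuthorizedKeysCommandUser nobody
    PasswordAuthentication no
"""
import base64
import re
import subprocess
import sys

LDAP_URI = "ldaps://ldap.example.invalid"    # placeholder, not from the post
BASE_DN = "cn=users,dc=example,dc=invalid"   # placeholder, not from the post
KEY_ATTR = "sshPublicKey"                    # openssh-lpk attribute name
ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-rsa"}

# sshd passes %u verbatim; a strict POSIX-style username pattern keeps
# LDAP filter metacharacters out of the search filter.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def parse_ldif_keys(ldif_text, attr=KEY_ATTR):
    """Return all values of `attr` from LDIF output.

    Handles the two LDIF features ldapsearch actually emits: folded lines
    (continuation lines start with one space) and base64 values (`attr:: `).
    """
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    values = []
    for line in unfolded:
        if line.startswith(attr + ":: "):
            raw = base64.b64decode(line[len(attr) + 3:])
            values.append(raw.decode("utf-8", "replace"))
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:])
    return values


def validate_key(line):
    """Return a clean 'type blob [comment]' line, or None if malformed.

    Rejects unknown key types, non-base64 blobs, and blobs whose embedded
    wire-format type string does not match the declared type.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    ktype, blob = parts[0], parts[1]
    if ktype not in ALLOWED_TYPES:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 4:
        return None
    n = int.from_bytes(raw[:4], "big")      # wire format: uint32 len + type
    if raw[4:4 + n].decode("ascii", "replace") != ktype:
        return None
    comment = parts[2] if len(parts) == 3 else ""
    # One attribute value must yield exactly one authorized_keys line.
    comment = comment.replace("\r", " ").replace("\n", " ")
    return f"{ktype} {blob} {comment}".rstrip()


def authorized_keys(username, ldif_text):
    """Filter LDIF search output down to the lines sshd may consume."""
    if not USERNAME_RE.match(username):
        return []
    out = []
    for value in parse_ldif_keys(ldif_text):
        key = validate_key(value)
        if key:
            out.append(key)
    return out


def fetch_ldif(username):
    """Run ldapsearch for the user's entry; username is pre-validated."""
    cmd = ["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-b", BASE_DN,
           f"(uid={username})", KEY_ATTR]
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=True, timeout=5).stdout


# Constructed sample data so the parsing logic can be exercised offline:
# a format-valid ed25519 blob (not a real key) plus two values sshd must
# never see.
SAMPLE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
).decode()
SAMPLE_LDIF = (
    f"dn: uid=alice,{BASE_DN}\n"
    f"sshPublicKey: ssh-ed25519 {SAMPLE_BLOB} alice@workstation\n"
    "sshPublicKey: ssh-dss AAAA not allowed\n"
    "sshPublicKey: garbage\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 2 and USERNAME_RE.match(sys.argv[1]):
        print("\n".join(authorized_keys(sys.argv[1], fetch_ldif(sys.argv[1]))))
    else:
        # Offline demonstration on the constructed sample.
        print("\n".join(authorized_keys("alice", SAMPLE_LDIF)))
```

With this in place, revoking or rotating a user's key is a single LDAP change that every server picks up on the next login, and the LDAP replication and backups the post already relies on cover the key store too.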