tickets #160227

open

Solution for SSH key management without FreeIPA

Added by crameleon about 2 months ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assignee:
Category: Core services and virtual infrastructure
Target version: -
Start date: 2024-05-10
Due date:
% Done: 0%
Estimated time:

Description

Currently users manage their SSH keys through the FreeIPA web GUI.

With Kanidm this is not possible; one needs to use the kanidm CLI. This is fine by itself, however we currently enforce public key authentication to all machines, making it impossible for someone to add their first SSH key once the FreeIPA GUI is shut down.
We need to find a process to solve this. One idea is some special VM allowing passphrase authentication (however I think in some remote sense having a VM allowing changing of the SSH keys using the user's passphrase is theoretically backdooring all the key-only VMs). Another idea is to make adding the initial SSH key the job of the person equipping a user with their VPN access.

Either way, both should be documented - how users can manage their SSH keys (where to connect to, which commands to run, ..), and if anything changes for onboarding a user.

This task is a blocker for decommissioning FreeIPA.

Actions #1

Updated by crameleon about 2 months ago

  • Private changed from Yes to No
Actions #2

Updated by crameleon about 2 months ago

  • Description updated (diff)
Actions #3

Updated by firstyear about 1 month ago

  • Assignee set to firstyear