Sometime on Thu, Sep 29, 2016 at 10:24:57AM -0700, Stefan Lasiewski wrote:
> Hmm, rats.
> 
> We definitely don't want to SSH into servers as root with an unencrypted
> key. I'll look into the PolicyKit to allow SSH as another user.
> 
> I'll also note that problems with unencrypted keys can be mitigated a bit
> by hardcoding a whitelist of allowed commands and IPs in authorized_keys.
> 
> > If you've set up qemu+ssh so that a password is needed
> 
> Well, that's not quite the right way to phrase it. I'm simply using
> qemu+ssh in its default configuration, and SSH best practices recommend a
> passphrase. I was hoping that Foreman would work with this, or would
> somehow encrypt a passphrase. I'll look into filing an enhancement request.

I have not specifically tried this in Foreman's context, but it should
also be possible to configure sshd to use Kerberos principal-based
authentication. For this, sshd must be configured to use the GSSAPI auth
mechanism, and the rest is transparent to the applications.

Anurag
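
Added example, not part of the original thread: a small Python check for the mitigation mentioned in the quoted message, listing authorized_keys entries that lack a from= source restriction or a forced command=. The sample entries, the key material and the wrapper path /usr/local/bin/virsh-wrapper are constructed placeholders.

```python
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # a line starting with these has no options

def split_unquoted(text, seps, maxsplit=-1):
    """Split text at characters in seps that fall outside double quotes."""
    parts, start, quoted = [], 0, False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            quoted = not quoted
        elif ch in seps and not quoted and maxsplit != 0:
            parts.append(text[start:i])
            start, maxsplit = i + 1, maxsplit - 1
    parts.append(text[start:])
    return parts

def parse_options(line):
    """Return the options of one authorized_keys line as a dict, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None  # blank line or comment
    if line.startswith(KEY_TYPES):
        return {}  # bare key: no restrictions at all
    field = split_unquoted(line, " \t", maxsplit=1)[0]
    options = {}
    for item in split_unquoted(field, ","):
        name, _, value = item.partition("=")
        if name:
            options[name.lower()] = value.strip('"')
    return options

def audit(text):
    """List (line number, missing restrictions) for keys lacking from=/command=."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        options = parse_options(line)
        if options is not None:
            missing = [n for n in ("from", "command") if n not in options]
            if missing:
                findings.append((number, missing))
    return findings

# Constructed sample: placeholder key material, hypothetical wrapper path.
SAMPLE = """\
# hypervisor account used for qemu+ssh
ssh-ed25519 AAAAC3PLACEHOLDER foreman@example
from="192.0.2.10",command="/usr/local/bin/virsh-wrapper" ssh-ed25519 AAAAC3PLACEHOLDER foreman@example
command="echo a, b",no-pty ssh-rsa AAAAB3PLACEHOLDER backup@example
"""

print(audit(SAMPLE))
```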
