[j-nsp] protect ssh and telnet
Phil Shafer
phil at juniper.net
Tue Apr 5 11:58:14 EDT 2016
Vincent Bernat writes:
>On which attribute can SSH keys be served?
Apologies. I shot my mouth off. JUNOS does not currently support
this. And RADIUS, being cleartext, is not suitable.
LDAP (w/ SSL) would be a better solution, using something like:
https://github.com/AndriiGrytsenko/openssh-ldap-publickey
which plugs into openssh using the "AuthorizedKeysCommand" sshd_config
statement. But JUNOS doesn't ship openldap, so the only way to
make this work would be an external web server that proxies requests
into LDAP. The AuthorizedKeysCommand would be a script that makes
the HTTP request and formats the results. The above LPK script
could be put inside a Perl web framework like Mojolicious.
It's a bit of rough plumbing, but until we can ship openldap (or
you run the non-veriexec JUNOS), that's likely the best answer.
Thanks,
Phil
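
Added example, not part of the original message and not Juniper's or the LPK project's code: a sketch of the AuthorizedKeysCommand helper described above, which makes the HTTP request and formats the result. The proxy URL, its plain-text response (one public key per line) and the choice to accept only bare keys with no authorized_keys options are assumptions of this example.

```python
#!/usr/bin/env python3
import base64
import re
import struct
import sys
import urllib.parse
import urllib.request

# Hypothetical HTTPS proxy in front of LDAP (assumption, not from the post).
PROXY_URL = "https://keys.example.net/sshkeys/"
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def valid_key_line(line):
    """Return 'type base64' if line is a bare, well-formed public key, else None."""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        return None  # also rejects lines that begin with options (command=, ...)
    try:
        blob = base64.b64decode(fields[1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])       # length of embedded type name
        embedded = blob[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return None
    # The type named in the text must match the one encoded in the key blob.
    return f"{fields[0]} {fields[1]}" if embedded == fields[0] else None


def format_keys(body):
    """Turn the proxy's response body into authorized_keys lines; drop the rest."""
    keys = (valid_key_line(line) for line in body.splitlines())
    return [k for k in keys if k]


def fetch_keys(user, timeout=5):
    if not USERNAME_RE.match(user):
        return []  # never put an unexpected username into the URL
    url = PROXY_URL + urllib.parse.quote(user, safe="")
    # urlopen verifies the server certificate for https URLs by default.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return format_keys(resp.read(65536).decode("ascii", "replace"))


if __name__ == "__main__":
    try:
        print("\n".join(fetch_keys(sys.argv[1])))
    except Exception:
        sys.exit(1)  # fail closed: on any error sshd receives no keys
```

sshd would invoke this through AuthorizedKeysCommand with the login name as its argument (the %u token), running as a dedicated unprivileged AuthorizedKeysCommandUser.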