fermitools / htvault-config

Configure a Hashicorp Vault server for use with htgettoken

Enable ssh key registration via id token claim #29

Open DrDaveD opened 2 years ago

DrDaveD commented 2 years ago

There are very likely going to be cases where ssh public keys should be supplied through the VO instead of self-registration. I believe that could be done through an id token claim mapped to metadata that htgettoken sees. It may be sufficient if htgettoken then disallows the --registerssh option if that metadata is seen, while htvault-config continues to allow self-registration, which htgettoken just does in a different way (that is, by passing in the public key metadata from the id token).

DrDaveD commented 2 years ago

Another option that was suggested was to update the vault ssh authentication plugin to be able to directly read ssh keys from LDAP.