Board to vote on the mantra requirement
Regina Obe
lr at pcorp.us
Mon Jun 15 10:57:00 PDT 2026
> I think the LDAP/ssh issue is that beyond the web authentication flow (which
> can be turned into MFA by requiring that at login time), there is authentication
> *not via web protocols* and in particular ssh pubkeys.
> So an osgeo user has
>
> web authentication
> a set of ssh keys
>
> whether the ssh keys are in LDAP or some other mechanism matters for
> maintainability but I don't see it as fundamental. (I also don't see a reason to
> change.)
>
> I think it's entirely reasonable, as a long term plan, to have all services that do
> web auth to use some kind of oauth2 and not accept passwords, and thus not
> have to have passwords in LDAP.
>
Agree. Yes, it wasn't so much the MFA of LDAP as much as just protecting our
id.osgeo.org website where they edit their profile and register their ssh
keys.
You can't do anything with an ssh key if you are not in the shell group
anyway. So it's mostly a concern with shell users having their accounts
compromised.