; LIAM - Linux Account Manager - config file [web] enabled = 1 baseurl = https://liam.example.com logo = /logo-header.png ; footer may contain HTML. Literal & " < and > should be escaped as & ; " < $gt; footer = 'Linux Account Manager - LIAM.' [general] ; Use timeout --version to find out the current version ; used on e.g. debian timeout_util = GNU coreutils ; used on e.g. alpine ; timeout_util = BusyBox [security] ; It is important that LIAM is able to verify that it has connected to the ; server that it expected to connect to (otherwise it could be tricked into ; syncing the wrong keys to a server). The simplest way to accomplish this is ; through SSH host key verification. Setting either of the 2 options below to ; '0' can weaken the protection that SSH host key verification provides. ; Determine who can reset a server's SSH host key in LIAM: ; 0: Allow server admins to reset the SSH host key for servers that they ; administer ; 1: Full LIAM admin access is required to reset a server's host key host_key_reset_restriction = 1 ; Determine what happens if multiple servers have the same SSH host key: ; 0: Allow sync to proceed ; 1: Abort sync of affected servers and report an error ; It is not recommended to leave this set to '0' indefinitely host_key_collision_protection = 1 ; Hostname verification is a supplement to SSH host key verification for ; making sure that the sync process has connected to the server that it ; expected to. ; Determine how hostname verification is performed: ; 0: Do not perform hostname verification ; 1: Compare with the result of `hostname -f` ; 2: Compare with /var/local/keys-sync/.hostnames, fall back to `hostname -f` ; if the file does not exist ; 3: Compare with /var/local/keys-sync/.hostnames, abort sync if the file ; does not exist ; The last option provides the most solid verification, as a server will only ; be synced to if it has been explicitly allowed on the server itself. hostname_verification = 0 [defaults] ; This setting will cause new servers to always have a managed account called ; "root" and for that account to be automatically added into the ; "root-accounts" group: ; ; account_groups[root] = "root-accounts" ; ; Any number of these can be specified account_groups[root] = "root-accounts" [email] enabled = 1 ; The mail address that outgoing mails will be sent from from_address = liam@example.com from_name = "SSH Key Authority system" ; Where to mail security notifications to report_address = reports@example.com report_name = "SSH Key Authority reports" ; Where users should contact for help admin_address = admin@example.com admin_name = "SSH Key Authority administrators" ; You can use the reroute directive to redirect all outgoing mail to a single ; mail address - typically for temporary testing purposes ;reroute = test@example.com [database] ; Connection details to the MySQL database hostname = localhost port = 3306 username = liam-user password = password database = liam-db [ldap] ; Address to connect to LDAP server host = ldaps://ldap.example.com:636 ; Use StartTLS for connection security (recommended if using ldap:// instead ; of ldaps:// above) starttls = 0 ; LDAP subtree containing USER entries dn_user = "ou=users,dc=example,dc=com" ; LDAP subtree containing GROUP entries dn_group = "ou=groups,dc=example,dc=com" ; (Optional) filter for matching user objects ;user_filter = "(objectClass=inetOrgPerson)" ; (Optional) filter for matching group objects ;group_filter = "(objectClass=posixGroup)" ; Set to 1 if the LDAP library should process referrals. In most cases this ; is not needed, and for AD servers it can cause errors when querying the ; whole tree. follow_referrals = 0 ; Leave bind_dn empty if binding is not required bind_dn = bind_password = ; User attributes user_id = uid user_name = cn user_email = mail ;user_superior = superioremployee ; If inactive users exist in your LDAP directory, filter with the following ; settings: ; Field to filter on: ;user_active = organizationalstatus ; Use *one* of user_active_true or user_active_false ; user_active_true means user is active if the user_active field equals its ; value ;user_active_true = 'current' ; user_active_false means user is active if the user_active field does not ; equal its value ;user_active_false = 'former' ; Group membership attributes. Examples below are for typical setups: ; ; POSIX groups ; group_member = memberUid ; group_member_value = uid ; ; Group-of-names groups ; group_member = member ; group_member_value = dn ; ; Attribute of group where members are stored group_member = memberUid ; User attribute to compare with group_member_value = uid ; Members of admin_group are given full admin access to SSH Key Authority web ; interface admin_group_cn = liam-administrators ; Other LDAP groups that should have their memberships synced ;sync_groups[] = ldap_group_name [inventory] ; SSH Key Authority will read the contents of the file /etc/uuid (if it ; exists) when syncing with a server. If a value is found, it can be used as a ; link to an inventory system. ; %s in the url directive will be replaced with the value found in /etc/uuid ;url = "https://inventory.example.com/device/%s" [gpg] ; SSH Key Authority can GPG sign outgoing emails sent from the ; email.from_address. To do this it needs to know an appropriate key ID to use ;key_id = 0123456789ABCDEF0123456789ABCDEF01234567