.. _machines:

Client machines
===============

.. index:: machines, client machines

privacyIDEA lets you define Machine Resolvers to connect to existing machine
stores. The idea is for users to be able to authenticate
on those client machines.
Not in all cases an online authentication request is possible,
so that authentication items
can be passed to those client machines.

In addition you need to define, which application on the client machine
the user should authenticate
to. Different application require different authentication items.

Therefore privacyIDEA can define application types.
At the moment privacyIDEA knows the application
``luks` and ``ssh``. You can write your own application class,
which is defined in
:ref:``code_application_class``.

You need to assign an application and a token to a client machine. Each application type 
can work with certain token types and each application type can use additional parameters.

.. note:: Not all tokens work well with all applications!

SSH
---

Currently working token types: SSH

Parameters:

``user`` (optional, default=root)

When the SSH token type is assigned to a client, the user specified in the
user parameter
can login with the private key of the SSH token.

In the ``sshd_config`` file you need to configure the ``AuthorizedKeysCommand``.
Set it to::

   privacyidea-authorizedkeys

This will fetch the SSH public keys for the requesting machine.

The command expects a configuration file
*/etc/privacyidea/authorizedkeyscommand* which looks like this::

   [Default]
   url=https://localhost
   admin=admin
   password=test

.. note:: To disable a SSH key for all servers, you simple can disable the
SSH token in privacyIDEA.


LUKS
----

Currently working token types: Yubikey Challenge Response

Parameters:

``slot`` The slot to which the authentication information should be written

``partition`` The encrypted partition (usually /dev/sda3 or /dev/sda5)

These authentication items need to be pulled on the client machine from
the privacyIDEA server.

Thus, the following script need to be executed with root rights (able to
write to LUKS) on the client machine::

   privacyidea-luks-assign @secrets.txt --cleanslot --name salt-minion

For more information please see the man page of this tool.



.. [#saltstack] http://www.saltstack.com/