On Fri, Apr 14, 2017 at 08:10:35PM -0000, zac...@temple.edu wrote:
> Hi list,
>
> This is more of a feature request, and I don't know if this is the right
> venue to ask. If not, kindly direct me to the proper place.
>
> The sssd configuration separates identity, authentication, and access
> providers. It would be nice to specify that only the access provider be
> enforced in a particular PAM stack. Generically, this is the authn vs authz
> issue. I would like to be able to use sssd for authz exclusively in some
> instances where other authentication is deemed satisfactory.
>
> Use cases:
> ssh with public key + 2nd factor token authentication + sssd access filtering
> su without password + sssd access filtering
> custom service with external authentication + sssd access filtering
>
> I haven't delved too deeply into the sssd source to see how hard it would be
> to implement something like a pam argument authz_only that skips the auth
> provider, but it seems like it should be reasonable.
>
> Thoughts?

Since this option would be set in the PAM service file anyway, does it make sense to even include pam_sss.so in the PAM stack's auth session?