On Thu, May 09, 2019 at 07:55:31AM -0400, Nerigal wrote:
> Hi,
>
> I could make sssd work fine with domain authentication with Radius
> server + Azure MFA through SSH gateway using password
>
> So the user enters his creds and then gets a prompt on his phone to
> accept or reject the authentication
>
> Everything works as expected so far
>
> The problem comes with SSH keys ...
>
> I tried the alternate authentication in Active Directory, adding users'
> SSH keys in the altSecurityIdentities user object attribute
>
> and configuring
>
> ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
> ldap_user_ssh_public_key = altSecurityIdentities
> ldap_use_tokengroups = True
>
> in the sssd.conf file
>
> and it's actually working too well...
>
> The "too well" is that it looks like as soon as the user has a working
> SSH key in Active Directory, SSSD ignores the configuration
>
> auth_provider = proxy
> proxy_pam_target = sssdproxyradiusauth
>
> Note *
>
> sshd_config is configured with
>
> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> AuthorizedKeysCommandUser root
>
> So is there a way to make SSSD always pass by the Radius regardless of
> the auth mechanism?
>
> Maybe the "proxy bypass" with SSH key comes from
> /usr/bin/sss_ssh_authorizedkeys; I can't tell at this point
Yes, most probably. /usr/bin/sss_ssh_authorizedkeys will send the ssh key read
by SSSD from the AD user object to sshd so that sshd can do public key
authentication. This is the same as if you had put the ssh key into the
.ssh/authorized_keys file in the user's home directory, only that it is
centrally managed in AD.

If you want to tell sshd to use both publickey and keyboard-interactive
authentication together please see AuthenticationMethods in man sshd_config
for details.

HTH

bye,
Sumit

> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
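The situation in this thread can be audited with a small config check; this is an added example, not code from the thread or from SSSD/OpenSSH. It parses a constructed sshd_config (simplified: Match blocks and Include are ignored) and reports which AuthenticationMethods alternatives a public key alone satisfies, i.e. login paths that never reach PAM and therefore never reach the SSSD proxy/RADIUS step.

```python
"""Check whether an sshd_config lets a public key alone complete a login.

Without an AuthenticationMethods line, sshd accepts any single enabled
method, so a key served by sss_ssh_authorizedkeys finishes the login and
PAM (hence SSSD's auth_provider = proxy) is never consulted.
"AuthenticationMethods publickey,keyboard-interactive" demands both.
"""
from typing import Dict, List

# Methods that go through PAM (keyboard-interactive is the one the reply names).
PAM_BACKED = {"keyboard-interactive", "password"}
NO_METHODS = "<no AuthenticationMethods: any single method suffices>"

# Constructed sample mirroring the thread's setup (no AuthenticationMethods).
SAMPLE_SSHD_CONFIG_WEAK = """\
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
"""
# Same config with the fix suggested in the reply.
SAMPLE_SSHD_CONFIG_FIXED = SAMPLE_SSHD_CONFIG_WEAK + \
    "AuthenticationMethods publickey,keyboard-interactive\n"


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map lower-cased keyword -> all values seen (comments stripped)."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return conf


def key_only_login_possible(text: str) -> List[str]:
    """Return the AuthenticationMethods alternatives satisfiable by a key alone.

    An empty list means every login path includes a PAM-backed method.
    """
    methods = parse_sshd_config(text).get("authenticationmethods")
    if not methods or methods[-1].strip() == "any":   # sshd uses the last line
        return [NO_METHODS]
    weak = []
    for alt in methods[-1].split():                    # alternatives are space-separated
        names = {m.split(":", 1)[0] for m in alt.split(",")}  # drop ":suffix" qualifiers
        if "publickey" in names and not names & PAM_BACKED:
            weak.append(alt)
    return weak
```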
