On Fri, 6 Dec 2019, Jasper Siepkes wrote:

Hi,

Thanks for the reply and sorry I missed the other question (my Google-foo is 
apparently a bit weak today ;-).

To cut it short, this is not possible because many login programs need 
information about the user before the password or other credentials
are available.

Would you folks be open to a patch which adds a flag to use the user's own 
Kerberos credentials for environments where hosts are less trusted (i.e. desktop 
deployments)? The documentation could add a warning that this won't work for 
all deployment scenarios.

I understand this might be a problem for applications like ssh; however, those 
kinds of applications are not part of a normal office desktop deployment, I 
think. Those types of applications are usually part of server deployment 
scenarios where the host itself is also more trusted than some desktop sitting 
in an office.

I'd be interested to know how you'd make this work.  A default pam stack would 
keel over if it didn't already know the user information, as it'd typically block 
access to pam_sss if the UID was < 1000.

jh
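
Added example, not part of the original message or of SSSD: a simplified Python model of the point above, that a `pam_succeed_if` UID test placed ahead of `pam_sss` cannot pass until the user's UID can be looked up. The sample stack is constructed in the style of a generated `system-auth` file, and the function names are hypothetical.

```python
import operator

# Constructed sample "auth" stack; not taken from the thread.
SAMPLE_STACK = """\
auth  required    pam_env.so
auth  sufficient  pam_unix.so nullok try_first_pass
auth  requisite   pam_succeed_if.so uid >= 1000 quiet_success
auth  sufficient  pam_sss.so forward_pass
auth  required    pam_deny.so
"""

# Numeric comparison operators accepted by pam_succeed_if.
OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
       "<": operator.lt, "eq": operator.eq, "ne": operator.ne}


def parse_auth_stack(text):
    """Return [(control, module, args)] for the auth facility, in stack order.
    Bracketed controls such as [success=1 default=ignore] are not handled."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            entries.append((fields[1], fields[2], fields[3:]))
    return entries


def uid_gates_before(entries, target="pam_sss.so"):
    """Collect (op, value) uid tests that must pass before the target runs."""
    gates = []
    for control, module, args in entries:
        if module == target:
            return gates
        if module == "pam_succeed_if.so" and control in ("requisite", "required"):
            for i in range(len(args) - 2):
                if args[i] == "uid" and args[i + 1] in OPS:
                    gates.append((args[i + 1], int(args[i + 2])))
    return []  # target is not in the stack, so nothing gates it


def reaches_target(entries, uid, target="pam_sss.so"):
    """uid=None models a user that cannot be resolved yet: every uid test fails.
    Simplification: only the pam_succeed_if gates are evaluated."""
    if not any(module == target for _, module, _ in entries):
        return False
    return all(uid is not None and OPS[op](uid, value)
               for op, value in uid_gates_before(entries, target))
```

With the sample stack, `reaches_target(parse_auth_stack(SAMPLE_STACK), None)` is `False`: a user whose UID is not yet known is stopped at the `requisite` line before `pam_sss` is consulted.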