On Wed, Feb 26, 2020 at 09:38:21AM -0000, Hristina Marosevic wrote:
> Hello, 
> 
> I am using SSSD with LDAP directory which provides public keys for each user 
> entry to SSSD. 
> I am not sure if it is possible to configure SSSD not just to accept the 
> private key (provided by the user during the login) and authenticate the user 
> from LDAP (where his public key is stored), but also to check the:
> - trust (validation of the CA used for signing the user's certificate i.e. 
> public key)
> - validity of a user certificate with its public key (its "from" - "to" dates)
> - revocation status (configuration of SSSD with CRL lists or OCSP)
> or should I manage this on the LDAP side or on application level or somewhere 
> else?
> I would be grateful if you share your ideas about the possible solutions of 
> this situation!

Hi,

if you are thinking of using ssh to log in then SSSD can already handle
this.

SSSD can read the certificate for the user from the LDAP entry, validate
it and if valid make the derived ssh-key available to sshd with the help
of the sss_ssh_authorizedkeys utility.

Please check the option 'certificate_verification' and its sub-options
in the sssd.conf man page for details. Also check the 'SSH configuration
options' section about how to configure SSSD's ssh responder. The
sss_ssh_authorizedkeys man page explains how to make sshd use the
utility.

HTH

bye,
Sumit

> 
> 
> BR,
> Hristina 
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
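As an added illustration of the setup Sumit describes (this is example configuration, not part of the thread and not taken from the SSSD project): the LDAP domain exposes the user certificate, the ssh responder validates it against a trusted CA bundle and revocation sources, and only then derives the ssh public key. The domain name, host names, search base, CRL path and OCSP URL are placeholders; the option names are the ones documented in the sssd.conf man page, and the `ca_db` default shown is the OpenSSL-build default.

```ini
# /etc/sssd/sssd.conf (example; example.com, hosts and file paths are placeholders)
[sssd]
services = nss, pam, ssh
domains = example.com
# Trust, validity dates and chain building are always checked unless
# 'no_verification' is given. Revocation status is checked here via OCSP
# (responder taken from the certificate, falling back to the one named below)
# and a locally maintained CRL file. Leaving this line out keeps OCSP but
# no CRL; 'no_ocsp' or 'no_verification' are the weak settings to avoid.
certificate_verification = ocsp_default_responder=http://ocsp.example.com,crl_file=/etc/sssd/pki/example.crl

[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# LDAP attribute carrying the user's X.509 certificate (this is the default)
ldap_user_certificate = userCertificate;binary

[ssh]
# derive ssh public keys from the validated user certificate (default: true)
ssh_use_certificate_keys = true
# CA bundle the certificate chain must validate against before a key is derived
ca_db = /etc/sssd/pki/sssd_auth_ca_db.pem
```

On the sshd side, `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys` together with `AuthorizedKeysCommandUser nobody` in sshd_config makes sshd ask SSSD for the keys, as the sss_ssh_authorizedkeys man page describes. A quick check after restarting sssd is to run `sss_ssh_authorizedkeys <username>` as root: a certificate that fails the CA, date or revocation checks yields no key, and the reason is logged in the ssh responder log at debug_level 6 or higher.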