Hi,

In our environment all NFS shares are mounted with 'sec=krb5' and user homedirs 
are on NFS. So when users log in via SSH they need a Kerberos ticket to read 
their homedir. SSH with GSSAPIAuthentication would solve this, and of course 
user/password works as well. But for different reasons we want to restrict 
login to ssh keys only, with the key stored non-exportable on a hard token 
(smartcard/yubikey) and the public part stored in AD (accessed by using the sshd 
config option 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'). The 
problem is that the user does not get a Kerberos ticket on login with this 
scheme, forcing them to use 'kinit', which requires a password, which we don't 
want to use.


I've read

https://bugzilla.redhat.com/show_bug.cgi?id=1017651

and

https://fedorahosted.org/freeipa/ticket/4000


The bugzilla is old but contains new, relevant input from users but no new 
comments from any devs - are there any new thoughts on making SSSD/sshd capable 
of retrieving a Kerberos TGT for a user logged in with ssh keys? I understand 
the security concerns, but having the keys non-exportable on a hard token and 
storing the public part in AD/IdM should solve those issues, don't you think?


Right now we are stuck between two security principles (requiring krb auth for 
NFS access and using a secure ssh key setup for access) that don't play nicely 
with each other.


Regards

Adam
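Added example, not code from the post above or from the SSSD or OpenSSH projects: a small POSIX shell audit for the sshd side of the setup described (key-only logins, public keys served from AD via sss_ssh_authorizedkeys). It reads a plain sshd_config or the effective configuration printed by `sshd -T`, applies sshd's first-occurrence-wins rule for duplicated keywords, and prints one FAIL line for each directive that would still let a password, keyboard-interactive or GSSAPI login through or that leaves the AuthorizedKeysCommand wiring incomplete. The two sample configurations are constructed for illustration; the keyword names are real sshd directives.

```shell
#!/bin/sh
# Added example: audit an sshd configuration for a "key-only, keys from AD via
# SSSD" policy. Not code from the original post or from SSSD/OpenSSH.

# effective_value FILE KEYWORD: print the value sshd would use for KEYWORD in
# the global section. sshd keeps the FIRST occurrence of a keyword, so later
# duplicates are ignored; parsing stops at the first Match block, whose
# conditional overrides are out of scope here. The literal `none` (printed by
# `sshd -T` for unset command options) is reported as empty.
effective_value() {
    v=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2   { next }
        tolower($1) == "match"       { exit }
        tolower($1) == key && !found { val = $2; found = 1 }
        END { print val }' "$1")
    [ "$v" = "none" ] && v=""
    printf '%s' "$v"
}

# check_directive FILE KEYWORD WANTED: FAIL when the effective value differs
# from WANTED (case-insensitive). An unset keyword is a deviation too, so feed
# `sshd -T` output if you want compiled-in defaults taken into account.
check_directive() {
    got=$(effective_value "$1" "$2")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$3" ]; then
        echo "FAIL: $2 is '${got:-unset}', want '$3'"
    fi
}

# audit_sshd_keyonly FILE: print one FAIL line per deviation from the policy.
audit_sshd_keyonly() {
    cfg="$1"
    check_directive "$cfg" PubkeyAuthentication   yes
    check_directive "$cfg" PasswordAuthentication no
    check_directive "$cfg" GSSAPIAuthentication   no
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication to
    # KbdInteractiveAuthentication; accept whichever spelling the file uses.
    if [ -n "$(effective_value "$cfg" KbdInteractiveAuthentication)" ]; then
        check_directive "$cfg" KbdInteractiveAuthentication no
    else
        check_directive "$cfg" ChallengeResponseAuthentication no
    fi
    cmd=$(effective_value "$cfg" AuthorizedKeysCommand)
    case "$cmd" in
        */sss_ssh_authorizedkeys) ;;
        *) echo "FAIL: AuthorizedKeysCommand is '${cmd:-unset}', want sss_ssh_authorizedkeys" ;;
    esac
    # sshd refuses to start with AuthorizedKeysCommand but no
    # AuthorizedKeysCommandUser, so an audit should flag it as well.
    [ -n "$(effective_value "$cfg" AuthorizedKeysCommandUser)" ] ||
        echo "FAIL: AuthorizedKeysCommandUser is unset"
}

# count_problems FILE: number of FAIL lines, as a plain integer.
count_problems() {
    audit_sshd_keyonly "$1" | wc -l | tr -d ' '
}

# Constructed sample configurations (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.cfg" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
# the next line is ignored by sshd: the first value above wins
PasswordAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
EOF
cat > "$SAMPLE_DIR/hardened.cfg" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
GSSAPIAuthentication no
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF

for f in weak hardened; do
    echo "== $f.cfg"
    audit_sshd_keyonly "$SAMPLE_DIR/$f.cfg"
done
```

On a live host, `sshd -T > /tmp/effective.cfg && audit_sshd_keyonly /tmp/effective.cfg` audits the merged configuration including defaults; `sshd -T -C user=alice,host=...,addr=...` does the same for a specific Match context. The weak sample shows why reading the file by hand is error-prone: the later `PasswordAuthentication no` looks like a fix but sshd never applies it.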


_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org