On 26/03/2023 22:31, Spike White wrote:
> We use GSSAPI instead of GSS-SPNEGO for ssh SSO, but it should work the same. This does not really involve sssd at all (for the authentication). What happens is that your ssh daemon is Kerberos-aware. So when it is presented with a Kerberos ticket, the ssh daemon contacts the Kerberos server (AD DC in our case) to verify the ticket. If authenticated, it allows login. That is, it bypasses PAM for the 'authentication' phase. It still consults the PAM stack for the 'account' and 'session' phases, however.
>
> Because the sshd service in this situation does not call the PAM stack for the authentication phase, it does not consult pam_sss during the authentication phase. For your account phase and session phase, it will consult pam_sss, but that doesn't involve Kerberos.

Have you enabled Connection -> SSH -> Auth -> GSSAPI -> Allow GSSAPI credential delegation?

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
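
Added example, not part of the original messages: a shell sketch that lists which PAM modules a GSSAPI login skips (the auth phase) and which still run (account and session), following the behaviour described in the quoted text. The PAM stack and `sshd -T` output are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of /etc/pam.d/sshd (assumed layout, not from the thread).
SAMPLE_PAM='auth       required     pam_faillock.so preauth
auth       sufficient   pam_sss.so forward_pass
auth       required     pam_deny.so
account    required     pam_access.so
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
password   sufficient   pam_sss.so use_authtok
session    optional     pam_sss.so
session    required     pam_limits.so'

# Constructed sample of `sshd -T` output (effective config, lowercase keys).
SAMPLE_SSHD='gssapiauthentication yes
usepam yes'

# sshd_option KEY: print the value of KEY from sshd -T style text on stdin.
sshd_option() {
    awk -v k="$1" 'tolower($1) == k { print $2; exit }'
}

# pam_modules PHASE: print the module named on each line of that PAM phase.
pam_modules() {
    awk -v p="$1" '
        $1 ~ /^#/ { next }
        { t = $1; sub(/^-/, "", t) }   # "-auth" style lines count too
        t == p {                       # control may be "[a=b c=d]" with spaces
            for (i = 2; i <= NF; i++)
                if ($i ~ /pam_[A-Za-z0-9_]+\.so$/) { print $i; break }
        }'
}

# gssapi_phase_report SSHD_TEXT PAM_TEXT: one line per module, skipped or run.
gssapi_phase_report() {
    gss=$(printf '%s\n' "$1" | sshd_option gssapiauthentication)
    pam=$(printf '%s\n' "$1" | sshd_option usepam)
    if [ "$gss" != yes ]; then echo "gssapi: disabled"; return 0; fi
    for m in $(printf '%s\n' "$2" | pam_modules auth); do
        echo "skipped auth $m"         # auth phase is not called for GSSAPI
    done
    [ "$pam" = yes ] || { echo "usepam off: no PAM account/session"; return 0; }
    for phase in account session; do
        for m in $(printf '%s\n' "$2" | pam_modules "$phase"); do
            echo "runs $phase $m"
        done
    done
}

gssapi_phase_report "$SAMPLE_SSHD" "$SAMPLE_PAM"
```

On a real host the two arguments would come from `sshd -T` (run as root) and the contents of `/etc/pam.d/sshd`; `include` and `substack` lines are not followed by this sketch.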