Hi,
On 20 Apr 2022, at 09:44, Jonathan Vaughn via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
We have some systems which are FreeIPA connected, but (most) users don't log in as
themselves, there's a local system account they use instead (simplifies file ownership
for website changes and such, for example).
Is there a way to have their public keys automatically accepted for this local user, via
SSSD/FreeIPA, like it is if they log in as themselves? We could just use a cron job to
regenerate the authorized_keys from the keys in LDAP, but if we can do it magically
through an RBAC thing or something, that would be ideal.
The best solution is to let them log in with their personal accounts and then set up sudo
rules to let them impersonate the service accounts. That way you also keep proper audit
logs on who impersonated which account when.
Cheers,
Sander
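A worked version of the sudo-rule approach from the reply above, as an added example that is not part of the thread. It assumes constructed names (IPA group "webdevs", host group "webservers", local service account "webdeploy", rule "web-as-webdeploy") and uses only the standard ipa(1) sudorule subcommands.

```bash
#!/bin/bash
# Added example, not from the thread. Builds the FreeIPA sudo rule that Sander's
# reply suggests: members of an IPA group may run a shell as a local service
# account on a host group, so they keep their own SSH keys and sudo logs who did it.
# Assumed names: rule "web-as-webdeploy", group "webdevs", host group "webservers",
# local account "webdeploy". Set IPA=echo to print the commands instead of running them.
IPA=${IPA:-ipa}

# Print the ipa(1) commands for one rule. The RunAs user is a local account that
# IPA does not manage; FreeIPA stores it as an external RunAs user. Limiting both
# RunAs and the allowed command keeps the rule from becoming a path to root.
rule_cmds() {
  local rule=$1 group=$2 hostgroup=$3 svc=$4
  cat <<EOF
$IPA sudocmd-add /bin/bash --desc="shell for service-account impersonation"
$IPA sudorule-add "$rule" --desc="$group may run a shell as $svc on $hostgroup"
$IPA sudorule-add-user "$rule" --groups="$group"
$IPA sudorule-add-host "$rule" --hostgroups="$hostgroup"
$IPA sudorule-add-runasuser "$rule" --users="$svc"
$IPA sudorule-add-allow-command "$rule" --sudocmds=/bin/bash
EOF
}

# Run the commands as an IPA admin (after kinit). sudocmd-add reports an error
# if /bin/bash is already registered; that step is then safe to ignore.
apply_rule() { rule_cmds "$@" | sh; }

# Client-side checks (run on a host in the host group): the rule must be served
# through SSSD, appear in sudo -l, and every use must show up in the sudo log.
verify_on_client() {
  local user=$1 svc=$2
  grep -q '^sudoers:.*sss' /etc/nsswitch.conf || echo "nsswitch.conf lacks sss for sudoers"
  sudo -l -U "$user"                       # expect a line like: (webdeploy) /bin/bash
  journalctl -t sudo | grep "USER=$svc"    # who ran what as the service account, and when
}

# Example invocation (prints only, since IPA=echo):
# IPA=echo rule_cmds web-as-webdeploy webdevs webservers webdeploy
```

Once the rule has reached the clients, a developer logs in under their own account and runs `sudo -u webdeploy -i`; the resulting sudo log line names both the real user and the service account.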