2:44 a.m.
We have some systems which are FreeIPA connected, but (most) users don't
log in as themselves, there's a local system account they use instead
(simplifies file ownership for website changes and such, for example).
Is there a way to have their public keys automatically accepted for this
local user, via SSSD/FreeIPA, like it is if they log in as themselves? We
could just use a cron job to regenerate the authorized_keys from the keys
in LDAP, but if we can do it magically through an RBAC thing or something,
that would be ideal.
4:41 a.m.
New subject: Use SSH keys in FreeIPA to access local account on server?
Hi,
On 20 Apr 2022, at 09:44, Jonathan Vaughn via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
We have some systems which are FreeIPA connected, but (most) users don't log in as
themselves, there's a local system account they use instead (simplifies file ownership
for website changes and such, for example).
Is there a way to have their public keys automatically accepted for this local user, via
SSSD/FreeIPA, like it is if they log in as themselves? We could just use a cron job to
regenerate the authorized_keys from the keys in LDAP, but if we can do it magically
through an RBAC thing or something, that would be ideal.
The best solution is to let them log in with their personal accounts and then set up sudo
rules to let them impersonate the service accounts. That way you also keep proper audit
logs on who impersonated which account when.
Cheers,
Sander
742
days inactive
742
days old
freeipa-users@lists.fedorahosted.org
1 comments
2 participants
participants (2)
-
Jonathan Vaughn -
Sander Steffann