On (15/04/15 12:37), Olivier wrote:
> Hi,
> Addendum:
>> My current policy is the following:
>>
>> - All my users must have a password in ldap (that is used by
>> applications other than ssh)
>>
>> - not all my users may have an ssh key (some never use ssh)
>>
>> Everything works as I want.
> I realize that with my tuning ssh behaves as such:
> * if the user has no key in ldap then ssh asks for a login password
> * if the user has a correct key in ldap then ssh grants access and
> doesn't ask for any login/password
> * if the user has an incorrect key in ldap then ssh switches to the
> login/password authentication process.
> That means that if a bad sshkey is returned by
> "sss_ssh_authorizedkeys", then ppolicy will be checked and
> updated if necessary through the "login / password" process.
> Maybe that could help: with a given flag "sss_ssh_authorizedkeys"
> could simply refuse to return the key in case of a "ppolicy issue".
Your requirements seem to be similar to those in tickets:
https://fedorahosted.org/sssd/ticket/2364
https://fedorahosted.org/sssd/ticket/2534
The first feature is available in sssd-1.11
and the second one was recently added to sssd-1.12
Here is a sample config:
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP
[domain/LDAP]
debug_level = 0xfff0
ldap_search_base = $DS_BASE_DN
id_provider = ldap
ldap_uri = ldap://$SERVER
cache_credentials = True
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
access_provider = ldap
ldap_access_order = lockout
ldap_pwdlockout_dn = cn=pwdconfig,ou=policies,$DS_BASE_DN
You can read more details in the sssd-ldap manual page under ldap_access_order.
LS
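The point of the exchange above is that key-based ssh logins skip the password step, so an LDAP ppolicy lockout is only enforced if sssd's access provider checks it. As an added example (not code from the thread or from the sssd project), here is a small audit of an sssd.conf that flags LDAP domains where that check is missing: no access_provider = ldap, no lockout in ldap_access_order, or no explicit ldap_pwdlockout_dn. The option names are the real sssd.conf keys from the sample config; the three configurations are constructed for the example and the $SERVER / $DS_BASE_DN values are placeholders as in the thread.

```python
"""Audit sssd.conf for the LDAP ppolicy lockout check (added example).

Constructed sample configurations follow. WEAK_CONF is the situation
Olivier describes: LDAP users with ssh keys get in without the password
path ever consulting ppolicy. FIXED_CONF mirrors the sample config from
the reply (access_provider = ldap, ldap_access_order = lockout,
ldap_pwdlockout_dn pointing at the ppolicy entry).
"""
import configparser

# Constructed: id lookups only; access_provider is left at its default (permit).
WEAK_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = $DS_BASE_DN
id_provider = ldap
ldap_uri = ldap://$SERVER
cache_credentials = True
"""

# Constructed: access control enabled, but only the default "filter" check.
PARTIAL_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = $DS_BASE_DN
id_provider = ldap
ldap_uri = ldap://$SERVER
access_provider = ldap
ldap_access_order = filter
"""

# Constructed: the lockout check from the reply's sample config.
FIXED_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = $DS_BASE_DN
id_provider = ldap
ldap_uri = ldap://$SERVER
cache_credentials = True
access_provider = ldap
ldap_access_order = lockout
ldap_pwdlockout_dn = cn=pwdconfig,ou=policies,$DS_BASE_DN
"""


def _csv(value):
    """Split a comma-separated sssd.conf value into a clean list."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_lockout(conf_text):
    """Return a list of (domain, finding) tuples; an empty list means
    every LDAP domain in [sssd] domains enforces the ppolicy lockout."""
    # interpolation=None so "$DS_BASE_DN"-style values are taken literally
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for dom in _csv(cp.get("sssd", "domains", fallback="")):
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            findings.append((dom, "listed in [sssd] domains but has no section"))
            continue
        if cp.get(sect, "id_provider", fallback="") != "ldap":
            continue  # this check is specific to plain LDAP domains
        # sssd's default access_provider is "permit": no access check at all
        provider = cp.get(sect, "access_provider", fallback="permit")
        if provider != "ldap":
            findings.append((dom, f"access_provider={provider}: ppolicy lockout "
                                  "is never evaluated for key-based logins"))
            continue
        # default ldap_access_order is "filter", which does not look at ppolicy
        order = _csv(cp.get(sect, "ldap_access_order", fallback="filter"))
        if "lockout" not in order:
            findings.append((dom, f"ldap_access_order={','.join(order)}: "
                                  "add 'lockout' to honour pwdAccountLockedTime"))
        if not cp.get(sect, "ldap_pwdlockout_dn", fallback="").strip():
            findings.append((dom, "ldap_pwdlockout_dn not set explicitly; "
                                  "verify it names the ppolicy entry"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("partial", PARTIAL_CONF),
                       ("fixed", FIXED_CONF)):
        print(name, audit_lockout(text) or "ok")
```

Running the block prints one line per constructed config; the weak config gets a single finding about access_provider, the partial one gets two (order and DN), and the fixed one passes. Point audit_lockout at the text of a real /etc/sssd/sssd.conf to use it on a host.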