Hi,
I could make sssd work fine with domain authentication with Radius
server + Azure MFA through SSH gateway using password.
So the user enters his creds and then gets a prompt on his phone to
accept or reject the authentication.
Everything works as expected so far.
The problem comes with SSH keys ...
I tried the alternate authentication in Active Directory, adding users'
SSH keys in the altSecurityIdentities user object attribute
and configuring
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True
in sssd.conf file
and it's actually working too well...
The "too well" is that it looks like as soon as the user has a working
SSH key in Active Directory, SSSD ignores the configuration
auth_provider = proxy
proxy_pam_target = sssdproxyradiusauth
Note *
sshd_config is configured with
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
So is there a way to make SSSD always pass by the Radius regardless of
the auth mechanic?
Maybe the "proxy bypass" with SSH key comes from
/usr/bin/sss_ssh_authorizedkeys; I can't tell at this point.
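
An added example, not part of the original post: a check of whether an sshd_config lets a public key alone complete the login. When it does, sshd runs only the PAM account and session stacks, so a PAM-based auth step such as the proxy target above is never called. It assumes UsePAM yes, reads only the global section (Match blocks are not evaluated), and the sample configs are constructed.

```python
# Added example: does sshd's global config allow login with a public key only?
# Assumptions: UsePAM yes; whitespace-separated keywords; Match blocks ignored.

# Methods that make sshd call the PAM auth stack when UsePAM is enabled.
PAM_METHODS = {"password", "keyboard-interactive"}

def global_settings(text):
    """Return the first value of each keyword in the global section
    (sshd uses the first occurrence of a keyword)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":          # conditional blocks are out of scope here
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def key_only_login_possible(text):
    """True if some accepted method list needs a key and no PAM-backed method."""
    cfg = global_settings(text)
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        return False
    methods = cfg.get("authenticationmethods", "any")
    if methods.lower() == "any":    # default: any single method is enough
        return True
    for method_list in methods.split():          # lists are alternatives
        names = {m.split(":", 1)[0] for m in method_list.split(",")}
        if "publickey" in names and not names & PAM_METHODS:
            return True
    return False

# Constructed sample: the two sshd_config lines quoted in the post.
AS_POSTED = (
    "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
    "AuthorizedKeysCommandUser root\n"
)
# Constructed sample: the same config with both factors required in sequence.
REQUIRE_BOTH = AS_POSTED + "AuthenticationMethods publickey,keyboard-interactive\n"

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("require both", REQUIRE_BOTH)):
        print(name, "-> key-only login possible:", key_only_login_possible(conf))
```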