On 16/07/2022 04:08, Jacob M Cutright via FreeIPA-users wrote:
> Hello,
> Apologies if I am misunderstanding and this is incorrect, but users who
> log in via SSH keys do not get Kerberos tickets by default, which is why
> your pam_sss_sudo isn't working. You can reference this issue here:
> https://pagure.io/freeipa/issue/4000/
Yeah, if you're using PubkeyAuthentication then you can't do any of this.
If you're wedded to PubkeyAuthentication then there's not much else you
can do other than configure sudo rules to allow the Ansible user to use
sudo without authentication.
Arguably this is more secure anyway, because with
GSSAPIDelegateCredentials, you're handing the Ansible controller's TGT
over to the managed host; if that host has been compromised then the
attacker can now use the controller's TGT to authenticate to other
services on your network...
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
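An added example, not code from the thread or the FreeIPA project: it audits an Ansible controller's ssh_config for the TGT-forwarding setting Sam warns about and rewrites it to "no", with the no-authentication sudo rule alternative noted in comments. The config contents, the rule name and the user name are constructed assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or the FreeIPA project.
# Audits an OpenSSH client config for TGT forwarding (GSSAPIDelegateCredentials)
# and rewrites it to "no". The config below and all names are assumptions.

# Constructed sample ssh_config representing the risky setup: the Ansible
# controller would hand its TGT to every managed host it connects to.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# controller ssh_config (constructed sample)
Host *
    PubkeyAuthentication yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF

# Effective value of GSSAPIDelegateCredentials in a config file.
# ssh_config semantics: the first obtained value for a keyword wins.
# Comments are stripped and "keyword=value" is normalised to "keyword value".
delegation_value() {
    sed -e 's/#.*//' -e 's/=/ /' "$1" |
        awk 'tolower($1) == "gssapidelegatecredentials" { print tolower($2); exit }'
}

# Returns 0 when the config does not forward credentials (unset or "no"),
# 1 when it does, so it can gate a CI or configuration-management check.
delegation_disabled() {
    [ "$(delegation_value "$1")" != "yes" ]
}

# Rewrite any GSSAPIDelegateCredentials line to "no" (portable, avoids sed -i).
harden() {
    sed 's/^\([[:space:]]*\)GSSAPIDelegateCredentials[[:space:]=].*/\1GSSAPIDelegateCredentials no/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# With delegation off, pubkey logins hold no Kerberos ticket, so pam_sss
# cannot authenticate sudo; the thread's alternative is an IPA sudo rule that
# lets the Ansible user run sudo without authenticating (names assumed):
#   ipa sudorule-add ansible-nopasswd --hostcat=all --cmdcat=all
#   ipa sudorule-add-user ansible-nopasswd --users=ansible
#   ipa sudorule-add-option ansible-nopasswd --sudooption='!authenticate'
```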
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org