On Tue, Nov 29, 2016 at 11:45:27AM +0100, Michael Ströder wrote:
> Jakub Hrozek wrote:
> > On Tue, Nov 29, 2016 at 03:40:26AM -0000, [email protected] wrote:
> >> I don't want to
> >> cache credentials and I can't guarantee that the account will have been
> >> used to login before LDAP is offline.
> > 
> > Please note that the credential caching does not actually cache
> > plaintext passwords, but only password hashes. Moreover, the cache is
> > only accessible to the root user.
> 
> Very good for the security. But this password caching requires that the user
> has done a successful login at least once before. That's not true in practice
> because in the DevOps world admins spin up and configure VMs and containers
> without even accessing them. Even if one admin used his password during
> initial setup the admin trying to solve a problem during the night shift
> likely did not enter his password before.
> 
> Pick your poison:
> 
> 1. securely organize temporary(!) emergency access
> 
> 2. LDAP deployment has to be available all times
> 
> 3. sync user account and password hashes to /etc/passwd and /etc/shadow

Would "sss_seed" help here to add a temporary password for
some 'operator' account even if this operator never logged
in? e.g. https://linux.die.net/man/8/sss_seed

I admit I haven't tested sss_seed in quite some time, though. The user
should also exist in the LDAP directory, because the directory is always
considered authoritative and if SSSD was online and the user wasn't
found with LDAP search, then we would consider the account as removed
and remove its entry from the cache as well.
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
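As an added illustration of the sss_seed suggestion above (this is not code from the thread or from the SSSD project), the script below seeds a temporary emergency 'operator' account into the SSSD cache on a host, so the account is usable while LDAP is unreachable even though nobody has ever logged in with it there. The domain name "example.com", the user name "operator", the uid/gid 10001 and the SSS_SEED/SEED_DOMAIN override variables are assumptions for the example. It follows the caveat from the reply: the same account must also exist in the LDAP directory, because once SSSD is online the directory is authoritative and an account that cannot be found is removed from the cache.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD itself): seed a temporary
# emergency 'operator' account into the SSSD cache with sss_seed, so the
# account works while LDAP is down even though nobody has logged in with it
# on this host. Assumed values: domain "example.com", user "operator",
# uid/gid 10001. The same account must also exist in LDAP, otherwise SSSD
# drops the cache entry the next time it is online and cannot find it.
# SSS_SEED and SEED_DOMAIN are overridable only so the procedure can be
# exercised without the real binary; in production leave the defaults.

SSS_SEED="${SSS_SEED:-sss_seed}"
SEED_DOMAIN="${SEED_DOMAIN:-example.com}"

# Write the password to a root-only (0600) file. sss_seed -p reads it from
# there, so the plaintext never appears on the command line or in ps output.
# No trailing newline is written, so the file holds exactly the password.
write_passfile() {
    dir="$1"; pass="$2"
    f="$dir/operator.pw"
    (umask 077 && printf '%s' "$pass" > "$f") || return 1
    printf '%s\n' "$f"
}

# Seed the account: seed_operator USER UID GID PASSWORD.
# Returns sss_seed's exit status; the plaintext file is removed either way.
seed_operator() {
    user="$1"; uid="$2"; gid="$3"; pass="$4"
    tmp=$(mktemp -d) || return 1
    pf=$(write_passfile "$tmp" "$pass") || { rm -rf "$tmp"; return 1; }
    "$SSS_SEED" -D "$SEED_DOMAIN" -n "$user" -u "$uid" -g "$gid" \
        -h "/home/$user" -s /bin/bash -p "$pf"
    rc=$?
    # The cache stores only a hash; the plaintext must not outlive the call.
    rm -rf "$tmp"
    return $rc
}

# Example use, as root, on each host that must stay reachable during an outage
# (the password file /root/operator-tmp.pw is an assumed location):
#   seed_operator operator 10001 10001 "$(cat /root/operator-tmp.pw)"
```

Because this is emergency access (option 1 in Michael's list), treat the seeded password as temporary: rotate or remove the directory account after the incident, and remember that the cached hash is consulted only while SSSD is offline; once LDAP is reachable again the directory password is what counts.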
