On (29/11/16 12:09), Jakub Hrozek wrote:
>On Tue, Nov 29, 2016 at 11:45:27AM +0100, Michael Ströder wrote:
>> Jakub Hrozek wrote:
>> > On Tue, Nov 29, 2016 at 03:40:26AM -0000, [email protected] wrote:
>> >> I don't want to
>> >> cache credentials and I can't guarantee that the account will have been
>> >> used to log in before LDAP is offline.
>> >
>> > Please note that the credential caching does not actually cache
>> > plaintext passwords, but only password hashes. Moreover, the cache is
>> > only accessible to the root user.
>>
>> Very good for security. But this password caching requires that the user has
>> done a successful login at least once before. That's not true in practice
>> because in the DevOps world admins spin up and configure VMs and containers
>> without even accessing them. Even if one admin used his password during initial
>> setup, the admin trying to solve a problem during the night shift likely did not
>> enter his password before.
>>
>> Pick your poison:
>>
>> 1. securely organize temporary(!) emergency access
>>
>> 2. LDAP deployment has to be available at all times
>>
>> 3. sync user account and password hashes to /etc/passwd and /etc/shadow
>
>Would "sss_seed" help here to add a temporary password for
>some 'operator' account even if this operator never logged
>in? e.g. https://linux.die.net/man/8/sss_seed
>
sss_seed works well with master. @see man 8 sss_seed
But it would not solve the requirement to authenticate only in offline mode.

LS
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
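The sss_seed approach Jakub raises, as an added example that is not part of the thread and not SSSD project code: a small POSIX shell helper that seeds an emergency "operator" entry into the SSSD cache so the account can authenticate while the LDAP backend is unreachable. The domain name "example.com", the UID/GID 60001, the home and shell values, and the DRY_RUN variable are assumptions of this script (DRY_RUN is not an sss_seed option); the sss_seed flags used are the ones documented in its man page. The password is handed over through a root-only temporary file rather than on the command line, so it never shows up in process listings or shell history.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD). Seeds an emergency
# operator account into the SSSD cache with sss_seed, giving it a password
# hash that works in offline mode even though the user never logged in.
# Assumptions: sss_seed is installed and run as root; the SSSD domain is
# "example.com"; UID/GID/home/shell below are site placeholders.
# DRY_RUN=1 prints the command instead of running it (a convention of this
# script, not an sss_seed option).

# Usage: seed_operator DOMAIN USER UID GID PASSWORD
# Returns sss_seed's exit status (0 in dry-run mode).
seed_operator() {
    domain=$1; user=$2; uid=$3; gid=$4; password=$5

    # Constructed temporary file; umask 077 makes it readable only by the
    # invoking user (root), so the one-time password is never world-readable.
    passfile=$(umask 077 && mktemp) || return 1
    printf '%s\n' "$password" > "$passfile"

    # The user may be unknown to NSS while LDAP is down, so UID, GID, home and
    # shell are given explicitly; --password-file keeps the secret off argv.
    cmd="sss_seed --domain $domain --username $user --uid $uid --gid $gid \
--home /home/$user --shell /bin/bash --password-file $passfile"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
        rc=0
    else
        # shellcheck disable=SC2086
        $cmd
        rc=$?
    fi

    # Remove the password file regardless of outcome.
    rm -f "$passfile"
    return $rc
}

# Confirms the seeded entry is visible through NSS (sss must be in nsswitch).
# Usage: operator_is_cached USER
operator_is_cached() {
    getent passwd "$1" >/dev/null 2>&1
}

# Example invocation (replace the password with one generated for the outage):
# seed_operator example.com operator 60001 60001 "$(cat /root/operator.otp)" \
#     && operator_is_cached operator
```

Seed the entry while LDAP is still reachable and test a login with the seeded password before relying on it; as LS notes, this gives an offline fallback but does not make the account offline-only, so rotate or remove the seeded password once the outage is over.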
