On Tue, 2016-11-29 at 12:49 +0100, Lukas Slebodnik wrote:
> On (29/11/16 12:09), Jakub Hrozek wrote:
> >On Tue, Nov 29, 2016 at 11:45:27AM +0100, Michael Ströder wrote:
> >> Jakub Hrozek wrote:
> >> > On Tue, Nov 29, 2016 at 03:40:26AM -0000, [email protected] wrote:
> >> >> I don't want to
> >> >> cache credentials and I can't guarantee that the account will have been
> >> >> used to log in before LDAP is offline.
> >> >
> >> > Please note that the credential caching does not actually cache
> >> > plaintext passwords, but only password hashes. Moreover, the cache is
> >> > only accessible to the root user.
> >>
> >> Very good for the security. But this password caching requires that the
> >> user has done a successful login at least once before. That's not true in
> >> practice because in the DevOps world admins spin up and configure VMs and
> >> containers without even accessing them. Even if one admin used his password
> >> during initial setup, the admin trying to solve a problem during the night
> >> shift likely did not enter his password before.
> >>
> >> Pick your poison:
> >>
> >> 1. securely organize temporary(!) emergency access
> >>
> >> 2. LDAP deployment has to be available at all times
> >>
> >> 3. sync user account and password hashes to /etc/passwd and /etc/shadow
> >
> >Would "sss_seed" help here to add a temporary password for
> >some 'operator' account even if this operator never logged
> >in? e.g. https://linux.die.net/man/8/sss_seed
> >
> sssd_seed works well with master. @see man 8 sss_seed
>
> But it would not solve the requirement to authenticate only in offline mode.
It would if you remove the password in LDAP and make sure a bind always fails. Then it would work only in offline mode, with the seeded password.

But this "only offline" thing seems a red herring: it is easy to cause a machine to go offline (therefore "unlocking" this account), so it is not clear to me why this is an actual requirement.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
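The seeding step discussed in the reply above, as an added example that is not part of the thread or of the sssd project: a small POSIX sh wrapper that refuses to seed unless the domain section of sssd.conf has cache_credentials enabled (offline authentication never consults the cache otherwise), and then calls sss_seed with the -D/-n/-p options from its man page. The domain name example.com, the account name operator, the helper names cache_enabled and seed_operator, and the SSSD_CONF override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the sssd project or from anyone in this thread.
# Assumed: domain "example.com", account "operator", config at /etc/sssd/sssd.conf
# (override with SSSD_CONF), and a root-owned, mode-0600 file holding the password.

CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"

# Return 0 if the [domain/<name>] section sets cache_credentials to true/yes.
# A seeded password is only used for offline authentication, and that path is
# only taken when the domain caches credentials.  Usage: cache_enabled DOMAIN FILE
cache_enabled() {
    awk -v dom="$1" '
        /^[ \t]*\[/ {                      # section header: are we in our domain?
            hdr = $0; sub(/^[ \t]*/, "", hdr); sub(/[ \t]*$/, "", hdr)
            in_dom = (hdr == "[domain/" dom "]")
        }
        in_dom && /^[ \t]*cache_credentials[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            val = tolower(v)
        }
        END { ok = (val == "true" || val == "yes"); exit (ok ? 0 : 1) }
    ' "$2"
}

# Seed (or refresh) the cache entry for an account with a temporary password so
# that it can log in while SSSD is offline.
# Usage: seed_operator DOMAIN USER PASS_FILE [extra sss_seed options]
# Extra options are passed through to sss_seed; an account that SSSD has never
# looked up may need identity attributes such as -u UID / -g GID (see man 8 sss_seed).
seed_operator() {
    dom="$1"; user="$2"; pwfile="$3"; shift 3
    cache_enabled "$dom" "$CONF" || {
        echo "cache_credentials is not enabled for [domain/$dom] in $CONF" >&2
        return 1
    }
    [ -r "$pwfile" ] || { echo "password file $pwfile is not readable" >&2; return 1; }
    command -v sss_seed >/dev/null 2>&1 || { echo "sss_seed is not installed" >&2; return 2; }
    sss_seed -D "$dom" -n "$user" -p "$pwfile" "$@"
}

# Run as: ./seed.sh example.com operator /root/operator.pass
if [ $# -ge 3 ]; then
    seed_operator "$@"
fi
```

Run it as root, since both the SSSD cache and sss_seed are root-only. The seeded hash is only consulted while SSSD is offline; as long as the LDAP server answers, the bind there decides, which is why the reply above pairs seeding with removing the password in LDAP, and why it warns that "offline" is a state anyone who can unplug the box can induce.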
