That is entirely correct. I thought the access checks were done in auth,
not in account. My mistake!
Sincerely,
Zach
On Mon, Apr 17, 2017 at 4:46 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
On Fri, Apr 14, 2017 at 08:10:35PM -0000, zachhh(a)temple.edu wrote:
> Hi list,
>
> This is more of a feature request, and I don't know if this is the right venue to ask. If not, kindly direct me to the proper place.
>
> The sssd configuration separates identity, authentication, and access providers. It would be nice to specify that only the access provider be enforced in a particular PAM stack. Generically, this is the authn vs authz issue. I would like to be able to use sssd for authz exclusively in some instances where other authentication is deemed satisfactory.
>
> Use cases:
> ssh with public key + 2nd factor token authentication + sssd access filtering
> su without password + sssd access filtering
> custom service with external authentication + sssd access filtering
>
> I haven't delved too deeply into the sssd source to see how hard it would be to implement something like a pam argument authz_only that skips the auth provider, but it seems like it should be reasonable.
>
> Thoughts?
Since this option would be set in the PAM service file anyway, does it
make sense to even include pam_sss.so in the PAM stack's auth session?
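
The thread settles on calling pam_sss.so only from the account phase of a service's PAM stack. The following check is an added example, not part of the thread or of SSSD: it reports whether a service file uses pam_sss.so for access control only. Both sample files are constructed, and `pam_external_auth.so` is a hypothetical module name.

```python
import re

# Constructed sample service file (not from the thread). pam_external_auth.so
# is a hypothetical stand-in for whatever module authenticates the user.
AUTHZ_ONLY = """\
#%PAM-1.0
auth      required    pam_external_auth.so
account   required    pam_sss.so
-session  optional    pam_sss.so
"""

# Constructed sample in which sssd authenticates as well as authorizes.
AUTH_AND_AUTHZ = """\
auth      sufficient  pam_unix.so nullok
auth      [success=done default=die]  pam_sss.so use_first_pass
account   [default=bad success=ok user_unknown=ignore]  pam_sss.so
session   include     system-auth
"""

# type, control (keyword or [value=action ...]), module path or included file
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(service_text):
    """Yield (type, control, target) for each rule, skipping comments."""
    for raw in service_text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            yield m.groups()

def sss_types(service_text):
    """PAM management groups in which this file calls pam_sss.so directly."""
    return {t for t, _, target in parse(service_text)
            if target.rsplit("/", 1)[-1] == "pam_sss.so"}

def unresolved_includes(service_text):
    """Rules that pull in another file, which has to be audited separately."""
    return {(t, target) for t, ctl, target in parse(service_text)
            if ctl in ("include", "substack")}

def classify(service_text):
    types = sss_types(service_text)
    if "account" not in types:
        return "no-sssd-access-check"
    return "auth+authz" if "auth" in types else "authz-only"

if __name__ == "__main__":
    for name, text in (("authz-only sample", AUTHZ_ONLY),
                       ("auth+authz sample", AUTH_AND_AUTHZ)):
        print(name, classify(text), sorted(unresolved_includes(text)))
```

A file classified as "no-sssd-access-check" may still reach pam_sss.so through an included file, so the output of `unresolved_includes` has to be followed up before drawing that conclusion.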