On (29/11/16 12:09), Jakub Hrozek wrote:
> On Tue, Nov 29, 2016 at 11:45:27AM +0100, Michael Ströder wrote:
> > Jakub Hrozek wrote:
> > > On Tue, Nov 29, 2016 at 03:40:26AM -0000, kevin4sullivan(a)gmail.com wrote:
> > >> I don't want to
> > >> cache credentials and I can't guarantee that the account will have been
> > >> used to login before LDAP is offline.
> > >
> > > Please note that the credential caching does not actually cache
> > > plaintext passwords, but only password hashes. Moreover, the cache is
> > > only accessible to the root user.
> >
> > Very good for the security. But this password caching requires that the user has
> > done a successful login at least once before. That's not true in practice
> > because in the DevOps world admins spin up and configure VMs and containers
> > without even accessing them. Even if one admin used his password during initial
> > setup the admin trying to solve a problem during the night shift likely did not
> > enter his password before.
> >
> > Pick your poison:
> >
> > 1. securely organize temporary(!) emergency access
> >
> > 2. LDAP deployment has to be available all times
> >
> > 3. sync user account and password hashes to /etc/passwd and /etc/shadow
Would "sss_seed" help here to add a temporary password for
some 'operator' account even if this operator never logged
in? e.g.
https://linux.die.net/man/8/sss_seed
sss_seed works well with master. @see man 8 sss_seed
But it would not solve the requirement to authenticate only in offline mode.
LS
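The sss_seed approach suggested above, as an added example that is not part of the thread or of the SSSD project: a small POSIX shell wrapper that seeds a cached password for an "operator" account without the password ever appearing on the command line or in shell history. It assumes sssd is installed with the domain already configured, that it runs as root (sss_seed requires this), and uses the documented `-D`/`-n`/`-p` options of sss_seed; the domain and user names are placeholders. As LS notes, this only makes the account usable while LDAP is down; it does not limit it to offline use, so the seeded password should be treated as a temporary emergency credential and rotated once LDAP is back.

```shell
#!/bin/sh
# Added example (not from the thread): seed a temporary cached password for an
# operator account into the SSSD cache so it works while LDAP is unreachable.
# Assumes: sssd installed, the domain exists in sssd.conf, running as root.
set -eu

# Write the password into a root-only temp file (never on the command line).
# Prints the path of the file it created.
write_password_file() {
    pwfile=$(mktemp) || return 1
    chmod 0600 "$pwfile"
    printf '%s\n' "$1" > "$pwfile"
    printf '%s\n' "$pwfile"
}

# True only if the file is readable by its owner alone (mode 0600 or 0400).
password_file_is_private() {
    case $(stat -c '%a' "$1") in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Seed the cache entry: sss_seed -D DOMAIN -n USER -p PASSWORD_FILE.
# Refuses to proceed if the password file is readable by other users.
seed_operator() {
    domain=$1
    user=$2
    pwfile=$3
    if ! password_file_is_private "$pwfile"; then
        echo "refusing: $pwfile is not mode 0600" >&2
        return 2
    fi
    sss_seed -D "$domain" -n "$user" -p "$pwfile"
}

# Remove the password file; overwrite it first when shred is available.
cleanup_password_file() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        rm -f "$1"
    fi
}

# Usage (as root), password read from stdin so it stays out of history:
#   printf '%s' "$TEMP_PASS" | ./seed_operator.sh --run example.com operator
if [ "${1:-}" = "--run" ]; then
    IFS= read -r pass
    pwfile=$(write_password_file "$pass")
    seed_operator "$2" "$3" "$pwfile"
    cleanup_password_file "$pwfile"
fi
```

Because the password file is created with mode 0600 and removed right after seeding, the only copy of the credential that remains is the hash in the root-only SSSD cache, which is the property Jakub describes above; the mode check guards against an operator reusing a pre-existing, world-readable file.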