On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
> John Hodrien J.H.Hodrien@leeds.ac.uk wrote on 2014/09/25 11:22:52:
> How is local root pw any different than domain pw? In your view remote root access is a big no-no, so sssd should also enforce no remote root login in that case. I have no problem using local root pw when I know what it is, but I don't care to memorize them all; besides, users can change local root pw.
It isn't, but sssd isn't in a position to enforce it for local accounts. ssh is, which is why ssh provides the option:
AllowRoot without-password
If users change local root passwords they can equally well break sssd. They're unlikely to remove an authorized_keys file, and if they do, discipline them. I can't see what advantage you have using a network root credential over an ssh key, or a kerberos ticket.
> You just said it: "best practice", not a law. In this context, sssd dictates policy and that is not sssd's call to make IMHO. You should encourage best practice though. One day we will get there but not today :)
SSSD dictates what it does to be safe. I've no problem with that default.
> Finally, why are you not up front with this policy? Nowhere I can find is this documented, and since this is an unusual enforcement you should document this limitation in "big letters" so everyone is aware beforehand; it sure would have saved me a lot of time.
It might be worth forgiving sssd a little here.
auth requisite pam_succeed_if.so uid >= 500 quiet
You've almost certainly got something like this in pam. Not accepting network auth for local system accounts is a normal PAM policy.
jh
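Added example, not from the thread and not SSSD's or Linux-PAM's own code: a small Python model of how the auth stack John quotes decides a login. It walks constructed stack text with Linux-PAM's required/requisite/sufficient control-flag semantics, treats pam_unix as the local shadow file and pam_sss as the domain directory, and shows that a domain-held password for root never reaches pam_sss while the `pam_succeed_if.so uid >= 500` line sits in front of it, and does reach it once that line is removed. The account table, the passwords, and every stack line other than the quoted pam_succeed_if one are constructed for the example; SSSD's own refusal to serve root (the behaviour the thread argues about) is deliberately left out so the effect of the PAM guard is visible on its own. The threshold 500 is taken from the quoted line; newer distributions start ordinary users at 1000.

```python
"""Model of a Linux-PAM 'auth' stack deciding local-vs-network logins.

Constructed example. The only line taken from the mailing-list thread is the
pam_succeed_if.so one; accounts, passwords and the other stack lines are
stand-ins chosen to make the control flow visible.
"""

# Constructed NSS view (local passwd plus what SSSD would publish): name -> uid
USERS = {"root": 0, "alice": 1000}
# Constructed /etc/shadow: only root has a local password here
LOCAL_SHADOW = {"root": "local-root-pw"}
# Constructed domain directory; it carries a 'root' entry to mirror the
# "network root credential" discussed in the thread
DOMAIN_PASSWORDS = {"root": "domain-root-pw", "alice": "alice-pw"}

# Constructed stack in the style of a Fedora/RHEL system-auth file.
SYSTEM_AUTH = """\
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required   pam_deny.so
"""

# The same stack with the uid guard removed: the weak configuration.
SYSTEM_AUTH_NO_GUARD = "\n".join(
    line for line in SYSTEM_AUTH.splitlines() if "pam_succeed_if" not in line)

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b,
        "=": lambda a, b: a == b, "!=": lambda a, b: a != b}


def parse_stack(text):
    """Return [(control, module, [args...])] for every 'auth' line."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2], fields[3:]))
    return stack


def run_module(module, args, user, password):
    """Return True for PAM_SUCCESS, False for any failure code."""
    if module == "pam_env.so":
        return True
    if module == "pam_deny.so":
        return False
    if module == "pam_unix.so":                  # local shadow lookup
        return user in LOCAL_SHADOW and LOCAL_SHADOW[user] == password
    if module == "pam_sss.so":                   # domain lookup via SSSD
        return user in DOMAIN_PASSWORDS and DOMAIN_PASSWORDS[user] == password
    if module == "pam_succeed_if.so":
        if user not in USERS:                    # account cannot be resolved
            return False
        for i, tok in enumerate(args):           # only 'uid <op> N' is modelled
            if tok == "uid" and i + 2 < len(args) and args[i + 1] in _OPS:
                return _OPS[args[i + 1]](USERS[user], int(args[i + 2]))
        raise ValueError("only 'uid <op> N' conditions are modelled")
    raise ValueError("unknown module " + module)


def authenticate(user, password, stack_text=SYSTEM_AUTH):
    """Walk the stack Linux-PAM style; return (granted, trace of module results)."""
    failed_required = False
    trace = []
    for control, module, args in parse_stack(stack_text):
        ok = run_module(module, args, user, password)
        trace.append(f"{module}:{'ok' if ok else 'fail'}")
        if control == "requisite" and not ok:
            return False, trace        # stop at once; later modules never run
        if control == "required" and not ok:
            failed_required = True     # remember, but keep walking the stack
        if control == "sufficient" and ok and not failed_required:
            return True, trace         # short-circuit success
    return not failed_required, trace


if __name__ == "__main__":
    for stack_name, stack in (("with uid guard", SYSTEM_AUTH),
                              ("without uid guard", SYSTEM_AUTH_NO_GUARD)):
        print(stack_name)
        for user, pw in (("root", "local-root-pw"), ("root", "domain-root-pw"),
                         ("alice", "alice-pw"), ("bob", "anything")):
            granted, trace = authenticate(user, pw, stack)
            print(f"  {user:5} {'granted' if granted else 'denied ':8} {' -> '.join(trace)}")
```

With the guard present the root/domain-password attempt stops at pam_succeed_if, so pam_sss is never asked about root at all; remove the guard and the same attempt succeeds through pam_sss. That is the policy John is pointing at: whether or not sssd refuses root, the stack in front of it already does.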