0

I have set up freeIPA/Kerberos authentication for my domain and it works well. I have a service that does not support server-based auth, only local auth via /etc/passwd. Is there a method to cache passwords from freeIPA to local disk, which I can then automate via a cron job or systemctl service?

Vince

1 Answer

4

Kerberos never allows the client to get its hand on the password or a hash of the password (like many of the good authentication systems do). This basically means that you cannot do this.

The behavior that you describe for that application means that it doesn't use PAM but instead it directly manipulates /etc/passwd and /etc/shadow. Otherwise it would go through nsswitch and work as expected no matter where the login info is stored. You should avoid such things.

Florin Asăvoaie
  • Thanks. So basically, if a service only supports local auth (no PAM support), then there is no way I can authorize users via freeIPA, or any centralized auth for that matter? – Vince Nov 30 '15 at 00:41
  • 1
    That is correct. – womble Nov 30 '15 at 00:57
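The distinction the answer draws between reading /etc/passwd directly and resolving accounts through nsswitch can be checked per account. The following is an added example, not part of the original thread: it compares a direct parse of passwd(5) text with an NSS lookup (`pwd.getpwnam`, which calls the libc resolver). The sample passwd text, the `FAKE_DIRECTORY` mapping and all function names are constructed for illustration.

```python
import pwd
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data: two local accounts, one directory-only account.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "# local service account\n"
    "svc_backup:x:998:998::/var/lib/backup:/sbin/nologin\n"
    "broken-line-without-fields\n"
)
FAKE_DIRECTORY = {"root": 0, "alice": 1234600001}  # stands in for NSS (files + sss)

def parse_passwd(text: str) -> Dict[str, int]:
    """What a files-only application sees: {name: uid} from passwd(5) text."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":   # comments and NIS compat entries
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue                        # malformed entry, ignore
        users.setdefault(fields[0], int(fields[2]))  # first entry wins
    return users

def nss_uid(name: str) -> Optional[int]:
    """What an NSS-aware application sees: UID via nsswitch, or None."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None

def classify(names: Iterable[str], passwd_text: str,
             resolve: Callable[[str], Optional[int]] = nss_uid) -> Dict[str, str]:
    """Label each account by where a lookup can find it."""
    local = parse_passwd(passwd_text)
    out: Dict[str, str] = {}
    for name in names:
        uid = resolve(name)
        if name in local:
            # Same name in the file and in another source with a different UID.
            conflict = uid is not None and uid != local[name]
            out[name] = "local-conflict" if conflict else "local"
        elif uid is not None:
            out[name] = "directory-only"    # invisible to a files-only service
        else:
            out[name] = "unknown"
    return out

if __name__ == "__main__":
    for user, status in classify(["root", "alice", "mallory"],
                                 SAMPLE_PASSWD, FAKE_DIRECTORY.get).items():
        print(f"{user}: {status}")
```

On a real host, pass the contents of /etc/passwd and leave `resolve` at its default; every account reported as `directory-only` is one the files-only service cannot authenticate.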