Channel: linuxadmin: Expanding Linux SysAdmin knowledge

ssh key only with AD authentication.


Hi All,

I'm currently designing our Linux admin policy at a 90% Windows shop with a small but growing Linux presence.

What we currently have internally is a few Linux boxes with local accounts and password auth. What I've successfully tested on my dev box:

  * Domain joining our CentOS boxes using sssd (super easy).
  * Key-only authentication to local accounts.
  * Domain password authentication over SSH for our admin accounts.
  * Sudo auth for Active Directory groups.

The rough idea I've sketched out for where I want to get to is this.

  1. Admins on the Windows side have a separate Windows account with domain or server admin.
  2. I will not use this account for Linux admin; instead it will be regular accounts, with a restricted 'sudo' group that only the domain admins can administer. Linux admins will be added to this group for their regular account.
  3. Linux admins will log into the box with their regular account and SSH key. Sudo is granted via the sudo AD group.

All of this config will be handled via Puppet, but I've got a break in my understanding that I can't find the right Google terms for.

I want AD-integrated login so I don't need to create logins on every Linux box. I ALSO want only users with an SSH key to be able to log in.

I don't understand the connection between AD and Linux boxes when using SSH keys at all (when using no password over SSH). I simply don't get it and it feels like I'm missing something obvious. If I'm not required to put a password (because SSH), then how is it ever going to authenticate to Active Directory?

I hope this makes sense; I can clarify further.

submitted by /u/dogfish182