aboutsummaryrefslogtreecommitdiff
path: root/roles
diff options
context:
space:
mode:
authorGravatar Jonas Gunz <himself@jonasgunz.de> 2023-03-11 14:44:08 +0100
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2023-03-11 14:44:08 +0100
commit18cdc71f9a55fa50fdb16cfeca5dfd8741375519 (patch)
tree467d7a3c1cf71d84fd5fc900f298ee85b6cc37c1 /roles
parent5d9ad9fcbdb1868a73642889abd5d47d8ec4a135 (diff)
downloadansible_collection-18cdc71f9a55fa50fdb16cfeca5dfd8741375519.tar.gz
sssd: allow ssh login via key
Diffstat (limited to 'roles')
-rw-r--r--roles/sssd/defaults/main.yml1
-rw-r--r--roles/sssd/files/sshd_sss_authorized_keys.conf5
-rw-r--r--roles/sssd/handlers/main.yml5
-rw-r--r--roles/sssd/tasks/main.yml9
4 files changed, 20 insertions, 0 deletions
diff --git a/roles/sssd/defaults/main.yml b/roles/sssd/defaults/main.yml
index 381bb74..4544fb3 100644
--- a/roles/sssd/defaults/main.yml
+++ b/roles/sssd/defaults/main.yml
@@ -8,3 +8,4 @@ sssd_ldap:
user_dn: 'ou=users,dc=example,dc=com'
group_dn: 'ou=groups,dc=example,dc=com'
access_filter: '&(objectClass=posixAccount)'
+ sshd_keys_from_sss: false
diff --git a/roles/sssd/files/sshd_sss_authorized_keys.conf b/roles/sssd/files/sshd_sss_authorized_keys.conf
new file mode 100644
index 0000000..e4f17bd
--- /dev/null
+++ b/roles/sssd/files/sshd_sss_authorized_keys.conf
@@ -0,0 +1,5 @@
+# vi: ft=sshdconfig
+# This file is managed by Ansible. Do NOT change.
+
+AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+AuthorizedKeysCommandUser nobody
diff --git a/roles/sssd/handlers/main.yml b/roles/sssd/handlers/main.yml
index ac65088..add6945 100644
--- a/roles/sssd/handlers/main.yml
+++ b/roles/sssd/handlers/main.yml
@@ -4,3 +4,8 @@
name: sssd
state: restarted
become: yes
+- name: Restart sshd
+ systemd:
+ name: sshd
+ state: restarted
+ become: yes
diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml
index a7f2b5e..e24cdfd 100644
--- a/roles/sssd/tasks/main.yml
+++ b/roles/sssd/tasks/main.yml
@@ -35,3 +35,12 @@
line: 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'
insertafter: '^session optional pam_sss\.so'
become: yes
+
+- name: Configure SSH Key login via LDAP
+ copy:
+ src: sshd_sss_authorized_keys.conf
+ dest: /etc/ssh/sshd_config.d/sss_authorized_keys.conf
+ become: yes
+ when: sssd_ldap.sshd_keys_from_sss | default(false)
+ notify:
+ - Restart sshd