SSSD Didn't Get the Memo: Disabled Accounts and Stale Keys with Active Directory

This post covers setting up SSH public key authentication on AD-joined Linux hosts using SSSD and sss_ssh_authorizedkeys, and two security issues I found in a common SSSD configuration while testing the setup in a lab environment.

The pattern stores SSH public keys in Active Directory. SSSD fetches them at login time via the ldap_user_ssh_public_key attribute mapping and hands them to sshd. The relevant snippet in /etc/ssh/sshd_config:

    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u
    AuthorizedKeysCommandUser nobody

During testing, two issues surfaced that are worth documenting: disabled AD accounts could authenticate via SSH key, and revoked keys remained valid for up to 90 minutes after removal from AD. ...
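While the first issue is open on a host, the practical defensive check is to look for successful publickey logins by accounts that AD already marks as disabled. The script below is an added example written for this post, not code from the original article or from the SSSD project. It assumes the standard sshd "Accepted publickey for USER from ..." log format, a user name that may carry an @REALM suffix as SSSD often presents it, and a plain list of disabled sAMAccountNames exported from AD by whatever means you have. Both the log lines and the disabled list are constructed sample data.

```shell
#!/bin/sh
# Constructed sample sshd log lines (not taken from the original post) as they would
# appear in auth.log or the journal on a host using sss_ssh_authorizedkeys.
SAMPLE_AUTH_LOG='Mar 21 09:14:02 lab-host sshd[4121]: Accepted publickey for alice@LAB.EXAMPLE from 10.0.0.5 port 51022 ssh2: RSA SHA256:placeholder1
Mar 21 09:15:17 lab-host sshd[4130]: Accepted publickey for bob@LAB.EXAMPLE from 10.0.0.6 port 51030 ssh2: ED25519 SHA256:placeholder2
Mar 21 09:16:44 lab-host sshd[4142]: Accepted password for carol@LAB.EXAMPLE from 10.0.0.7 port 51041 ssh2
Mar 21 09:18:03 lab-host sshd[4150]: Accepted publickey for dave@LAB.EXAMPLE from 10.0.0.8 port 51050 ssh2: RSA SHA256:placeholder3'

# Constructed list of accounts currently disabled in AD, one sAMAccountName per line.
# In practice this is exported from AD (hypothetical source, e.g. a userAccountControl query).
DISABLED_ACCOUNTS='bob
dave'

# Print every "Accepted publickey" line whose login name (with any @REALM suffix
# stripped) appears in the disabled-accounts file.
# Arguments: $1 = path to the sshd log, $2 = path to the disabled-accounts file.
flag_disabled_key_logins() {
    awk -v disabled_file="$2" '
        BEGIN {
            # Load the disabled accounts into a lookup table, skipping blank lines.
            while ((getline line < disabled_file) > 0) {
                if (line != "") disabled[line] = 1
            }
        }
        # Only key-based logins matter here; password logins are governed by PAM.
        /sshd\[[0-9]+\]: Accepted publickey for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") {
                    user = $(i + 1)
                    sub(/@.*$/, "", user)   # alice@LAB.EXAMPLE -> alice
                    if (user in disabled) print
                    break
                }
            }
        }
    ' "$1"
}

# Run the check over the constructed sample and return the number of flagged logins.
count_sample_hits() {
    tmpdir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_AUTH_LOG" > "$tmpdir/auth.log"
    printf '%s\n' "$DISABLED_ACCOUNTS" > "$tmpdir/disabled.txt"
    flag_disabled_key_logins "$tmpdir/auth.log" "$tmpdir/disabled.txt" | wc -l | tr -d ' '
    rm -rf "$tmpdir"
}
```

Against the sample, bob and dave are flagged (two lines) while carol is not, because her login was a password login and is therefore subject to the PAM account check that publickey logins in this setup bypass. Run it with a real log and a fresh export of disabled accounts to find any logins that slipped through; for the second issue, SSSD's default entry_cache_timeout of 5400 seconds lines up with the 90-minute window the post reports, so a removed key should be treated as live for at least that long unless the cache is flushed.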

March 21, 2026 · 7 min · Malcolm Frazier