@Pete-S said in sssd and user ID mapping:
@Pete-S If it is an issue, it's trivial enough to prevent public key authentication for users or groups of users, even groups of AD users.
Sure, but the problem for developers and admins is that they usually need their keys. That's why I don't think ad/ldap integration with ssh users really works in that use case.
The other solution, which is what I think is more suitable for developers and admins, is to use your SSO/AD solution with MFA to pickup a short-lived ssh certificate. Then you use the ssh certificate to actually access things.
Many companies with huge infrastructures use this method because it's very scalable.
We forced kerberos for SSH auth after we enabled AD integration. SSH works like keys then but you don't use the keys.
Never used it but it seems to be a good solution if you want AD integration.
I noticed that gitlab also supports kerberos for pushing and pulling. I assume github does too. That's very convenient.
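The short-lived certificate flow described in the thread (SSO/MFA first, then a signed SSH certificate instead of a static key), as an added example that is not part of any post above: a POSIX shell script that plays the role of the CA service, signs a user's public key with a validity window and a list of principals, and reads the result back the way sshd would. It needs only `ssh-keygen` from OpenSSH; the file names, principals (`alice`, `developers`), lifetimes, and the `/etc/ssh/principals/%u` layout in the comments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): issue a short-lived SSH user certificate
# the way an SSO/MFA-backed CA service would, then inspect the result.
# Requires ssh-keygen from OpenSSH. File names, principals and lifetimes are
# assumptions chosen for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. CA key pair. Only the CA service holds user_ca; servers get user_ca.pub.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'sso-user-ca' -f "$WORK/user_ca"
    printf '%s\n' "$WORK/user_ca.pub"
}

# 2. The user's ordinary key pair; the private half never leaves the user's machine.
make_user_key() {
    ssh-keygen -q -t ed25519 -N '' -C "$1@workstation" -f "$WORK/$1"
    printf '%s\n' "$WORK/$1.pub"
}

# 3. After the user has passed SSO+MFA, sign their public key:
#    -I  key ID, logged by sshd on every login (ties the session to the SSO identity)
#    -n  principals the cert may claim (user name and/or AD group names)
#    -V  validity window, e.g. +8h for a working day; an expired cert is useless
#    -O  clear all extensions, then permit only what this role needs
issue_cert() {
    user="$1"; principals="$2"; lifetime="$3"
    [ -f "$WORK/user_ca" ] || make_ca >/dev/null
    ssh-keygen -q -s "$WORK/user_ca" -I "sso:$user" -n "$principals" -V "$lifetime" \
        -O clear -O permit-pty "$WORK/$user.pub"
    printf '%s\n' "$WORK/$user-cert.pub"
}

# Read fields back from `ssh-keygen -L` (the same data sshd checks before trusting the cert).
cert_key_id() {
    ssh-keygen -L -f "$1" | sed -n 's/^ *Key ID: *//p' | tr -d '"'
}
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^ *Principals:/        { f = 1; next }
        /^ *Critical Options:/  { f = 0 }
        f { sub(/^ +/, ""); s = s (s ? "," : "") $0 }
        END { print s }'
}
# True when the "to" timestamp is already in the past. ssh-keygen and date both
# print local time in ISO order, so a plain string sort is enough to compare.
cert_expired() {
    to=$(ssh-keygen -L -f "$1" | sed -n 's/^ *Valid: from .* to //p')
    now=$(date +%Y-%m-%dT%H:%M:%S)
    [ "$to" != "$now" ] && [ "$(printf '%s\n%s\n' "$to" "$now" | sort | head -n 1)" = "$to" ]
}

# Server side (assumed paths), added to sshd_config on every host:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   AuthorizedPrincipalsFile /etc/ssh/principals/%u
# /etc/ssh/principals/deploy would list "developers", so anyone whose cert carries
# that principal may log in as the local "deploy" account; no authorized_keys needed.
# Client side: "ssh -i alice host" picks up alice-cert.pub next to the key automatically.

demo() {
    ca_pub=$(make_ca)
    make_user_key alice >/dev/null
    cert=$(issue_cert alice "alice,developers" +8h)
    echo "CA to pin in TrustedUserCAKeys: $(ssh-keygen -lf "$ca_pub")"
    echo "key id: $(cert_key_id "$cert")  principals: $(cert_principals "$cert")"
    # A cert whose window closed an hour ago: the CA can still sign it, no server accepts it.
    make_user_key bob >/dev/null
    old=$(issue_cert bob "bob" "-2h:-1h")
    if cert_expired "$old"; then
        echo "bob's cert is expired; he must go back through SSO/MFA for a new one"
    fi
}

if command -v ssh-keygen >/dev/null 2>&1; then demo; fi
```

The point of `-O clear` before `-O permit-pty` is that a certificate for a CI or deploy role can be issued with no pty, no agent forwarding and no port forwarding at all, and `-I` gives you an audit trail in the sshd log that a bare `authorized_keys` entry never provides. Because validity is enforced by the server from the certificate itself, there is nothing to revoke when someone leaves: their last certificate simply runs out.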