/docker-authfromhost

Use the authentication of the host in the docker containers, using sss-proxy

Primary language: Dockerfile. License: GNU General Public License v3.0 (GPL-3.0)

This allows you to authenticate to the services in your containers using your host account (from this blog post).



Versions

This docker image is available with the following base systems.

Debian

Release Size
debian-stretch
debian-stretch-slim
debian-buster
debian-buster-slim
debian-bullseye
debian-bullseye-slim
debian-sid
debian-sid-slim

Usage

Quick test container :

The sssd daemon's pipes directory must be mounted from the host into the container:

$ docker run -ti --rm \
  -v /var/lib/sss/pipes/:/var/lib/sss/pipes/ \
  francois75/docker-authfromhost:debian-buster \
  /bin/bash -l

For your docker images

Use it like any other image, using the tag to specify the system and release.

FROM francois75/docker-authfromhost:debian

Configure the host

Here are the steps to get your host ready.

Debian host :

  • Install sssd
# apt install sssd
  • Configure pam

/etc/pam.d/sss_proxy :

auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
  • Configure sssd (file must be owned by root and permission set to 0600)

/etc/sssd/sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = proxy

[nss]

[pam]

[domain/proxy]
id_provider = proxy
# The proxy provider will look into /etc/passwd for user info
proxy_lib_name = files
# The proxy provider will authenticate against /etc/pam.d/sss_proxy
proxy_pam_target = sss_proxy
  • Restart sssd and verify a user can be retrieved with sssd
# chown root:root /etc/sssd/sssd.conf
# chmod 0600 /etc/sssd/sssd.conf
# systemctl restart sssd
$ getent passwd -s sss localuser

Archlinux host :

  • Install sssd
# pacman -S sssd
  • Configure pam

/etc/pam.d/sss_proxy :

auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
  • Configure sssd (file must be owned by root and permission set to 0600)

/etc/sssd/sssd.conf :

[sssd]
services = nss, pam
config_file_version = 2
domains = proxy

[nss]

[pam]

[domain/proxy]
id_provider = proxy
# The proxy provider will look into /etc/passwd for user info
proxy_lib_name = files
# The proxy provider will authenticate against /etc/pam.d/sss_proxy
proxy_pam_target = sss_proxy
  • Restart sssd and verify a user can be retrieved with sssd
# chown root:root /etc/sssd/sssd.conf
# chmod 0600 /etc/sssd/sssd.conf
# systemctl enable sssd
Created symlink /etc/systemd/system/multi-user.target.wants/sssd.service → /usr/lib/systemd/system/sssd.service.
# systemctl restart sssd
$ getent passwd -s sss localuser
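
The host steps above (Debian and Archlinux alike) can be checked with a script like the following. It is an added example, not part of this project; the function names check_sss_proxy_host and ini_get and their arguments are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the host files created in the steps above.
# check_sss_proxy_host, ini_get and their arguments are hypothetical names.
# Assumes GNU stat (as shipped on Debian and Arch Linux).

# Print the value of KEY inside [SECTION] of an sssd.conf-style file.
ini_get() { # usage: ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                           # comment line
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Return 0 when CONF and the PAM target it names match the setup above.
# OWNER_UID defaults to 0 (root); it is a parameter only so the check can
# be exercised on constructed files without root.
check_sss_proxy_host() { # usage: check_sss_proxy_host CONF PAM_DIR [OWNER_UID]
    conf=$1; pam_dir=$2; want_uid=${3:-0}; rc=0
    [ -f "$conf" ] || { echo "FAIL: $conf not found" >&2; return 1; }

    [ "$(stat -c %u "$conf")" = "$want_uid" ] ||
        { echo "FAIL: $conf is not owned by uid $want_uid" >&2; rc=1; }
    [ "$(stat -c %a "$conf")" = 600 ] ||
        { echo "FAIL: $conf mode is not 0600" >&2; rc=1; }

    for svc in nss pam; do      # both responders must be enabled
        case ",$(ini_get "$conf" sssd services | tr -d ' ')," in
            *",$svc,"*) ;;
            *) echo "FAIL: '$svc' missing from [sssd] services" >&2; rc=1 ;;
        esac
    done

    for dom in $(ini_get "$conf" sssd domains | tr ',' ' '); do
        [ "$(ini_get "$conf" "domain/$dom" id_provider)" = proxy ] || continue
        [ -n "$(ini_get "$conf" "domain/$dom" proxy_lib_name)" ] ||
            { echo "FAIL: [domain/$dom] has no proxy_lib_name" >&2; rc=1; }
        target=$(ini_get "$conf" "domain/$dom" proxy_pam_target)
        # proxy_pam_target must name a PAM service file with an auth stack
        grep -Eqs '^[[:space:]]*auth[[:space:]]' "$pam_dir/$target" ||
            { echo "FAIL: $pam_dir/$target has no auth rule" >&2; rc=1; }
    done
    return $rc
}
```

On a real host, call it as root (the file is readable only by root): check_sss_proxy_host /etc/sssd/sssd.conf /etc/pam.d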

CentOS host :

TODO