Add support for ssh authentication via public ssh keys stored in FreeIPA

- install packages openssh-helpers and openldap2-client
- install sssd.conf on all machines and improve it:
  - add ssh as service
  - rename the domain to infra.o.o
  - add the search base for users and for groups so that both get
    populated properly after an ssh login
  - demand TLS and valid cert
- install the appropriate /etc/pam.d files
- install /etc/openldap/ldap.conf
- install a script that fetches the ssh public keys stored in LDAP/FreeIPA for
  a given username. We are using a custom script instead of the sss or the
  openssh-helpers script because they hardcode the attribute name that contains
  the public SSH keys on LDAP, which is different on FreeIPA. We can get rid of
  it and replace it with the sss script as soon as we introduce the sssd-ipa
  package in openSUSE.
- use the above script in /etc/ssh/sshd_config as user nobody
- add the profile.ldap-client to the base role to be applied on all machines
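
A sketch of the kind of key-fetching script the commit message describes, added here as an example; it is not the script from this commit. It assumes FreeIPA's `ipaSshPubKey` attribute, and the LDAP URI, base DN and install path are placeholders.

```shell
#!/bin/sh
# Added example, not the script shipped by this commit.
# Assumed sshd_config wiring (the script path is hypothetical):
#   AuthorizedKeysCommand /usr/local/bin/fetch_ssh_keys %u
#   AuthorizedKeysCommandUser nobody
LDAP_URI="ldap://ipa.example.org"                     # placeholder
USER_BASE="cn=users,cn=accounts,dc=example,dc=org"    # placeholder
KEY_ATTR="ipaSshPubKey"   # FreeIPA attribute; the name is matched case-sensitively

# Accept only characters that cannot change the meaning of the LDAP filter.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read unwrapped LDIF on stdin and print one public key per line.
# "attr:: value" marks a base64-encoded value, "attr: value" a plain one.
extract_keys() {
    while IFS= read -r line; do
        case "$line" in
            "$KEY_ATTR:: "*)
                printf '%s\n' "$(printf '%s' "${line#"$KEY_ATTR:: "}" | base64 -d)" ;;
            "$KEY_ATTR: "*)
                printf '%s\n' "${line#"$KEY_ATTR: "}" ;;
        esac
    done
}

# Look up one user. -ZZ makes the search fail unless StartTLS succeeds;
# certificate checking is governed by TLS_REQCERT in /etc/openldap/ldap.conf.
fetch_keys() {
    valid_username "$1" || return 1
    ldapsearch -x -LLL -ZZ -o ldif-wrap=no -H "$LDAP_URI" \
        -b "$USER_BASE" "(uid=$1)" "$KEY_ATTR" | extract_keys
}

# sshd passes the login name as the first argument (%u).
if [ "$#" -gt 0 ]; then
    fetch_keys "$1"
fi
```

If the lookup fails or the user has no keys, the script prints nothing and sshd falls through to its other configured authentication methods.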