10.4. Restricting Domains for PAM services
Important
This feature requires SSSD to be running on the system.
SSSD enables you to restrict which domains can be accessed by PAM services. SSSD evaluates authentication requests from PAM services based on the user the particular PAM service is running as. Whether the PAM service can access an SSSD domain depends on whether the PAM service user is able to access the domain.
An example use case is an environment where external users are allowed to authenticate to an FTP server. The FTP server is running as a separate non-privileged user that should only be able to authenticate to a selected SSSD domain, separate from internal company accounts. With this feature, the administrator can allow the FTP user to only authenticate to selected domains specified in the FTP PAM configuration file.
Note
This functionality is similar to legacy PAM modules, such as pam_ldap, which were able to use a separate configuration file as a parameter for a PAM module.
Options to Restrict Access to Domains
The following options are available to restrict access to selected domains:
- pam_trusted_users in /etc/sssd/sssd.conf - This option accepts a list of numerical UIDs or user names representing the PAM services that are to be trusted by SSSD. The default setting is all, which means all service users are trusted and can access any domain.
- pam_public_domains in /etc/sssd/sssd.conf - This option accepts a list of public SSSD domains. Public domains are domains accessible even for untrusted PAM service users. The option also accepts the all and none values. The default value is none, which means no domains are public and untrusted service users therefore cannot access any domain.
- domains for PAM configuration files - This option specifies a list of domains against which a PAM service can authenticate. If you use domains without specifying any domain, the PAM service will not be able to authenticate against any domain, for example:
  auth required pam_sss.so domains=
  If domains is not used in the PAM configuration file, the PAM service is able to authenticate against all domains, on the condition that the service is running under a trusted user. The domains option in the /etc/sssd/sssd.conf SSSD configuration file also specifies a list of domains to which SSSD attempts to authenticate. Note that the domains option in a PAM configuration file cannot extend the list of domains in sssd.conf; it can only restrict the sssd.conf list of domains by specifying a shorter list. Therefore, if a domain is specified in the PAM file but not in sssd.conf, the PAM service will not be able to authenticate against the domain.
The default settings pam_trusted_users = all and pam_public_domains = none specify that all PAM service users are trusted and can access any domain. The domains option for PAM configuration files can be used in this situation to restrict the domains that can be accessed.
If you specify a domain using domains in the PAM configuration file while sssd.conf contains pam_public_domains, it might be required to specify the domain in pam_public_domains as well. If pam_public_domains is used but does not include the required domain, the PAM service will not be able to successfully authenticate against the domain if it is running under an untrusted user.
Note
Domain restrictions defined in a PAM configuration file only apply to authentication actions, not to user lookups.
For more information about the pam_trusted_users and pam_public_domains options, see the sssd.conf(5) man page. For more information about the domains option used in PAM configuration files, see the pam_sss(8) man page.
Example 10.2. Restricting Domains for a PAM Service
To restrict the domains against which a PAM service can authenticate:
- Make sure SSSD is configured to access the required domain or domains. The domains against which SSSD can authenticate are defined in the domains option in the /etc/sssd/sssd.conf file:
  [sssd]
  domains = domain1, domain2, domain3
- Specify the domain or domains to which a PAM service will be able to authenticate. To do this, set the domains option in the PAM configuration file. For example:
  auth sufficient pam_sss.so forward_pass domains=domain1
  account [default=bad success=ok user_unknown=ignore] pam_sss.so
  password sufficient pam_sss.so use_authtok
The PAM service is now only allowed to authenticate against domain1.
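A consistency check for the rules above, as an added example that is not part of this page or of SSSD itself: it parses a constructed sssd.conf and PAM service file and reports every domain the service will not be able to authenticate against (not configured in sssd.conf, empty domains= option, or not public for an untrusted service user). It compares pam_trusted_users entries by user name only, a simplification, since SSSD also accepts numerical UIDs there.

```python
# Constructed sample inputs (not from any real system); domain4 is deliberately absent from sssd.conf.
SSSD_CONF = """[sssd]
domains = domain1, domain2, domain3
pam_trusted_users = root, ftp
pam_public_domains = domain2
"""
PAM_FTP = """auth sufficient pam_sss.so forward_pass domains=domain1,domain4
account [default=bad success=ok user_unknown=ignore] pam_sss.so
"""

def parse_sssd(text):
    """Collect key = value lines from the [sssd] section as comma-split lists."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "sssd" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            opts[key] = [v.strip() for v in val.split(",") if v.strip()]
    return opts

def auth_domain_lists(pam_text):
    """Per 'auth ... pam_sss.so' line: its domains= list, or None if not given."""
    found = []
    for fields in (l.split() for l in pam_text.splitlines()):
        if fields[:1] == ["auth"] and "pam_sss.so" in fields:
            opt = next((f[len("domains="):] for f in fields if f.startswith("domains=")), None)
            found.append(None if opt is None else [d for d in opt.split(",") if d])
    return found

def check_service(sssd_text, pam_text, service_user):
    """Apply the page's rules; return warnings (empty list means consistent)."""
    opts = parse_sssd(sssd_text)
    configured = set(opts.get("domains", []))
    trusted_users = opts.get("pam_trusted_users", ["all"])  # SSSD default
    public = opts.get("pam_public_domains", ["none"])        # SSSD default
    trusted = "all" in trusted_users or service_user in trusted_users
    warnings = []
    for requested in auth_domain_lists(pam_text):
        if requested is None:  # no domains= option: any domain, if trusted
            if not trusted and public == ["none"]:
                warnings.append(f"{service_user} untrusted and no domain is public")
            continue
        if not requested:
            warnings.append("empty domains= option: no domain can be used")
        for d in requested:
            if d not in configured:
                warnings.append(f"{d} is not in sssd.conf domains; auth will fail")
            elif not trusted and "all" not in public and d not in public:
                warnings.append(f"{d} is not public; untrusted {service_user} cannot use it")
    return warnings
```

Running check_service(SSSD_CONF, PAM_FTP, "ftp") flags only domain4, while the same PAM file under an untrusted user additionally flags domain1 because it is not listed in pam_public_domains.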