Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 10. Restricting domains for PAM services using SSSD
The System Security Services Daemon (SSSD) restricts Pluggable Authentication Modules (PAMs) service access to specific identity domains based on the user running the service. With this evaluation mechanism, you can enforce granular control, ensuring services only interact with authorized identity providers.
10.1. Introduction to PAM
Pluggable Authentication Modules (PAM) provide a modular framework for system authentication. Applications offload identity verification to centrally configured PAM stacks, helping you to implement flexible policies involving Kerberos, SSSD, or local files.
PAM is pluggable because a PAM module exists for different types of authentication sources, such as Kerberos, SSSD, NIS, or the local file system. You can prioritize different authentication sources.
This modular architecture offers administrators a great deal of flexibility in setting authentication policies for the system. PAM is a useful system for developers and administrators for several reasons:
- PAM provides a common authentication scheme, which can be used with a wide variety of applications.
- PAM provides significant flexibility and control over authentication for system administrators.
- PAM provides a single, fully-documented library, which allows developers to write programs without having to create their own authentication schemes.
10.1.1. PAM configuration file format
Pluggable Authentication Module (PAM) configuration files consist of directives that control module behavior. Each line specifies the interface type, a control flag, the module library name, and optional arguments, instructing the system on how to process specific authentication tasks.
module_type control_flag <module_name> <module_arguments>For example:
auth required pam_unix.so10.1.1.1. PAM module types
PAM defines four interface types: account, authentication, password, and session. These categories determine the specific task a module performs, such as verifying credentials, setting up the user environment, or enforcing password complexity policies.
An individual module can provide any or all types of authentication tasks. For example, pam_unix.so provides all four authentication tasks.
The module name, such as pam_unix.so, provides PAM with the name of the library containing the specified module type. The directory name is omitted because the application is linked to the appropriate version of libpam, which can locate the correct version of the module.
Module type directives can be stacked, or placed upon one another, so that multiple modules are used together for one purpose. The order of the modules is important, along with the control flags, it determines how significant the success or failure of a particular module is to the overall goal of authenticating the user to the service.
You can stack PAM modules to enforce specific conditions that must be met before a user is allowed to authenticate.
10.1.1.2. PAM control flags
Control flags dictate how PAM handles module results. Keywords like required, requisite, and sufficient determine whether the authentication stack continues processing or immediately returns a success or failure status to the application.
Simple flags use a keyword, more complex syntax follows [<value1>=<action1> <value2>=<action2> …] format.
When a module’s control flag uses the sufficient or requisite value, the order in which the modules are listed is important to the authentication process.
For a detailed description of PAM control flags, including a list of options, see the pam.conf(5) man page.
10.2. Domain-access restriction options
Manage control domain access by using pam_trusted_users and pam_public_domains in sssd.conf. Additionally, the domains option in PAM configuration files limits specific services to a defined list of authentication providers.
To restrict access to selected domains, you can use the following options:
- pam_trusted_users in /etc/sssd/sssd.conf
-
Lists numerical UIDs or user names for PAM services that SSSD trusts. The default setting is
all, which means all service users are trusted and can access any domain. - pam_public_domains in /etc/sssd/sssd.conf
-
Specifies public SSSD domains that are accessible by untrusted PAM service users. The option accepts the
allandnonevalues. The default value isnone, which means no domains are public and untrusted service users cannot access any domain. - domains for PAM configuration files
Specifies a list of domains against which a PAM service can authenticate. If you use
domainswithout specifying any domain, the PAM service cannot authenticate against any domain, for example:auth required pam_sss.so domains=If the PAM configuration file uses
domains, the PAM service is able to authenticate against all domains when that service is running under a trusted user.The
domainsoption in the/etc/sssd/sssd.confSSSD configuration file also specifies a list of domains to which SSSD attempts to authenticate. Note that thedomainsoption in a PAM configuration file cannot extend the list of domains insssd.conf, it can only restrict thesssd.conflist of domains by specifying a shorter list. Therefore, if a domain is specified in the PAM file but not insssd.conf, the PAM service cannot authenticate against the domain.
The default settings pam_trusted_users = all and pam_public_domains = none specify that all PAM service users are trusted and can access any domain. Use the domains option in PAM configuration files to restrict domain access.
Specifying a domain using domains in the PAM configuration file while sssd.conf contains pam_public_domains also requires to specify the domain in pam_public_domains. The pam_public_domains option without including the required domain leads the PAM service to unsuccessful authentication against the domain in case this service is running under an untrusted user.
Domain restrictions defined in a PAM configuration file apply to authentication actions only, not to user lookups.
10.3. Restricting domains for a PAM service
You can lock specific PAM services to a subset of available SSSD domains. This configuration forces the service to authenticate only against the specified providers, isolating critical applications from other identity sources.
Prerequisites
- SSSD installed and running.
Procedure
Configure SSSD to access the required domain or domains. Define the domains against which SSSD can authenticate in the
domainsoption in the/etc/sssd/sssd.conffile:[sssd] domains = <idm.example.com>, <ad.example.com>, <ldap.example.com>Specify the domain or domains to which a PAM service can authenticate by setting the`domains` option in the PAM configuration file. For example:
auth sufficient pam_sss.so forward_pass domains=<idm.example.com> account [default=bad success=ok user_unknown=ignore] pam_sss.so password sufficient pam_sss.so use_authtokThis configuration restricts the PAM service to authenticate against
<idm.example.com>only.
Verification
-
Authenticate against
<idm.example.com>. It must be successful.
10.4. About PAM configuration files
PAM configuration files in /etc/pam.d/ define policies for individual applications. Each file stacks specific modules to enforce security requirements, such as password quality checks or root access limits, for the service it controls.
For example, the login program has a corresponding PAM configuration file named /etc/pam.d/login.
Manual editing of PAM configuration files might lead to authentication and access issues. Configure PAMs using the authselect tool.
See an example of PAM configuration file with the detailed description.
Annotated PAM configuration example
#%PAM-1.0
auth required pam_securetty.so
auth required pam_unix.so nullok
auth required pam_nologin.so
account required pam_unix.so
password required pam_pwquality.so retry=3
password required pam_unix.so shadow nullok use_authtok
session required pam_unix.sowhere:
auth required pam_securetty.so-
Ensures that the root login is allowed only from a terminal which is listed in the
/etc/securettyfile, if this file exists. If the terminal is not listed in the file, the login as root fails with aLogin incorrectmessage. auth required pam_unix.so nullok-
Prompts the user for a password and checks it against the information stored in
/etc/passwdand, if it exists,/etc/shadow. Thenullokargument allows a blank password. auth required pam_nologin.soChecks if
/etc/nologinfile exists. If it exists, and the user is not root, authentication fails.NoteIn this example, all three
authmodules are checked, even if the firstauthmodule fails. This is a good security approach that prevents potential attacker from knowing at what stage their authentication failed.account required pam_unix.so-
Verifies the user’s account. For example, if shadow passwords have been enabled, the account type of the
pam_unix.somodule checks for expired accounts or if the user needs to change the password. password required pam_pwquality.so retry=3-
Prompts for a new password if the current one has expired or when the user manually requests a password change. Then it checks the strength of the newly created password to ensure it meets quality requirements and is not easily determined by a dictionary-based password cracking program. The argument
retry=3specifies that user has three attempts to create a strong password. password required pam_unix.so shadow nullok use_authtok-
The
pam_unix.somodule manages password changes. Theshadowargument instructs the module to create shadow passwords when updating a user’s password. Thenullokargument allows the user to change their password from a blank password, otherwise a null password is treated as an account lock. Theuse_authtokargument accepts any password that was entered previously without prompting the user again. In this way, all new passwords must pass thepam_pwquality.socheck for secure passwords before being accepted. session required pam_unix.so-
The
pam_unix.somodule manages the session and logs the user name and service type at the beginning and end of each session. Logs are collected by thesystemd-journaldservice and can be viewed by using thejournalctlcommand. Logs are also stored in/var/log/secure. This module can be supplemented by stacking it with other session modules for additional functionality.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}