12.3. Data flow when authenticating as a user with SSSD in IdM
Authenticating as a user on an IdM server or client involves the following components:
- The service that initiates the authentication request, such as the sshd service.
- The Pluggable Authentication Module (PAM) library and its modules.
- The SSSD service, its responders, and back-ends.
- A smart card reader, if smart card authentication is configured.
The authentication server:
- IdM users are authenticated against an IdM Kerberos Key Distribution Center (KDC).
- Active Directory (AD) users are authenticated against an AD Domain Controller (DC).
The following diagram is a simplification of the information flow when a user needs to authenticate during an attempt to log in to a host via the SSH service on the command line.
- The sshd process that handles the incoming login calls the libpam library (the ssh client itself never talks to PAM). The libpam library reads the file in the /etc/pam.d/ directory that corresponds to the service requesting authentication. For a login via the SSH service this is /etc/pam.d/sshd, which on RHEL pulls in the shared password-auth stack (system-auth is the equivalent stack for local console logins). In that stack the libpam library finds the pam_sss.so entry for the SSSD PAM module, for example: auth sufficient pam_sss.so (authselect normally adds the forward_pass option to this line).
- To determine which authentication methods are available, the libpam library loads the pam_sss module, which sends an SSS_PAM_PREAUTH request to the sssd_pam PAM responder of the SSSD service.
- If smart card authentication is configured, the SSSD service spawns a temporary p11_child process to check for a smart card and retrieve the certificates from it.
- If smart card authentication is configured for the user, the sssd_pam responder attempts to match the certificate from the smart card with the user. The sssd_pam responder also looks up the groups that the user belongs to, because group membership can affect access control.
- The sssd_pam responder forwards the SSS_PAM_PREAUTH request to the sssd_be back-end process to find out which authentication methods the server supports, such as passwords or two-factor authentication. In an IdM environment, where the SSSD service uses the IPA provider (id_provider = ipa), the default authentication method is Kerberos. In this example, the user authenticates with a plain Kerberos password.
- The sssd_be process spawns a temporary krb5_child process.
- The krb5_child process contacts the KDC on the IdM server and checks which pre-authentication methods are available. The KDC responds with the pre-authentication methods it requires for the user's principal (for example, encrypted timestamp for a password, or PKINIT for a smart card).
- The krb5_child process evaluates the reply and sends the results back to the sssd_be back-end process.
- The sssd_be back-end process receives the result.
- The sssd_pam responder receives the result.
- The pam_sss module receives the result.
- If password authentication is configured for the user, the pam_sss module prompts the user for their password. If smart card authentication is configured, the pam_sss module prompts the user for their smart card PIN. The module then sends an SSS_PAM_AUTHENTICATE request with the user name and the password (or PIN), which travels to:
  - the sssd_pam responder, and then
  - the sssd_be back-end process.
- The sssd_be process spawns a temporary krb5_child process to contact the KDC.
- The krb5_child process attempts to obtain a Kerberos Ticket Granting Ticket (TGT) from the KDC with the user name and password the user provided.
- The krb5_child process receives the result of the authentication attempt, stores the TGT in a credential cache if the KDC issued one, and returns the authentication result to the sssd_be back-end process. The authentication result travels from the sssd_be process to:
  - the sssd_pam responder, and then
  - the pam_sss module.
- The pam_sss module sets the KRB5CCNAME environment variable in the user's session to the location of the credential cache that holds the user's TGT, so that other applications (for example klist, kinit, or Kerberos-aware clients) can find it. After logging in, you can confirm this with echo $KRB5CCNAME and klist.
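The whole exchange above leaves a trace in /var/log/sssd/sssd_pam.log once debug_level is raised (6 or higher) in the [pam] section of /etc/sssd/sssd.conf: pam_print_data dumps the fields of each request that pam_sss sends, and pam_reply records the result sent back. The following Python script is an added example (not code from the Red Hat documentation or from the SSSD project) that reconstructs each login attempt from such lines: it pairs the SSS_PAM_PREAUTH and SSS_PAM_AUTHENTICATE requests by the calling process ID (cli_pid, the sshd process running the PAM conversation) and reports the outcome from the pam_reply line. The sample log lines are constructed to follow the shape of pam_print_data and pam_reply messages, not captured from a real host; the exact wording of fields varies between SSSD versions, so the regular expressions are assumptions to adjust for your build.

```python
"""Reconstruct SSSD PAM login attempts from sssd_pam.log lines.

Added example; not code from the Red Hat documentation or from SSSD.
"""
import re

# Constructed sample (not a real capture): alice logs in over SSH with a
# password and succeeds; bob does the same and fails. Both requests of one
# login share the cli_pid of the sshd process running the PAM conversation.
SAMPLE_LOG = """\
(2024-03-05 10:14:02): [pam] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(2024-03-05 10:14:02): [pam] [pam_print_data] (0x0100): user: alice
(2024-03-05 10:14:02): [pam] [pam_print_data] (0x0100): service: sshd
(2024-03-05 10:14:02): [pam] [pam_print_data] (0x0100): rhost: 192.0.2.10
(2024-03-05 10:14:02): [pam] [pam_print_data] (0x0100): cli_pid: 4321
(2024-03-05 10:14:02): [pam] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(2024-03-05 10:14:05): [pam] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2024-03-05 10:14:05): [pam] [pam_print_data] (0x0100): user: alice
(2024-03-05 10:14:05): [pam] [pam_print_data] (0x0100): service: sshd
(2024-03-05 10:14:05): [pam] [pam_print_data] (0x0100): rhost: 192.0.2.10
(2024-03-05 10:14:05): [pam] [pam_print_data] (0x0100): cli_pid: 4321
(2024-03-05 10:14:05): [pam] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(2024-03-05 10:14:20): [pam] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(2024-03-05 10:14:20): [pam] [pam_print_data] (0x0100): user: bob
(2024-03-05 10:14:20): [pam] [pam_print_data] (0x0100): service: sshd
(2024-03-05 10:14:20): [pam] [pam_print_data] (0x0100): rhost: 198.51.100.7
(2024-03-05 10:14:20): [pam] [pam_print_data] (0x0100): cli_pid: 4390
(2024-03-05 10:14:20): [pam] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(2024-03-05 10:14:24): [pam] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2024-03-05 10:14:24): [pam] [pam_print_data] (0x0100): user: bob
(2024-03-05 10:14:24): [pam] [pam_print_data] (0x0100): service: sshd
(2024-03-05 10:14:24): [pam] [pam_print_data] (0x0100): rhost: 198.51.100.7
(2024-03-05 10:14:24): [pam] [pam_print_data] (0x0100): cli_pid: 4390
(2024-03-05 10:14:24): [pam] [pam_reply] (0x0200): pam_reply called with result [7]: Authentication failure.
"""

# Assumed line shape: (timestamp): [pam] [function] (debug-mask): message
# Newer SSSD builds prefix the message with a chain ID such as "[CID#3] ".
LINE_RE = re.compile(
    r"^\((?P<time>[^)]*)\): \[pam\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
CID_RE = re.compile(r"^\[CID#\d+\] ")
REPLY_RE = re.compile(r"pam_reply called with result \[(?P<code>\d+)\]: (?P<text>.*?)\.?$")


def parse_requests(log_text):
    """Split the log into one record per PAM request.

    A record opens at a 'command:' field and closes at the pam_reply line
    that carries the PAM result code returned to pam_sss.
    """
    requests = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unrelated or differently formatted line
        func, msg = m.group("func"), CID_RE.sub("", m.group("msg"))
        if func == "pam_print_data":
            field, _, value = msg.partition(": ")
            if field == "command":
                current = {"time": m.group("time"), "command": value}
                requests.append(current)
            elif current is not None:
                current[field] = value
        elif func == "pam_reply" and current is not None:
            r = REPLY_RE.search(msg)
            if r:
                current["result"] = int(r.group("code"))
                current["result_text"] = r.group("text")
            current = None
    return requests


def summarize(log_text):
    """Correlate requests by cli_pid and judge each login attempt.

    The expected password flow is SSS_PAM_PREAUTH (method discovery) followed
    by SSS_PAM_AUTHENTICATE (credential check). The outcome is the result of
    the AUTHENTICATE request, or 'incomplete' if it never arrived. Requests
    without a cli_pid field are grouped under 'unknown'.
    """
    attempts = {}
    for req in parse_requests(log_text):
        pid = req.get("cli_pid", "unknown")
        entry = attempts.setdefault(pid, {
            "cli_pid": pid, "user": req.get("user"), "service": req.get("service"),
            "rhost": req.get("rhost"), "steps": [], "outcome": "incomplete", "notes": [],
        })
        entry["steps"].append((req["command"], req.get("result")))
        if req["command"] == "SSS_PAM_AUTHENTICATE":
            if "SSS_PAM_PREAUTH" not in [cmd for cmd, _ in entry["steps"][:-1]]:
                entry["notes"].append("AUTHENTICATE without a preceding PREAUTH")
            if "result" in req:
                entry["outcome"] = "success" if req["result"] == 0 else "failure"
                entry["result_text"] = req["result_text"]
    return list(attempts.values())


if __name__ == "__main__":
    for a in summarize(SAMPLE_LOG):
        steps = " -> ".join(f"{cmd}[{res}]" for cmd, res in a["steps"])
        print(f"pid={a['cli_pid']} user={a['user']} from={a['rhost']} {steps} => {a['outcome']}")
```

To run it against a real host, pass the contents of /var/log/sssd/sssd_pam.log to summarize(); the parser skips every line that is not a pam_print_data field or a pam_reply result, so the many other messages in that log do no harm. A login that never reaches the AUTHENTICATE step shows up as incomplete, which is what you see when the PAM stack stops at an earlier module or the client disconnects after the PREAUTH round trip.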