5.3. Enabling offline authentication
SSSD does not cache user credentials by default. When processing authentication requests, SSSD always contacts the identity provider. If the provider is unavailable, user authentication fails.
To ensure that users can authenticate even when the identity provider is unavailable, you can enable credential caching by setting cache_credentials to true in the /etc/sssd/sssd.conf file.
SSSD never caches passwords in plain text. It stores only a hash of the password.
Although credentials are stored as a salted SHA-512 hash, caching still poses a potential security risk: an attacker who manages to access the cache file could attempt to recover a password with a brute-force attack against the hash. Accessing the cache file requires privileged access, which is the default on RHEL.
Prerequisites
- root access
Procedure
- Open the /etc/sssd/sssd.conf file. In a domain section, add the cache_credentials = true setting:
  [domain/your-domain-name]
  cache_credentials = true
- Optional, but recommended: Configure a time limit for how long SSSD allows offline authentication if the identity provider is unavailable:
  - Configure the PAM service to work with SSSD. See Configuring user authentication using authselect for more details.
  - Use the offline_credentials_expiration option to specify the time limit. Note that the limit is set in days.
    For example, to specify that users are able to authenticate offline for 3 days since the last successful login, use:
    [pam]
    offline_credentials_expiration = 3
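The following audit script is an added example, not part of the Red Hat documentation or the SSSD project. It parses sssd.conf text with Python's configparser, reports for each [domain/...] section whether cache_credentials is enabled, and checks that [pam] offline_credentials_expiration is set to a positive number of days, so that cached hashes do not stay usable indefinitely. The sample configuration embedded in it is constructed for the example; the domain names and the ldap/ipa providers are assumptions.

```python
"""Audit an sssd.conf for offline-authentication settings.

Added example; it is not code from the Red Hat documentation or from SSSD.
"""
import configparser
from typing import Dict, List, Optional

# Constructed sample configuration: one domain caches credentials, one does
# not, and the [pam] section uses the 3-day window from the documentation.
SAMPLE_CONF = """\
[sssd]
domains = example.com, lab.local
services = nss, pam

[domain/example.com]
id_provider = ipa
cache_credentials = true

[domain/lab.local]
id_provider = ldap
cache_credentials = false

[pam]
offline_credentials_expiration = 3
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text. Option names keep their case, and '%' is not
    treated as interpolation, so values are returned exactly as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def cached_domains(conf: configparser.ConfigParser) -> Dict[str, bool]:
    """Map each domain name to whether cache_credentials is enabled.
    A missing option means SSSD's default: credentials are not cached."""
    result: Dict[str, bool] = {}
    for section in conf.sections():
        if section.startswith("domain/"):
            value = conf.get(section, "cache_credentials", fallback="false")
            result[section[len("domain/"):]] = value.strip().lower() == "true"
    return result


def offline_expiration_days(conf: configparser.ConfigParser) -> Optional[int]:
    """Return [pam] offline_credentials_expiration in days, or None when the
    option is absent or not an integer."""
    if not conf.has_section("pam"):
        return None
    raw = conf.get("pam", "offline_credentials_expiration", fallback=None)
    if raw is None or not raw.strip().isdigit():
        return None
    return int(raw.strip())


def audit(text: str) -> List[str]:
    """Return findings for a configuration; an empty list means both the
    caching and the expiration settings from the procedure are present."""
    conf = parse_sssd_conf(text)
    findings: List[str] = []
    for domain, enabled in cached_domains(conf).items():
        if not enabled:
            findings.append(
                f"domain {domain}: cache_credentials is not true; "
                "users cannot log in while the identity provider is unavailable"
            )
    days = offline_expiration_days(conf)
    if days is None or days <= 0:
        findings.append(
            "[pam] offline_credentials_expiration is unset or 0: "
            "cached credentials stay usable with no time limit"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run it against a real file by passing open("/etc/sssd/sssd.conf").read() to audit(); reading that file requires root, as the prerequisites state. A domain whose cache_credentials line is missing is reported the same way as one set to false, because SSSD does not cache by default.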
Additional resources
- The sssd.conf(5) man page