
5.3. Enabling offline authentication


SSSD does not cache user credentials by default. When processing authentication requests, SSSD always contacts the identity provider. If the provider is unavailable, user authentication fails.

To ensure that users can authenticate even when the identity provider is unavailable, you can enable credential caching by setting cache_credentials to true in the /etc/sssd/sssd.conf file.

Important

SSSD never caches passwords in plain text. It stores only a hash of the password.

Although credentials are stored as a salted SHA-512 hash, the cache still poses a potential security risk if an attacker manages to access the cache file and recover a password with a brute-force attack. Reading the cache file requires privileged access, which is the default on RHEL.

Prerequisites

  • root access

Procedure

  1. Open the /etc/sssd/sssd.conf file.
  2. In a domain section, add the cache_credentials = true setting:

    [domain/your-domain-name]
    cache_credentials = true

  3. Optional, but recommended: Configure a time limit for how long SSSD allows offline authentication if the identity provider is unavailable:

    1. Configure the PAM service to work with SSSD.

      See Configuring user authentication using authselect for more details.

    2. Use the offline_credentials_expiration option to specify the time limit.

      Note that the limit is set in days.

      For example, to allow users to authenticate offline for 3 days after their last successful login, use:

      [pam]
      offline_credentials_expiration = 3
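
To review the result of this procedure, the following added example (not part of the Red Hat documentation) parses an sssd.conf text and reports, per domain, whether credential caching is enabled and whether a time limit applies. The function name `audit_offline_auth` and the sample configuration are constructed for illustration; the treatment of a missing `offline_credentials_expiration` as 0 (no limit) follows the default documented in sssd.conf(5).

```python
import configparser

# Constructed sample sssd.conf (not taken from a real host).
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = example.com, lab.example.com

[domain/example.com]
id_provider = ldap
cache_credentials = true

[domain/lab.example.com]
id_provider = ldap

[pam]
offline_credentials_expiration = 3
"""


def audit_offline_auth(conf_text):
    """Summarise the offline-authentication posture of an sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)

    # cache_credentials is a per-domain setting and is off unless set to true.
    caching = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            value = cp.get(section, "cache_credentials", fallback="false")
            caching[section[len("domain/"):]] = value.strip().lower() == "true"

    # offline_credentials_expiration lives in [pam] and is counted in days.
    # Per sssd.conf(5) it defaults to 0, which means no time limit.
    days = int(cp.get("pam", "offline_credentials_expiration", fallback="0"))

    findings = []
    for domain, enabled in sorted(caching.items()):
        if not enabled:
            findings.append(f"{domain}: no credential cache, login fails while the provider is unavailable")
        elif days == 0:
            findings.append(f"{domain}: cached credentials accepted offline with no time limit")
    return {"caching": caching, "expiration_days": days, "findings": findings}


if __name__ == "__main__":
    for line in audit_offline_auth(SAMPLE_CONF)["findings"]:
        print(line)
```
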

Additional resources

  • The sssd.conf(5) man page
© 2024 Red Hat, Inc.