Chapter 3. Authentication and Interoperability

SSSD now enables the administrator to select which domains from the AD forest can be contacted

In some environments, only a subset of domains in a joined Active Directory (AD) forest can be reached. Attempting to contact an unreachable domain might cause unwanted timeouts or switch the System Security Services Daemon (SSSD) to offline mode.
To prevent this, the administrator can now configure a list of domains to which SSSD connects by setting the ad_enabled_domains option in the /etc/sssd/sssd.conf file. For details, see the sssd-ad(5) man page. (BZ#1324428)

SSSD now enables selecting a list of PAM services that will not receive any environmental variables from pam_sss

In some cases, it is not desirable to propagate environment variables set by the pam_sss Pluggable Authentication Module (PAM). For example, when using the sudo -i command, users might want to transfer the KRB5CCNAME variable of the original user to the target environment.
Previously, when a non-privileged user executed the sudo -i command to become another non-privileged user, the new non-privileged user did not have the permissions to read the Kerberos credentials cache that KRB5CCNAME pointed to.
For this use case, this update adds a new option named pam_response_filter. Using pam_response_filter, the administrator can list PAM services (such as sudo-i) that do not receive any environment variables (such as KRB5CCNAME) during login. Now, if pam_response_filter lists sudo-i, a user can switch from one non-privileged user to another without KRB5CCNAME being set in the target environment. (BZ#1329378)
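The two SSSD options above (ad_enabled_domains for the AD forest, pam_response_filter for sudo-i) as an added, constructed example; this is not code from the release notes or from the SSSD project. It writes a sample sssd.conf and includes a small awk reader an administrator can use to audit what a section actually sets. The domain names, the section name and the sample file path are placeholders; the pam_response_filter value form ENV:variable:service is the syntax documented in sssd.conf(5).

```shell
#!/bin/sh
# Added example, not Red Hat's code: a constructed sssd.conf fragment that sets
# ad_enabled_domains and pam_response_filter, plus an awk reader to audit which
# forest domains a section really enables.
# Assumptions: example.com / child.example.com and the section name are
# placeholders; ENV:variable:service is the pam_response_filter form from
# sssd.conf(5).

# Write the constructed sample configuration to the path given as $1.
write_sample_sssd_conf() {
    cat >"$1" <<'EOF'
[sssd]
services = nss, pam
domains = example.com

[pam]
# Do not hand KRB5CCNAME to the environment that "sudo -i" creates.
pam_response_filter = ENV:KRB5CCNAME:sudo-i

[domain/example.com]
id_provider = ad
access_provider = ad
# Only these forest domains are contacted; the rest are never tried, so an
# unreachable domain cannot time out or push SSSD offline.
ad_enabled_domains = example.com, child.example.com
EOF
    chmod 600 "$1"    # sssd expects the file to be root-owned and mode 0600
}

# Print the value of KEY in SECTION of FILE; exit 1 if it is not set there.
sssd_conf_get() {
    file=$1 section=$2 key=$3
    awk -v section="$section" -v key="$key" '
        /^[ \t]*[#;]/ { next }                                  # comment line
        /^\[.*\]/     { in_section = ($0 == ("[" section "]")); next }
        in_section && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            found = 1; print; exit
        }
        END { if (found) exit 0; exit 1 }' "$file"
}

# Succeed if DOMAIN is enabled in SECTION: either it is listed in
# ad_enabled_domains, or the option is unset, which per sssd-ad(5) means every
# domain of the forest is enabled (the behaviour before this update).
ad_domain_enabled() {
    file=$1 section=$2 domain=$3
    list=$(sssd_conf_get "$file" "$section" ad_enabled_domains) || return 0
    printf '%s\n' "$list" | tr ',' '\n' | tr -d ' \t' | grep -qixF -- "$domain"
}

# Usage: sh this_script.sh /tmp/sssd.conf.sample
if [ -n "$1" ]; then
    write_sample_sssd_conf "$1"
    echo "pam_response_filter: $(sssd_conf_get "$1" pam pam_response_filter)"
    echo "ad_enabled_domains:  $(sssd_conf_get "$1" domain/example.com ad_enabled_domains)"
    if ad_domain_enabled "$1" domain/example.com other.example.com; then
        echo "other.example.com would be contacted"
    else
        echo "other.example.com is excluded"
    fi
fi
```

The ad_domain_enabled check deliberately treats an unset ad_enabled_domains as "everything enabled", because that is the default: the option only restricts when it is present, so an audit that merely greps for a domain name would miss hosts where the option was never added.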

IdM servers can now be configured to require TLS 1.2 or better

Version 1.2 of the Transport Layer Security (TLS) protocol is considered significantly more secure than previous versions. This update enables you to configure your Identity Management (IdM) server to forbid communication using protocols that are less secure than TLS 1.2.
For details, see the following Red Hat Knowledgebase article: https://access.redhat.com/articles/2801181. (BZ#1367026)
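A client-side verification for the setting described above, as an added example that is not part of the release notes or of IdM itself: it attempts one handshake per protocol version with openssl s_client and accepts the server only when TLS 1.2 succeeds and TLS 1.0 and 1.1 are refused. The host name is a placeholder, and the script assumes an openssl(1) that understands the -tls1, -tls1_1 and -tls1_2 flags (the OpenSSL 1.0.1 on RHEL 6 does).

```shell
#!/bin/sh
# Added example, not Red Hat's code: confirm from a client that an IdM server
# refuses anything below TLS 1.2.
# Assumptions: idm.example.com is a placeholder; openssl(1) supports the
# -tls1, -tls1_1 and -tls1_2 flags.

# Attempt a handshake with one protocol version; print accepted or rejected.
# openssl s_client reports "Cipher is (NONE)" when the handshake fails.
tls_handshake() {
    host=$1 port=$2 version=$3
    out=$(openssl s_client -connect "$host:$port" "-$version" </dev/null 2>&1)
    case $out in
        *"Cipher is (NONE)"*) echo rejected ;;
        *"Cipher is "*)       echo accepted ;;
        *)                    echo rejected ;;   # connection refused, timeout, ...
    esac
}

# Judge a set of "version result" lines: pass only when tls1_2 was accepted
# and no older version was.
tls_policy_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "tls1_2" && $2 == "accepted" { ok = 1 }
        $1 != "tls1_2" && $2 == "accepted" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# Probe every version against HOST:PORT, print the results and return the
# policy verdict as the exit status.
check_tls12_only() {
    host=$1 port=${2:-443}
    results=""
    for version in tls1 tls1_1 tls1_2; do
        results="$results$version $(tls_handshake "$host" "$port" "$version")
"
    done
    printf '%s' "$results"
    tls_policy_ok "$results"
}

# Usage: sh this_script.sh idm.example.com 443  (repeat with port 636 for LDAPS)
if [ -n "$1" ]; then
    if check_tls12_only "$1" "$2"; then
        echo "OK: only TLS 1.2 accepted"
    else
        echo "FAIL: an older protocol was accepted or TLS 1.2 failed" >&2
    fi
fi
```

Run it against both the HTTPS port and the LDAPS port, since the web server and the directory server are configured separately; a pass on 443 says nothing about 636.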

pam_faillock can now be configured with unlock_time=never

The pam_faillock module now accepts the unlock_time=never option, which specifies that a user authentication lock caused by multiple authentication failures never expires. (BZ#1404832)
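A PAM stack using the new option, as an added example that is not from the release notes or from the pam_faillock project: it writes a constructed /etc/pam.d/system-auth auth stack in the preauth/authfail layout of pam_faillock(8) and checks that every pam_faillock auth line carries the same deny= and unlock_time= settings. Module options apply per line, so a line that omits them silently falls back to the module defaults instead of the intended policy. The deny=5 threshold is a placeholder.

```shell
#!/bin/sh
# Added example, not Red Hat's code: a constructed system-auth auth stack that
# locks accounts permanently (unlock_time=never) and a consistency check over
# its pam_faillock lines.
# Assumption: deny=5 is a placeholder for the site's failure threshold.

# Write the constructed sample stack to the path given as $1.
write_sample_system_auth() {
    cat >"$1" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=never
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=never
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
EOF
}

# Succeed only if FILE has at least one pam_faillock auth line, every such
# line sets unlock_time=never, and deny=/unlock_time= agree across the lines.
faillock_lines_consistent() {
    awk '
        $1 == "auth" && $0 ~ /pam_faillock\.so/ {
            opts = ""; seen = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "pam_faillock.so") { seen = 1; continue }
                if (seen && $i ~ /^(deny|unlock_time)=/) opts = opts " " $i
            }
            if (opts !~ / unlock_time=never/) bad = 1
            if (first == "") first = opts
            else if (opts != first) bad = 1
            lines++
        }
        END { if (bad || lines == 0) exit 1; exit 0 }' "$1"
}

# Usage: sh this_script.sh /tmp/system-auth.sample
if [ -n "$1" ]; then
    write_sample_system_auth "$1"
    if faillock_lines_consistent "$1"; then
        echo "pam_faillock lines agree and lock permanently (unlock_time=never)"
    else
        echo "pam_faillock lines are inconsistent or lack unlock_time=never" >&2
    fi
fi
```

With unlock_time=never a lock is cleared only by an administrator: faillock --user NAME shows the recorded failures and faillock --user NAME --reset clears them, so make sure that procedure is known to the help desk before deploying the setting.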

The libkadm5* libraries have been moved to the libkadm5 package

In Red Hat Enterprise Linux 6.9, the libkadm5* libraries have been moved from the krb5-libs to the new libkadm5 package. As a consequence, yum is not able to downgrade the krb5-libs package automatically. Before downgrading, remove the libkadm5 package manually:
# rpm -e --nodeps libkadm5
After you have manually removed the package, use the yum downgrade command to downgrade the krb5-libs package to a previous version. (BZ#1351284)
© 2024 Red Hat, Inc.