
Chapter 26. Policy: Restricting Domains for PAM services

Some environments require that different PAM applications access different sets of SSSD domains. Legacy PAM modules, such as pam_ldap, were able to take a separate configuration file as a module parameter. This chapter describes a similar feature for SSSD.
One example use case is an environment that allows external users to authenticate to an FTP server. The server runs as a separate non-privileged user, which should only be able to authenticate against a selected SSSD domain, kept separate from internal company accounts. With this feature, the administrator can allow the FTP user to authenticate only against the domains specified in the FTP service's PAM configuration file.
The following options are available for PAM modules and SSSD to restrict access to selected domains in a secure way:
pam_trusted_users (for sssd.conf)
This option accepts a list of numerical UIDs or user names that are to be trusted by the SSSD daemon. The default value is the special keyword all, which means all users are trusted. This matches the previous behavior, where any user could access any domain.
pam_public_domains (for sssd.conf)
This option accepts a comma-separated list of SSSD domains that are accessible even to untrusted users. Two special keywords, all and none, are also available. The default value is none, so that once the administrator starts differentiating between trusted and untrusted domains, the domains that an untrusted client may access must be specified explicitly.
domains (for individual PAM module configuration)
This option accepts a list of domains against which the PAM service is allowed to authenticate. The setting interacts with the domains= option in the /etc/sssd/sssd.conf file, which specifies the list of domains in the order SSSD will query them. The PAM module configuration cannot add domains to this list; it can only restrict it by specifying a shorter list.

Example 26.1. Sample PAM Module Configuration

A general configuration line of a /etc/pam.d/ configuration file has the following form:
module-type control-flag module-path arguments
In this example, a sample configuration for a test module is shown. Arguments to restrict domain access are added at the end of each line. The test module is restricted to the openldap domain only, and the pam_env module that sets/unsets environment variables is allowed for all users.
$ cat /etc/pam.d/sss_test
auth     required   pam_sss.so domains=openldap
account  required   pam_sss.so domains=openldap
session  required   pam_sss.so domains=openldap
password required   pam_sss.so domains=openldap
In addition to the PAM configuration, the relevant snippets of /etc/sssd/sssd.conf can look like this (comments are placed on their own lines, since a trailing comment after a value would be read as part of the value):
[sssd]
# the list can be restricted by specific PAM module configuration
domains = ipa, openldap

[pam]
# all users are allowed to access the ipa domain
pam_public_domains = ipa
# root and sss_test are allowed to run PAM
pam_trusted_users = root, sss_test
© 2024 Red Hat, Inc.