10.4. Restricting Domains for PAM services
Important
This feature requires SSSD to be running on the system.
SSSD enables you to restrict which domains can be accessed by PAM services. SSSD evaluates authentication requests from PAM services based on the user the particular PAM service is running as. Whether the PAM service can access an SSSD domain depends on whether the PAM service user is able to access the domain.
An example use case is an environment where external users are allowed to authenticate to an FTP server. The FTP server is running as a separate non-privileged user that should only be able to authenticate to a selected SSSD domain, separate from internal company accounts. With this feature, the administrator can allow the FTP user to only authenticate to selected domains specified in the FTP PAM configuration file.
Note
This functionality is similar to legacy PAM modules, such as pam_ldap, which were able to use a separate configuration file as a parameter for a PAM module.
Options to Restrict Access to Domains
The following options are available to restrict access to selected domains:
- pam_trusted_users in /etc/sssd/sssd.conf - This option accepts a list of numerical UIDs or user names representing the PAM services that are to be trusted by SSSD. The default setting is all, which means all service users are trusted and can access any domain.
- pam_public_domains in /etc/sssd/sssd.conf - This option accepts a list of public SSSD domains. Public domains are domains accessible even for untrusted PAM service users. The option also accepts the all and none values. The default value is none, which means no domains are public and untrusted service users therefore cannot access any domain.
- domains for PAM configuration files - This option specifies a list of domains against which a PAM service can authenticate. If you use domains without specifying any domain, the PAM service will not be able to authenticate against any domain, for example:

auth required pam_sss.so domains=

If domains is not used in the PAM configuration file, the PAM service is able to authenticate against all domains, on the condition that the service is running under a trusted user.

The domains option in the /etc/sssd/sssd.conf SSSD configuration file also specifies a list of domains to which SSSD attempts to authenticate. Note that the domains option in a PAM configuration file cannot extend the list of domains in sssd.conf; it can only restrict the sssd.conf list of domains by specifying a shorter list. Therefore, if a domain is specified in the PAM file but not in sssd.conf, the PAM service will not be able to authenticate against the domain.
The default settings pam_trusted_users = all and pam_public_domains = none specify that all PAM service users are trusted and can access any domain. The domains option for PAM configuration files can be used in this situation to restrict the domains that can be accessed.
If you specify a domain using domains in the PAM configuration file while sssd.conf contains pam_public_domains, it might be required to specify the domain in pam_public_domains as well. If pam_public_domains is used but does not include the required domain, the PAM service will not be able to successfully authenticate against the domain if it is running under an untrusted user.
Note
Domain restrictions defined in a PAM configuration file only apply to authentication actions, not to user lookups.
For more information about the pam_trusted_users and pam_public_domains options, see the sssd.conf(5) man page. For more information about the domains option used in PAM configuration files, see the pam_sss(8) man page.
Example 10.2. Restricting Domains for a PAM Service
To restrict the domains against which a PAM service can authenticate:
- Make sure SSSD is configured to access the required domain or domains. The domains against which SSSD can authenticate are defined in the domains option in the /etc/sssd/sssd.conf file.

[sssd]
domains = domain1, domain2, domain3

- Specify the domain or domains to which a PAM service will be able to authenticate. To do this, set the domains option in the PAM configuration file. For example:

auth sufficient pam_sss.so forward_pass domains=domain1
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
The PAM service is now only allowed to authenticate against domain1.
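To make the interaction of pam_trusted_users, pam_public_domains and the PAM domains= option concrete, the following Python script is an added example (not part of this guide and not SSSD's own code). It parses a constructed sssd.conf fragment and the PAM service file from Example 10.2, then computes which domains a given service user can authenticate against under the rules described in this section. The line parser and the rule model are simplified assumptions made for the illustration; the service user names, UIDs and the pam_trusted_users / pam_public_domains values are constructed, not taken from the guide.

```python
import configparser
import re
from typing import Optional

# Constructed sample input: the [sssd] section from Example 10.2, extended with
# the two restriction options discussed above (values chosen for illustration).
SSSD_CONF = """
[sssd]
services = nss, pam
domains = domain1, domain2, domain3
pam_trusted_users = root, 1001
pam_public_domains = domain2
"""

# Constructed sample input: the PAM service file from Example 10.2.
PAM_SERVICE = """
auth      sufficient pam_sss.so forward_pass domains=domain1
account   [default=bad success=ok user_unknown=ignore] pam_sss.so
password  sufficient pam_sss.so use_authtok
"""

# type  control-or-[bracketed control]  module  args...
_PAM_LINE = re.compile(r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def _split_list(value: str) -> list[str]:
    """Split a comma-separated option value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_sssd_conf(text: str) -> dict:
    """Return the [sssd] options that matter for domain restriction,
    applying the defaults named in this section (all / none)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sect = cp["sssd"]
    return {
        "domains": _split_list(sect.get("domains", "")),
        "pam_trusted_users": sect.get("pam_trusted_users", "all").strip(),
        "pam_public_domains": sect.get("pam_public_domains", "none").strip(),
    }


def pam_sss_domains(text: str) -> Optional[list[str]]:
    """Return the domains= list from the auth pam_sss.so line.

    None means the option is absent; [] means 'domains=' with no value.
    """
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _PAM_LINE.match(line)
        if not m or m.group(1) != "auth" or m.group(3) != "pam_sss.so":
            continue
        for arg in m.group(4).split():
            if arg.startswith("domains="):
                return _split_list(arg[len("domains="):])
    return None


def is_trusted(conf: dict, user: str, uid: int) -> bool:
    """pam_trusted_users matches by user name or numeric UID; 'all' trusts everyone."""
    trusted = conf["pam_trusted_users"]
    if trusted == "all":
        return True
    entries = _split_list(trusted)
    return user in entries or str(uid) in entries


def effective_domains(conf: dict, pam_domains: Optional[list[str]],
                      user: str, uid: int) -> list[str]:
    """Simplified model (an assumption, not SSSD's code) of the rules above."""
    if is_trusted(conf, user, uid):
        candidates = list(conf["domains"])
    else:
        public = conf["pam_public_domains"]
        if public == "all":
            candidates = list(conf["domains"])
        elif public == "none":
            candidates = []
        else:
            candidates = [d for d in conf["domains"] if d in _split_list(public)]
    if pam_domains is None:  # option absent: no further restriction
        return candidates
    # domains= can only narrow the sssd.conf list, never extend it
    return [d for d in candidates if d in pam_domains]


def main() -> None:
    conf = parse_sssd_conf(SSSD_CONF)
    pam_domains = pam_sss_domains(PAM_SERVICE)
    # Constructed service users: root (trusted by name) and ftp with UID 14 (untrusted).
    for user, uid in (("root", 0), ("ftp", 14)):
        print(f"{user}: {effective_domains(conf, pam_domains, user, uid)}")


if __name__ == "__main__":
    main()
```

Running the script shows root reaching only domain1 (the PAM file narrows the sssd.conf list), while the untrusted ftp user reaches nothing: domain1 is named in the PAM file but not in pam_public_domains, which is exactly the case the section warns about. Dropping the domains= argument lets the untrusted user reach domain2, the one public domain.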