
Chapter 26. Policy: Restricting Domains for PAM services


Some environments require that different PAM applications access a different set of SSSD domains. Legacy PAM modules, such as pam_ldap, were able to take a separate configuration file as a parameter of the PAM module. This chapter describes a similar feature for SSSD.
One example use case may be an environment that allows external users to authenticate to an FTP server. The server runs as a separate non-privileged user which should only be able to authenticate to a selected SSSD domain, separate from internal company accounts. With this feature, the administrator can allow the FTP user to only authenticate to selected domains specified in the FTP PAM configuration file.
The following options are available for PAM modules and SSSD to restrict access to selected domains in a secure way:
pam_trusted_users (for sssd.conf)
This option accepts a list of numerical UIDs or user names that are to be trusted by the SSSD daemon. The default value is the special keyword all, which means all users are trusted. This is in line with the current behavior where any user can access any domain.
pam_public_domains (for sssd.conf)
This option accepts a comma-separated list of SSSD domains accessible even for untrusted users. Two special keywords, all and none, are also available. The default value is none to make sure that when the administrator starts differentiating between trusted and untrusted domains, he or she is required to manually specify the domains that can be accessed by an untrusted client.
domains (for individual PAM module configuration)
This option accepts a list of domains against which the PAM service is allowed to authenticate. It interacts with the domains= option in the /etc/sssd/sssd.conf file, which lists the domains in the order SSSD queries them. The PAM module configuration cannot add to that list; it can only restrict it by specifying a shorter one.

Example 26.1. Sample PAM Module Configuration

A general configuration line of a /etc/pam.d/ configuration file has the following form:
module-type control-flag module-path arguments
This example shows a sample configuration for a test module. The arguments that restrict domain access are added at the end of each line. The test module is restricted to the openldap domain only, while the pam_env module, which sets and unsets environment variables, is allowed for all users.
$ cat /etc/pam.d/sss_test
auth     required   pam_sss.so domains=openldap
account  required   pam_sss.so domains=openldap
session  required   pam_sss.so domains=openldap
password required   pam_sss.so domains=openldap
In addition to the PAM configuration, the relevant snippets of /etc/sssd/sssd.conf can look like this:
[sssd]
domains = ipa, openldap # the list can be restricted by specific PAM module configuration

[pam]
pam_public_domains = ipa # all users are allowed to access the ipa domain
pam_trusted_users = root, sss_test # root and sss_test are allowed to run PAM
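To show how the three options combine, the following added Python example (not part of this chapter and not SSSD's own code) parses constructed copies of the two snippets above and computes the domains a given calling user is left with. Treating the service file's domains= list as an intersection with the trusted/public result is an assumption drawn from the description above, not from the SSSD source.

```python
import configparser
import shlex

# Constructed copies of the chapter's two snippets (not read from the real files).
SSSD_CONF = """[sssd]
domains = ipa, openldap
[pam]
pam_public_domains = ipa
pam_trusted_users = root, sss_test
"""
PAM_SERVICE = """auth     required   pam_sss.so domains=openldap
account  required   pam_sss.so domains=openldap
session  required   pam_sss.so domains=openldap
password required   pam_sss.so domains=openldap
"""

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def parse_sssd(text):
    """Pull the three options this chapter discusses out of sssd.conf text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {"domains": _csv(cp.get("sssd", "domains", fallback="")),
            "public": _csv(cp.get("pam", "pam_public_domains", fallback="none")),
            "trusted": _csv(cp.get("pam", "pam_trusted_users", fallback="all"))}

def pam_domains_arg(text, module="pam_sss.so"):
    """Return the domains= list a PAM service file passes to pam_sss.so, or None."""
    for line in text.splitlines():
        fields = shlex.split(line.split("#", 1)[0])
        if len(fields) >= 3 and fields[2] == module:
            for arg in fields[3:]:
                if arg.startswith("domains="):
                    return _csv(arg[len("domains="):])
    return None

def effective_domains(sssd, pam_restriction, caller):
    """Domains a PAM service run by `caller` (name or UID) may authenticate against."""
    allowed = list(sssd["domains"])          # the order SSSD queries in
    if sssd["trusted"] != ["all"] and str(caller) not in sssd["trusted"]:
        # untrusted caller: only pam_public_domains survive
        if sssd["public"] == ["none"]:
            allowed = []
        elif sssd["public"] != ["all"]:
            allowed = [d for d in allowed if d in sssd["public"]]
    if pam_restriction is not None:
        # the service file may shrink the list but never add to it (assumed intersection)
        allowed = [d for d in allowed if d in pam_restriction]
    return allowed
```

Running effective_domains for the FTP-style untrusted user from the introduction shows why pam_public_domains must be set explicitly: with the sample values, such a user can reach ipa only, and nothing at all through the sss_test service.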
© 2024 Red Hat, Inc.