SSSD publicity problem

Stephen Gallagher sgallagh at redhat.com
Mon Apr 12 18:20:53 UTC 2010



On 04/12/2010 01:56 PM, Stephen John Smoogen wrote:
> On Mon, Apr 12, 2010 at 11:46 AM, Stephen Gallagher <sgallagh at redhat.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 04/12/2010 01:35 PM, Stephen John Smoogen wrote:
>>> On Mon, Apr 12, 2010 at 11:13 AM, Stephen Gallagher <sgallagh at redhat.com> wrote:
>>> I'm trying to figure out how to do a little PR around the SSSD (the
>>> System Security Services Daemon). I've been tracking mentions of it
>>> around the web with Google Alerts and in the last few weeks, there have
>>> been several dozen hits... all in the Ubuntu context -_-
>>>
>>> So I'm looking for advice on how to draw attention to the fact that this
>>> is a Fedora project. And moreover, works better on Fedora, since we have
>>> authconfig making setup a breeze.
>>>
>>> The SSSD is an advertised Feature for Fedora 13:
>>> http://fedoraproject.org/wiki/Fedora_13_Talking_Points#System_Security_Services_Daemon_.28SSSD.29
>>>
>>> My main concern is that most of the chatter that Google Alerts has been
>>> picking up has been leading back to blogs written about the Ubuntu
>>> package of SSSD (which is an older version than what is available in
>>> Fedora and also has no UI for configuring it).
>>>
>>>> OK, let's look at the following:
>>
>>>> 1) What does it do?
>> We're targeting it as a replacement for nss_ldap, pam_ldap and pam_krb5.
>> The main idea is that it handles cached authentication. Its target is
>> mainly for larger Fedora deployments that use centralized
>> authentication. Within this group, there are two main use-cases we're
>> targeting:
>> 1) Laptop users. With the SSSD, there's no longer a need to maintain a
>> separate local user account. You will be able to sign in with your
>> centrally-managed account even when not connected to the LDAP/Kerberos
>> server. The SSSD caches credentials so that if the server is
>> unavailable, the user can still gain access to their local machine.
>> 2) Datacenter servers that rely on LDAP and/or Kerberos for
>> authentication will be able to survive authentication outages.
>>
>>>> 2) How does it work?
>> Quite well, thank you :)
>>
>>
>>>> 3) Why should I be excited about it?
>> In the case of a laptop user, no more managing two sets of passwords to
>> get into your system. Plus, with Kerberos, if you log in online, it will
>> automatically use your login credentials to acquire your Kerberos
>> ticket-granting ticket for access to network credentials. (And if you're
>> offline, integration with krb5-auth-dialog will make sure you can easily
>> acquire that ticket when you go online)
>>
>>>> 4) Can we make a video that shows this all to put up on the tubes somewhere.
>> I'm not sure what we can do for a video. I suppose we could record a
>> Fedora 13 install, setting up the SSSD with authconfig during firstboot
>> and then demonstrating how it works by simulating offline behavior with
>> 'service [network|Network Manager] stop'
>>
>>
> 
> A) Does it have a gui? Show off the gui
Starting in Fedora 13, the authconfig UI (aka
system-config-authentication) has been completely redesigned, and will
now configure the SSSD.

See:
https://fedoraproject.org/wiki/Test_Day:2010-03-30_SSSDByDefault
http://mairin.wordpress.com/2010/02/18/authconfig-gtk-ui-revamp/
http://mairin.wordpress.com/2010/03/29/mockups-in-your-hand-authconfig-test-day-tomorrow/


> B) Show two systems.. one with it and one without it. Take it off
> networking or (for the corporate IT person who needs to show their
> boss... take it off vpn..) log into both.. which one works.. which one
> doesn't. Do a 'time' elapsed cut to 2-3 days later when the ticket no
> longer is valid.. log into both... do you get locked out of both?
> Tada... extra security for the stolen laptop.
> 
We could do that pretty easily. Although the latter feature is one that
isn't configured in the UI. We CAN set it so that after N days it
disallows logins, but that requires manually editing the config file.
But yes, it would be added security (just not useful for the 90% case,
so we left it out of the UI)

- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

