Remote user use-case
by Stephen Gallagher
One of SSSD's intended primary use-cases is that of the laptop user. We
support cached, offline authentications to the local machine so that
when a laptop user picks their machine up from their desk and goes home
with it, they can still log in.
So what about the use-case of a user that never goes into the office?
How can SSSD solve the problem of mailing a laptop to a new employee
working out of a home-office? Specifically, how do we provide this user
(probably a non-technical user) access to their account for the first
time, if they don't have direct physical access to the network to
perform that first authentication?
One approach would be for GDM to provide an interface for a user who was
not authenticated on the local machine to connect to a
NetworkManager-controlled VPN like IPSEC or vpnc. This would require a
lot of coordinating work done in the desktop environment (not to mention
the security concerns of allowing an unauthenticated user access to VPN
settings).
Another approach might be setting up SSSD with a utility to allow us to
set a temporary offline cached password. Essentially, an administrator
could provision the machine ahead of time with one remote user
(pre-caching their identity data, but not their real password). The
machine could then be shipped to the user, and the temporary offline
password would be overridden the first time that the user provides a
valid online password.
Is this something we should consider exploring in SSSD 1.5.0? I think
the implementation of this would be fairly straightforward. All we'd
need to do is write a new tool similar to sss_useradd that would
pre-cache a user from the default domain. If the machine is online, it
should be capable of pulling the standard user identity data from the
identity provider, but if the machine is offline it should be possible
to manually provide this information as well. Then the utility would
hash the temporary password in the sysdb and the machine would be ready
to ship off.
--
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
13 years, 5 months
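The provisioning flow proposed above, as an added example that is not part of the original post or of SSSD: a pre-cached record holds a temporary offline password, and the first password the identity provider accepts online replaces it. The record layout, the toy_hash() stand-in and the provider verdict passed in as a parameter are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for a real salted password hash (constructed FNV-1a; only equality matters here). */
static uint64_t toy_hash(const char *salt, const char *password)
{
    uint64_t h = 1469598103934665603ULL;
    for (const char *p = salt; *p; p++) h = (h ^ (unsigned char)*p) * 1099511628211ULL;
    for (const char *p = password; *p; p++) h = (h ^ (unsigned char)*p) * 1099511628211ULL;
    return h;
}

struct cached_user {            /* one pre-cached record in the hypothetical local cache */
    char name[32];
    uint64_t pw_hash;
    bool temporary;             /* set by the provisioning tool, cleared on first online login */
};
/* Provisioning step: identity data plus a temporary offline password, no real password. */
static void provision_remote_user(struct cached_user *u, const char *name, const char *temp_pw)
{
    memset(u, 0, sizeof(*u));
    strncpy(u->name, name, sizeof(u->name) - 1);
    u->pw_hash = toy_hash(u->name, temp_pw);
    u->temporary = true;
}

/* Login: offline, only the cached hash decides; online, provider_ok is the identity
 * provider's verdict and a valid password replaces the temporary hash. */
static bool cached_auth(struct cached_user *u, const char *pw, bool online, bool provider_ok)
{
    if (!online) return u->pw_hash == toy_hash(u->name, pw);
    if (!provider_ok) return false;
    u->pw_hash = toy_hash(u->name, pw);   /* first valid online login retires the temp password */
    u->temporary = false;
    return true;
}

/* Walk the shipping scenario; returns 0 when each step behaves as intended, else the failing step. */
static int remote_user_scenario(void)
{
    struct cached_user u;
    provision_remote_user(&u, "alice", "Temp-Ship-2010");
    if (!cached_auth(&u, "Temp-Ship-2010", false, false)) return 1;           /* offline, temp pw */
    if (cached_auth(&u, "Real-Pass", true, false) || !u.temporary) return 2;  /* provider rejects */
    if (!cached_auth(&u, "Real-Pass", true, true) || u.temporary) return 3;   /* first online login */
    if (cached_auth(&u, "Temp-Ship-2010", false, false)) return 4;            /* temp pw retired */
    if (!cached_auth(&u, "Real-Pass", false, false)) return 5;                /* real pw cached */
    return 0;
}
```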
[PATCH] Properly check the return value from semanage_commit
by Stephen Gallagher
semanage_commit() returns -1 on error, and can return a positive
value on success.
https://bugzilla.redhat.com/show_bug.cgi?id=649037
We were sort of accidentally succeeding on modern versions of
libsemanage, because a change was introduced in recent versions that
broke the return value, so it was actually returning zero on success
(despite this being a violation of the API).
On older libsemanage (e.g. that of Red Hat Enterprise Linux 5), we would
actually get the correct return value, which is a positive integer.
This patch will fix the problem on both systems, and I have reported the
return code regression as https://bugzilla.redhat.com/show_bug.cgi?id=649482
13 years, 5 months
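The return-value check the patch corrects, as an added example that is not SSSD's code: fake_semanage_commit() is a constructed stand-in covering the three return values the post describes, placed beside the old check (any non-zero value is failure) and the corrected one (only a negative value is failure).

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed stand-in for semanage_commit(): -1 on error (errno set),
 * otherwise a non-negative value. Older libsemanage returned a positive
 * integer on success; the regression in the post made it return zero. */
static int fake_semanage_commit(int simulated_ret)
{
    if (simulated_ret < 0) {
        errno = EIO;
        return -1;
    }
    return simulated_ret;
}

/* Before the patch: any non-zero return was treated as failure, so the
 * positive success value from older libsemanage was reported as an error. */
static bool commit_ok_before(int simulated_ret)
{
    int ret = fake_semanage_commit(simulated_ret);
    return ret == 0;
}

/* After the patch: only a negative return is an error. */
static bool commit_ok_after(int simulated_ret)
{
    int ret = fake_semanage_commit(simulated_ret);
    return ret >= 0;
}
```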
[PATCHES] Create krb5 access provider
by Sumit Bose
Hi,
this series of patches implements an access target for the Kerberos
provider based on the krb5_kuserok() call which checks $HOME/.k5login.
This patch should fix ticket #618.
bye,
Sumit
13 years, 5 months
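An added example, not part of Sumit's patches or of MIT Kerberos: the .k5login listing check that krb5_kuserok() performs when the file exists, modelled as an exact per-line match over constructed file contents. The real call parses each line as a principal and, when the file is absent, falls back to checking whether the principal maps to the local user name; neither of those is modelled here.

```c
#include <stdbool.h>
#include <string.h>

/* Does `principal` appear in the given .k5login contents? One principal per
 * line, blank lines ignored, whole-line match only (a prefix or substring
 * match would let alice@EXAMPLE.COMX pass as alice@EXAMPLE.COM). */
static bool k5login_allows(const char *k5login_text, const char *principal)
{
    size_t plen = strlen(principal);
    const char *line = k5login_text;

    if (plen == 0) return false;                 /* an empty principal never matches */
    while (*line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);

        if (len > 0 && line[len - 1] == '\r') len--;   /* tolerate CRLF line endings */
        if (len == plen && memcmp(line, principal, plen) == 0) return true;
        if (end == NULL) break;
        line = end + 1;
    }
    return false;
}
```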
[PATCH] Handle errors during log reopening better
by Stephen Gallagher
This patch makes two changes:
1) If we receive an error from rotating the logs, add it to the syslog
message
2) Check for EINTR when closing the debug file and retry.
This will either resolve https://fedorahosted.org/sssd/ticket/668 or at
minimum help identify it.
13 years, 5 months
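An added example, not the patch itself: an EINTR-aware close() helper and a syslog message that carries the reopen error, matching the two changes listed. The function names and the /tmp/example.log path are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Close a log descriptor, retrying while close() reports EINTR as the patch
 * does. Caveat from close(2) on Linux: the descriptor is already released
 * when close() returns EINTR, so a retry may fail with EBADF; that outcome
 * is treated as success rather than as a second error. */
static int close_retry(int fd)
{
    int saw_eintr = 0;
    for (;;) {
        if (close(fd) == 0) return 0;
        if (errno == EINTR) { saw_eintr = 1; continue; }
        if (errno == EBADF && saw_eintr) return 0;
        return -1;            /* errno left set for the caller's syslog message */
    }
}

/* Build the syslog text for a failed log reopen, carrying errno and its
 * description so the failure can be diagnosed instead of silently ignored.
 * Returns the message length, as snprintf does. */
static int format_reopen_error(char *buf, size_t size, const char *path, int err)
{
    return snprintf(buf, size, "Could not reopen log file %s: error %d [%s]",
                    path, err, strerror(err));
}

/* Exercise close_retry on a pipe: both ends close cleanly, and closing an
 * already-closed descriptor (with no prior EINTR) is reported as an error.
 * Returns 0 on the expected behaviour, otherwise the failing step. */
static int close_retry_demo(void)
{
    int fds[2];
    if (pipe(fds) != 0) return 1;
    if (close_retry(fds[0]) != 0) return 2;
    if (close_retry(fds[1]) != 0) return 3;
    if (close_retry(fds[0]) != -1 || errno != EBADF) return 4;
    return 0;
}
```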
[PATCH] Store krb5 auth context for other targets
by Sumit Bose
Hi,
this patch should fix ticket #628. It was reported that in the case of a
timeout the KDC was contacted two times. This happened because the KDC
was added two times (one for the auth target, the other for the chpass
target). There is already some code which should detect multiple
initialisation from different targets, but it didn't work correctly.
This patch should fix it.
bye,
Sumit
13 years, 5 months
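An added example, not Sumit's patch: a constructed backend model in which the auth and chpass targets fetch one stored Kerberos context through krb5_ctx_get(), so the KDC is added to the server list once regardless of how many targets initialise. All names and the kdc.example.com host are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of one backend's Kerberos context and the targets that share it. */
struct krb5_ctx_model {
    char kdc[64];
    int kdc_entries;                   /* times the KDC was added to the server list */
};

struct backend_model {
    struct krb5_ctx_model *krb5_ctx;   /* NULL until the first target initialises */
    int targets_attached;
};

/* Return the backend's Kerberos context, building it (and adding the KDC) only on
 * the first call; the auth and chpass targets then reuse the stored context. */
static struct krb5_ctx_model *krb5_ctx_get(struct backend_model *be, const char *kdc)
{
    if (be->krb5_ctx == NULL) {
        struct krb5_ctx_model *ctx = calloc(1, sizeof(*ctx));
        if (ctx == NULL) return NULL;
        strncpy(ctx->kdc, kdc, sizeof(ctx->kdc) - 1);
        ctx->kdc_entries = 1;          /* added exactly once */
        be->krb5_ctx = ctx;
    }
    be->targets_attached++;
    return be->krb5_ctx;
}

/* Initialise the auth and chpass targets against one backend and report how many
 * KDC entries the context holds: 1 when shared (the patch's intent), whereas one
 * context per target would have added the KDC twice. Returns -1 on failure. */
static int shared_ctx_demo(void)
{
    struct backend_model be = { NULL, 0 };
    struct krb5_ctx_model *auth_ctx = krb5_ctx_get(&be, "kdc.example.com");
    struct krb5_ctx_model *chpass_ctx = krb5_ctx_get(&be, "kdc.example.com");
    int entries;

    if (auth_ctx == NULL || chpass_ctx != auth_ctx || be.targets_attached != 2) {
        free(auth_ctx);
        return -1;
    }
    entries = auth_ctx->kdc_entries;
    free(auth_ctx);
    return entries;
}
```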