=============== A security bug in SSSD 1.12 and later =========================
=
= Subject: Unsanitized input when searching in local cache database
=
= CVE ID#: CVE-2017-12173
=
= Summary: SSSD stores its cached data in an LDAP-like local database
= file using libldb. To look up cached data, LDAP search
= filters like '(objectClass=user)(name=user_name)' are used.
= However, in sysdb_search_user_by_upn_res(), the input is
= not sanitized, which allows the search filter used for
= cache lookups to be manipulated.
=
= This would allow a logged-in user to discover the password
= hash of a different user.
=
= Impact: Moderate
=
= Affects default
= configuration: When configured with tools like realmd or
= ipa-client-install
=
= Introduced with: 1.12.0
=
==============================================================================
==== DESCRIPTION ====
SSSD stores its cached data in an LDAP-like local database file using libldb.
To look up cached data, LDAP search filters like
'(objectClass=user)(name=user_name)' are used. However, in
sysdb_search_user_by_upn_res(), the input is not sanitized, which allows the
search filter used for cache lookups to be manipulated.
This would allow a logged-in user to discover the password hash of a different
user.
While in the default configuration the sssd.conf parameter 'cache_credentials'
is set to 'False', it is typically switched to 'True' by tools like realmd or
ipa-client-install to support offline authentication.
To remove the password hashes from the cache, 'cache_credentials' should be
set to 'False' in all [domain/...] sections of sssd.conf. Additionally, the
already stored hashes must be removed, e.g. by calling
ldbedit -H /var/lib/sss/db/cache_DOMAIN-NAME.ldb
for each configured domain and removing all 'cachedPassword' attributes.
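The bug class above, a value interpolated into an ldb search filter without escaping, shown as an added example that is not SSSD's code: the unsanitized construction the advisory describes sits next to the hardened form that escapes the RFC 4515 metacharacters first. The filter template and the userPrincipalName attribute are assumptions for illustration, not SSSD's actual filter.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative template; SSSD's exact UPN filter and attribute are assumed. */
#define UPN_FILTER_TMPL "(&(objectClass=user)(userPrincipalName=%s))"

/* Escape RFC 4515 filter metacharacters so the value is matched literally.
 * Returns a malloc'd string (at most 3 bytes per input byte); caller frees. */
char *ldap_filter_escape(const char *in) {
    char *out = malloc(strlen(in) * 3 + 1), *p = out;
    if (out == NULL) return NULL;
    for (const char *s = in; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '*':  rep = "\\2a"; break;
        case '(':  rep = "\\28"; break;
        case ')':  rep = "\\29"; break;
        case '\\': rep = "\\5c"; break;
        }
        if (rep) { memcpy(p, rep, 3); p += 3; } else { *p++ = *s; }
    }
    *p = '\0';
    return out;
}

/* The unsanitized pattern the advisory describes: value pasted straight in. */
char *build_upn_filter_unsanitized(const char *upn) {
    size_t n = strlen(UPN_FILTER_TMPL) + strlen(upn) + 1;
    char *f = malloc(n);
    if (f) snprintf(f, n, UPN_FILTER_TMPL, upn);
    return f;
}

/* Hardened form: escape first, then interpolate into the same template. */
char *build_upn_filter_sanitized(const char *upn) {
    char *esc = ldap_filter_escape(upn), *f = NULL;
    if (esc) { f = build_upn_filter_unsanitized(esc); free(esc); }
    return f;
}

/* Count unescaped '(' in a filter: the template contributes exactly 3, so a
 * higher count means the value opened extra filter components. */
int count_filter_opens(const char *f) {
    int n = 0;
    for (; *f; f++) {
        if (*f == '\\' && f[1]) f++;      /* skip the escaped byte */
        else if (*f == '(') n++;
    }
    return n;
}
```

Feeding a constructed value such as "a*b(c)d\e@EXAMPLE.TEST" through both builders shows the unsanitized filter gaining an extra component while the sanitized one keeps exactly the three the template defines.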
==== PATCH AVAILABILITY ====
The patch is available at:
https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835?bran…
Welcome to Identity and Access Management developer room at FOSDEM 2018
(Brussels, Belgium, February 3rd).
FOSDEM is a free software event that offers open source communities a place to
meet, share ideas and collaborate. It is renowned for being highly
developer-oriented and brings together 8000+ participants from all over the
world. It is held in the city of Brussels (Belgium).
FOSDEM 2018 will take place during the weekend of February 3rd-4th 2018. More
details about the event can be found at http://fosdem.org/
On Saturday, February 3rd, FOSDEM will see a first-time Identity and Access
Management developer room. Devrooms are a place for development teams to meet,
discuss, hack and publicly present their project's latest improvements and
future directions.
Identity and Access Management (IAM/IdM) is a concept that touches everyone's
lives. We all have many identities and associated credentials to manage. At
work, we need to access many kinds of services every day, sometimes with
multiple identities and using different authentication methods. Those who
deploy identity infrastructure also need to deal with audit and monitoring of
user activities. Security is paramount, but efficiency and ease of use matter
too!
** Call For Participation
The IAM/IdM developer room is devoted to all things Identity Management. Both
server-side and client-side free software projects in the area of identity
management are welcome to present their state and progress.
Presentation topics could include:
- Security: algorithms and protocols for IAM/IdM;
passwords and password alternatives
- Federated and social identity;
leveraging external identities in applications
- Audit, compliance, monitoring
- User experience, desktop integration
- Free software IAM/IdM offerings
- IAM/IdM deployment reports
and more. Don't be shy and show how your project helps to improve our lives.
** Important dates:
- 26 Nov 2017: submission deadline for talk proposals
- 15 Dec 2017: announcement of the final schedule
- 3 Feb 2018: Identity and Access Management devroom (Saturday)
Talk proposals will be reviewed by a steering committee:
- Alexander Bokovoy (Samba Team, FreeIPA // Red Hat Inc.)
- Marcus Rückert (OpenSUSE Infrastructure // SUSE LINUX GmbH)
- Jakub Hrozek (SSSD // Red Hat Inc.)
- Timo Aaltonen (Debian, Ubuntu // Canonical)
Use the FOSDEM 'pentabarf' tool to submit your proposal:
https://penta.fosdem.org/submission/FOSDEM18
- If necessary, create a Pentabarf account and activate it.
Please reuse your account from previous years if you have
already created it.
- In the "Person" section, provide First name, Last name
(in the "General" tab), Email (in the "Contact" tab)
and Bio ("Abstract" field in the "Description" tab).
- Submit a proposal by clicking on "Create event".
- Important! Select the "Identity and Access Management devroom" track
(on the "General" tab).
- Provide the title of your talk ("Event title" in the "General" tab).
- Provide a description of the subject of the talk and the
intended audience (in the "Abstract" field of the "Description" tab)
- Provide a rough outline of the talk or goals of the session (a short
list of bullet points covering topics that will be discussed) in the
"Full description" field in the "Description" tab
- Provide an expected length of your talk in the "Duration" field. Please
include at least 10 minutes of discussion in your proposal.
Suggested talk lengths are 15, 20+10, 30+10, and 40+10 minutes.
** Recording of talks
The FOSDEM organizers plan to have live streaming and recording fully working,
both for remote/later viewing of talks, and so that people can watch streams
in the hallways when rooms are full. This requires speakers to consent to
being recorded and streamed. If you plan to be a speaker, please understand
that by doing so you implicitly give consent for your talk to be recorded and
streamed. The recordings will be published under the same license as all
FOSDEM content (CC-BY).
--
/ Alexander Bokovoy
URL: https://github.com/SSSD/sssd/pull/392
Author: jhrozek
Title: #392: GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found
Action: opened
PR body:
"""
If a referral returned during AD GPO processing cannot be assigned to a
known domain, at the moment SSSD accesses memory that was freed previously
with ldap_free_urldesc().
This patch moves the ldap_free_urldesc() call to both the error handler and
the success branch after we are done working with the LDAPURLDesc instance.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/392/head:pr392
git checkout pr392
URL: https://github.com/SSSD/sssd/pull/231
Title: #231: changing all talloc_get_type() with talloc_get_type_abort()
jhrozek commented:
"""
@amitkumar50 I'm going to close this PR for now because it hasn't received any update for a long time. But please feel free to either reopen it or open a new one with a patch update.
"""
See the full comment at https://github.com/SSSD/sssd/pull/231#issuecomment-334488476
URL: https://github.com/SSSD/sssd/pull/218
Author: celestian
Title: #218: TEST: Adding python-requests to dependencies
Action: opened
PR body:
"""
Resolves:
https://pagure.io/SSSD/sssd/issue/3353
Note:
I am not sure if this is the correct dependency which we were looking for. But it is needed anyway. If we need more, don't hesitate to write me.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/218/head:pr218
git checkout pr218