[sssd PR#5494][opened] pam_sss_gss: support authentication indicators
by abbra
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: opened
PR body:
"""
MIT Kerberos allows associating authentication indicators with the
issued ticket based on how the TGT was obtained. The indicators
present in the TGT are then copied to service tickets. There are two ways to
check the authentication indicators:
- when the KDC issues a service ticket, a policy on the KDC side can reject the
ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a
client, it can verify that this ticket contains the intended
authentication indicators before authorizing access from the client.
Add support to validate the presence of a specific (set of) authentication
indicator(s) in pam_sss_gss when validating a user's TGT.
This concept can be used to only allow access to a PAM service when the user
is in possession of a ticket obtained using one of the pre-authentication
mechanisms that require multiple factors: smart cards (PKINIT), 2FA
tokens (otp/radius), etc.
Resolves: https://github.com/SSSD/sssd/issues/5482
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494
[sssd PR#5485][opened] sudo: do not search by low usn value to improve performance
by pbrezina
URL: https://github.com/SSSD/sssd/pull/5485
Author: pbrezina
Title: #5485: sudo: do not search by low usn value to improve performance
Action: opened
PR body:
"""
This is a follow-up on these two commits.
- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
- 6815844daa7701c76e31addbbdff74656cd30bea
The first one improved the search filter a little bit to achieve better
performance, however it also changed the behavior: we started to search
for `usn >= 1` in the filter if no usn number was known.
This caused issues on the OpenLDAP server, which were fixed by the second patch.
However, the fix was wrong and searching by this meaningfully low number
can cause performance issues depending on how the filter is optimized and
evaluated on the server.
Now we omit the usn attribute from the filter if there is no meaningful value.
How to test:
1. Set up LDAP with no sudo rules defined
2. Make sure that the LDAP server does not support USN or use the following diff
to enforce modifyTimestamp (last USN is always available from rootDSE)
```diff
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 32c0144b9..c853e4dc1 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
if (rootdse) {
- if (last_usn_name) {
+ if (false) {
ret = sysdb_attrs_get_string(rootdse,
last_usn_name, &last_usn_value);
if (ret != EOK) {
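Review bot: `if (false)` unconditionally skips the rootDSE lookup of `last_usn_value`, so the test also covers servers that do advertise a last USN in rootDSE, which is what step 2 asks for; since the constant is hardcoded this hunk is test-only scaffolding and must not be part of the submitted change, so it is worth saying so explicitly in the PR text rather than leaving it to the reader.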
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
}
}
- if (!last_usn_name) {
+ if (true) {
DEBUG(SSSDBG_FUNC_DATA,
"No known USN scheme is supported by this server!\n");
if (!entry_usn_name) {
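Review bot: `if (true)` forces the "No known USN scheme is supported by this server!" branch regardless of what rootDSE returned, so step 3 should additionally check that this DEBUG message shows up in the log (it is emitted at `SSSDBG_FUNC_DATA`), which confirms the modifyTimestamp fallback is actually active rather than a cached USN value; the inner `if (!entry_usn_name)` still depends on `opts->gen_map[SDAP_AT_ENTRY_USN]`, so the test description should state which schema map was used.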
```
3. Run SSSD with sudo and check that smart refresh filter does not contain modifyTimestamp
4. Add a new sudo rule, check that the filter does contain it after the rule is cached
Resolves: https://github.com/SSSD/sssd/issues/5483
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5485/head:pr5485
git checkout pr5485
Announcing SSSD 2.4.1
by Pavel Březina
# SSSD 2.4.1
The SSSD team is proud to announce the release of version 2.4.1 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.4.1
See the full release notes at:
https://sssd.io/docs/users/relnotes/notes_2_4_1
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* `SYSLOG_IDENTIFIER` was renamed to `SSSD_PRG_NAME` in journald output,
to avoid issues with PID parsing in rsyslog (BSD-style forwarder) output.
### New features
* New PAM module `pam_sss_gss` for authentication using GSSAPI
* `case_sensitive=Preserving` can now be set for trusted domains with AD
provider
* `case_sensitive=Preserving` can now be set for trusted domains with
IPA provider. However, the option needs to be set to `Preserving` on
both client and the server for it to take effect.
* `case_sensitive` option can now be inherited by subdomains
* `case_sensitive` can now be set separately for each subdomain in
`[domain/parent/subdomain]` section
* `krb5_use_subdomain_realm=True` can now be used when sub-domain user
principal names have upnSuffixes which are not known in the parent
domain. SSSD will try to send the Kerberos request directly to a KDC of
the sub-domain.
### Important fixes
* krb5_child uses proper umask for DIR type ccaches
* Memory leak in the simple access provider
* KCM performance has improved dramatically for cases where a large number
of credentials is stored in the ccache.
### Packaging changes
* Added `pam_sss_gss.so` PAM module and `pam_sss_gss.8` manual page
### Configuration changes
* New default value of `debug_level` is 0x0070
* Added `pam_gssapi_check_upn` to enforce authentication only with a
principal that can be associated with the target user.
* Added `pam_gssapi_services` to list PAM services that can authenticate
using GSSAPI
[sssd PR#5477][opened] DEBUG: Use () in program identifier instead of []
by sigv
URL: https://github.com/SSSD/sssd/pull/5477
Author: sigv
Title: #5477: DEBUG: Use () in program identifier instead of []
Action: opened
PR body:
"""
SYSLOG_IDENTIFIER should not use square brackets "[]" as a separator. As per the informational RFC 3164, square brackets in the TAG portion represent the process ID (PID).
If Journald is forwarded to Syslog and written in line with RFC 3164, the resulting lines would contain a TAG such as:
- `sssd[sudo][1234]: `
- `sssd[be[EXAMPLE.COM]][1235]: `
This change replaces those respectively with
- `sssd(sudo)[1234]: `
- `sssd(be(EXAMPLE.COM))[1235]: `
This still allows parsing the SYSLOG_IDENTIFIER, if so preferred, while complying with RFC 3164 at the same time.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5477/head:pr5477
git checkout pr5477
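The parsing problem the PR describes, shown on constructed log lines. This is an added example, not code from the PR or from SSSD: a minimal RFC 3164-style TAG reader that takes the first `[...]` after the program name as the PID, which is why the old `sssd[sudo][1234]` form yields a bogus PID while the new `sssd(sudo)[1234]` form parses cleanly and still lets the nested identifier be recovered.

```python
import re
from typing import NamedTuple, Optional

# RFC 3164-style TAG reader (assumption: TAG is the text before ": " and
# the first "[...]" after the program name is the PID field).
TAG_RE = re.compile(r'^(?P<prog>[^\[:]+)(?:\[(?P<pid>[^\]]*)\])?')


class ParsedTag(NamedTuple):
    program: str         # program identifier as the parser sees it
    pid_field: str       # raw contents of the first [...] ("" if none)
    pid: Optional[int]   # numeric PID, or None when the field is not numeric


def parse_tag(line: str) -> ParsedTag:
    """Extract program name and PID from a BSD-syslog line's TAG."""
    tag, _sep, _msg = line.partition(': ')
    m = TAG_RE.match(tag)
    if m is None:
        return ParsedTag(tag, '', None)
    pid_field = m.group('pid') or ''
    pid = int(pid_field) if pid_field.isdigit() else None
    return ParsedTag(m.group('prog'), pid_field, pid)


def split_identifier(program: str) -> list:
    """Recover the nested parts of a parenthesised identifier,
    e.g. 'sssd(be(EXAMPLE.COM))' -> ['sssd', 'be', 'EXAMPLE.COM']."""
    return [part.rstrip(')') for part in program.split('(')]


# Constructed sample lines in the old ([]) and new (()) forms.
OLD_LINES = [
    'sssd[sudo][1234]: refreshing sudo rules',
    'sssd[be[EXAMPLE.COM]][1235]: backend is online',
]
NEW_LINES = [
    'sssd(sudo)[1234]: refreshing sudo rules',
    'sssd(be(EXAMPLE.COM))[1235]: backend is online',
]

if __name__ == '__main__':
    for line in OLD_LINES + NEW_LINES:
        p = parse_tag(line)
        print(f'{line!r:50} -> program={p.program!r} pid={p.pid} '
              f'parts={split_identifier(p.program)}')
```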