URL:
https://github.com/SSSD/sssd/pull/275
Title: #275: Implement access verification by rhost using ldap_access_order rhost option
akamensky commented:
"""
For the DNS/rDNS verification I am considering implementing the following (bearing in mind [RFC 1912](https://tools.ietf.org/html/rfc1912)):

0. Documentation must **explicitly** state that use of DNS/rDNS is going to introduce delays and should be used with caution, and recommend setting `UseDNS no` in `sshd_conf` to avoid problems with non-matching rDNS.
1. If PAM provides an IP address (IPv4 or IPv6) as rhost, then use it directly; if PAM provides a hostname, resolve it to an IP address (IPv4 and/or IPv6) using forward resolution (as per the RFC 1912 recommendation for FCrDNS) and use this IP address directly.
2. Relevant LDAP records must be prepended with a record type identifier in the manner `[!]identifier:record`. Allowed identifiers are `ip4|ip6|host`. For example, record `host:host1.example.com` to allow access from the host with DNS record host1.example.com, and `!ipv4:192.0.0.1` to deny access from the rhost with IPv4 address 192.0.0.1. This is to spare some time on figuring out whether the record is a valid IPv4/IPv6 address or a hostname.
3. Additional configuration option `ldap_authorized_rhost_use_dns = <bool> (Default: False)`. This option would enable/disable use of DNS/rDNS in the verification process.
    1. If disabled, whatever is received from the LDAP record is matched as-is to whatever is received from PAM as the user's rhost (without the resolution mentioned in point 1 and ignoring the identifier from point 2).
    2. When enabled, the following logic would be applied:
        1. If the LDAP record is an IPv4 or IPv6 address, match it against rhost (IPv4 or IPv6).
        2. If the LDAP record is a hostname, then perform forward resolution of that hostname to IP address(es) (v4 and/or v6), then match the resulting addresses against rhost. If both v4 and v6 IP addresses are available in rhost (after resolution in point 1), then each one must match (i.e. strict matching).

Please let me know if that is good, or whether any adjustments to this are needed (e.g. throw away point 2 and attempt to check the type of record inside SSSD)?
I will hold off on implementation until there is feedback on these.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/275#issuecomment-315590636
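The matching logic proposed in the comment above (points 1 to 3), as an added illustration that is not SSSD code: `[!]identifier:record` values are parsed, an IP rhost is used directly, a hostname rhost is forward-resolved, and `host:` records use strict matching. `FAKE_DNS` is a constructed stand-in for forward DNS so the example runs offline, and the rule that a matching deny entry wins over any allow entry is an assumption the comment does not state.

```python
import ipaddress

# Constructed stand-in for forward DNS resolution (a real implementation
# would call getaddrinfo()); names map to their forward-resolved addresses.
FAKE_DNS = {
    "host1.example.com": ["192.0.2.10", "2001:db8::10"],
    "host2.example.com": ["198.51.100.7"],
}

def resolve(name):
    return FAKE_DNS.get(name, [])

def parse_rule(value):
    """Split an LDAP value of the form [!]identifier:record (point 2)."""
    deny = value.startswith("!")
    body = value[1:] if deny else value
    ident, sep, record = body.partition(":")
    if not sep or ident not in ("ip4", "ip6", "host"):
        raise ValueError("malformed rhost rule: %r" % value)
    return deny, ident, record

def rhost_addresses(rhost):
    """Point 1: use an IP rhost directly, forward-resolve a hostname rhost."""
    try:
        return {ipaddress.ip_address(rhost)}
    except ValueError:
        return {ipaddress.ip_address(a) for a in resolve(rhost)}

def rule_matches(ident, record, addrs):
    """Point 3.2: an address record must appear among the rhost addresses;
    a host record is forward-resolved and every rhost address must be
    covered by the result (strict matching)."""
    if ident in ("ip4", "ip6"):
        return ipaddress.ip_address(record) in addrs
    resolved = {ipaddress.ip_address(a) for a in resolve(record)}
    return bool(addrs) and addrs <= resolved

def check_rhost(rhost, rules, use_dns):
    """Return True if access is allowed. Assumption: a matching deny rule
    takes precedence over any matching allow rule."""
    addrs = rhost_addresses(rhost) if use_dns else None
    allowed = False
    for value in rules:
        deny, ident, record = parse_rule(value)
        # Point 3.1: with DNS disabled the record is compared as-is and the
        # identifier is ignored; otherwise apply the resolution logic.
        hit = rule_matches(ident, record, addrs) if use_dns else record == rhost
        if hit and deny:
            return False
        allowed = allowed or hit
    return allowed
```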