# SSSD 2.13.0

The SSSD team is announcing the release of version 2.13.0 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/2.13.0

See the full release notes at: https://sssd.io/release-notes/sssd-2.13.0.html

RPM packages will be made available for Fedora shortly.

## Feedback

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users

# SSSD 2.13.0 Release Notes

## Highlights

### General information

- Security fix for CVE-2026-6245: out-of-bounds read in PAM passkey responder - During the processing of the `pam_sss_gss` request SSSD will read the SID from the PAC of the Kerberos ticket and might add authentication indicators based on the value of the new option `pam_gssapi_indicators_apply`. The primary use case is to handle SIDs added by Active Directory's Authentication Mechanism Assurance (AMA). - Active Directory's Foreign Security Principals (FSP) are now properly detected and ignored when reading nested group members. The `ldap_ignore_unreadable_references` option is only needed to ignore member objects which are really not accessible. - A number of cache performance optimizations for large deployments.

### New features

- Tokens acquired from the IdP are now stored in the domain cache, and are automatically refreshed if the new option `idp_auto_refresh` is enabled. - `idp_type` option allows `entra_idp` url to be specified if user is using a different Microsoft Entra endpoint. - KDE Plasma Login Manager support.

### Configuration changes

- New option `avoid_by_id_lookups` to tell the SSSD responders to use a lookup by name instead of by id where possible - New options to customize the OAuth2 prompting behavior: `interactive` and `interactive_prompt`.

### Packaging changes

- New `./configure` option `--enable-sensitive-logs` to enable logging of sensitive data (like, for example, IdP tokens). Recommended for debug builds only.