John Hodrien <J.H.Hodrien(a)leeds.ac.uk> wrote on 2014/09/25 15:06:16:
On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
> John Hodrien <J.H.Hodrien(a)leeds.ac.uk> wrote on 2014/09/25 11:22:52:
> How is local root pw any different than domain pw? In your view remote
> access is a big no-no so sssd should also enforce no remote root
> that case. I have no problem using local root pw when I known
> but I don't care to memorize them all, besides users can
It isn't, but sssd isn't in a position to enforce it for local accounts.
But you argue strongly for never allowing remote root login to the degree
that you have forcefully disabled root login in sssd. Then it is
you should also do your best to disallow local root pw login. You could
scan sshd, PAM, securetty etc. and simply refuse to start if sssd finds
that local root pw is allowed over the network.
is, which is why ssh provides the option:
Why would I want to enable that?
If users change local root passwords they can equally well break sssd.
They're unlikely to remove an authorized_keys file, and if they do,
them. I can't see what advantage you have using a network root
over an ssh key, or a kerberos ticket.
> You just said it: "best practice", not a law. In this context, sssd
> policy and that is not sssd's call to make IMHO. You should
> practice though. One day we will get there but not today :)
SSSD dictates what it does to be safe. I've no problem with that
It is not a default, there is no choice
> Finally, why are you not up front with this policy? Nowhere I can find
> this documented and since this is an unusual enforcement you
> this limitation with "big letters" so everyone is
> aware beforehand, it
> would have saved me a lot of time.
It might be worth forgiving sssd a little here.
auth requisite pam_succeed_if.so uid >= 500 quiet
You've almost certainly got something like this in pam. Don't accept
auth for local system accounts is a normal PAM policy.
That is a choice I got in PAM, sssd offers no choice.
Still, I don't see how the above somehow documents sssd's
"no root login whatsoever" policy. The docs actually hint the
filter_users, filter_groups (string)
Exclude certain users from being fetched from the sss NSS database. This
is particularly useful for system accounts. This option can also be set
per-domain or include fully-qualified names to filter only users from the
This makes me think I only have to add an empty filter_users to allow root
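The check Joakim proposes (scan the sshd configuration and flag the case where root can log in over the network with a password) applied to an sshd_config, as an added example that is not part of this thread or of sssd. It assumes OpenSSH's first-occurrence-wins parsing, the PermitRootLogin values yes / no / without-password / prohibit-password / forced-commands-only, and skips Match blocks; the defaults table is an assumption.

```python
"""Audit an sshd_config for root password login over the network.

Added example, not code from the thread or from sssd. Assumes OpenSSH
semantics: the first occurrence of a keyword wins, and every
PermitRootLogin value other than 'yes' refuses password auth for root.
Lines after a 'Match' line are skipped, so Match-scoped overrides are
deliberately not evaluated here.
"""

# Assumed OpenSSH defaults used when a keyword is absent (the
# PermitRootLogin default became prohibit-password in OpenSSH 7.0).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Old spelling of the keyboard-interactive switch, folded into the new one.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {keyword: value}, first match wins, Match blocks skipped."""
    values = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        key, val = tokens[0], (tokens[1] if len(tokens) > 1 else "")
        if "=" in key:                      # 'Keyword=value' form
            key, val = key.split("=", 1)
        key = ALIASES.get(key.lower(), key.lower())
        if key == "match":
            in_match = True                 # rest of file is Match-scoped
            continue
        if in_match or key in values:
            continue
        values[key] = val.strip().lower()
    return values


def root_password_login_allowed(text):
    """True if root can authenticate over SSH with a password under this config."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_sshd_config(text))
    if cfg["permitrootlogin"] != "yes":
        return False
    # Keyboard-interactive (PAM) is a password path too, so both must be off.
    return (cfg["passwordauthentication"] == "yes"
            or cfg["kbdinteractiveauthentication"] == "yes")
```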