Chapter 26. Policy: Restricting Domains for PAM services
Some environments require that different PAM applications access a different set of SSSD domains. Legacy PAM modules, such as
pam_ldapwere able to use a separate configuration file as a parameter for a PAM module. This chapter describes a similar feature for SSSD.
One example use case may be an environment that allows external users to authenticate to an FTP server. The server runs as a separate non-privileged user which should only be able to authenticate to a selected SSSD domain, separate from internal company accounts. With this feature, the administrator can allow the FTP user to only authenticate to selected domains specified in the FTP PAM configuration file.
The following options are available for PAM modules and SSSD to restrict access to selected domains in a secure way:
- pam_trusted_users (for
- This option accepts a list of numerical UIDs or user names that are to be trusted by the SSSD daemon. The default value is the special keyword
all, which means all users are trusted. This is in line with the current behavior where any user can access any domain.
- pam_public_domains (for
- This option accepts a comma-separated list of SSSD domains accessible even for untrusted users. Two special keywords,
none, are also available. The default value is
noneto make sure that when the administrator starts differentiating between trusted and untrusted domains, he or she is required to manually specify the domains that can be accessed by an untrusted client.
- domains (for individual PAM module configuration)
- This option accepts a list of domains to which a PAM service will be restricted to authenticate against. The setting interacts with the
domains=option in the
/etc/sssd/sssd.conffile, which specifies the list of domains in the order SSSD will query. The PAM module configuration cannot add to this list but can restrict it by specifying a shorter list.
Example 26.1. Sample PAM Module Configuration
A general configuration line of a
/etc/pam.d/configuration file has the following form:
module-type control-flag module-path arguments
In this example, sample configuration for a test module is shown. Arguments to restrict domain access are added at the end of each line. The test module is restricted to only the
openldapdomain and the
pam_envmodule to set/unset environment variables is allowed for all users.
$ cat /etc/pam.d/sss_test auth required pam_sss.so domains=openldap account required pam_sss.so domains=openldap session required pam_sss.so domains=openldap password required pam_sss.so domains=openldap
In addition to PAM configuration, the relevant snippets
/etc/sssd/sssd.confcan look like this:
[sssd] domains = ipa, openldap # the list can be restricted by specific PAM module configuration [pam] pam_public_domains = ipa # all users are allowed to access the ipa domain pam_trusted_users = root, sss_test # root and sss_test are allowed to run PAM