Chapter 26. Policy: Restricting Domains for PAM services

Some environments require that different PAM applications access a different set of SSSD domains. Legacy PAM modules, such as pam_ldap, were able to take a separate configuration file as a module argument. This chapter describes a similar feature for SSSD.
One example use case may be an environment that allows external users to authenticate to an FTP server. The server runs as a separate non-privileged user which should only be able to authenticate to a selected SSSD domain, separate from internal company accounts. With this feature, the administrator can allow the FTP user to only authenticate to selected domains specified in the FTP PAM configuration file.
The following options are available for PAM modules and SSSD to restrict access to selected domains in a secure way:
pam_trusted_users (for sssd.conf)
This option accepts a list of numerical UIDs or user names that are to be trusted by the SSSD daemon. The default value is the special keyword all, which means all users are trusted. This is in line with the current behavior where any user can access any domain.
pam_public_domains (for sssd.conf)
This option accepts a comma-separated list of SSSD domains accessible even for untrusted users. Two special keywords, all and none, are also available. The default value is none to make sure that when the administrator starts differentiating between trusted and untrusted domains, he or she is required to manually specify the domains that can be accessed by an untrusted client.
domains (for individual PAM module configuration)
This option accepts a list of domains against which a PAM service is permitted to authenticate. The setting interacts with the domains= option in the /etc/sssd/sssd.conf file, which specifies the list of domains in the order SSSD will query. The PAM module configuration cannot add to this list but can restrict it by specifying a shorter list.

Example 26.1. Sample PAM Module Configuration

A general configuration line of a /etc/pam.d/ configuration file has the following form:
module-type control-flag module-path arguments
This example shows a sample configuration for a test service. Arguments to restrict domain access are added at the end of each line. The test service is restricted to only the openldap domain, and the pam_env module used to set and unset environment variables is allowed for all users.
$ cat /etc/pam.d/sss_test
auth     required   pam_sss.so domains=openldap
account  required   pam_sss.so domains=openldap
session  required   pam_sss.so domains=openldap
password required   pam_sss.so domains=openldap
In addition to the PAM configuration, the relevant snippets of /etc/sssd/sssd.conf can look like this:
[sssd]
domains = ipa, openldap # the list can be restricted by specific PAM module configuration

[pam]
pam_public_domains = ipa # all users are allowed to access the ipa domain
pam_trusted_users = root, sss_test # root and sss_test are allowed to run PAM
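To check how these three settings combine for a given service and caller, the following added example (not part of this chapter or of SSSD itself) models the rules stated above: domains= in the PAM service file can only narrow the sssd.conf domain list, and callers not listed in pam_trusted_users only reach pam_public_domains. The sssd.conf and pam.d contents are constructed from the snippets in this chapter; the model is an assumption about the resulting policy, not SSSD's own code.

```python
import configparser

# Constructed copy of the sssd.conf snippets shown in this chapter.
SSSD_CONF = """
[sssd]
domains = ipa, openldap

[pam]
pam_public_domains = ipa
pam_trusted_users = root, sss_test
"""

# Constructed copy of the /etc/pam.d/sss_test service file from the chapter.
PAM_SSS_TEST = """
auth     required   pam_sss.so domains=openldap
account  required   pam_sss.so domains=openldap
"""

def _split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def parse_sssd_conf(text):
    """Pull the three policy-relevant options out of an sssd.conf, with their documented defaults."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(text)
    return {
        "domains": _split_list(cp.get("sssd", "domains", fallback="")),
        "public": _split_list(cp.get("pam", "pam_public_domains", fallback="none")),
        "trusted": _split_list(cp.get("pam", "pam_trusted_users", fallback="all")),
    }

def pam_service_domains(text, module="pam_sss.so"):
    """Return the domains= list from the first pam_sss line, or None if the service is unrestricted."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == module:
            for arg in fields[3:]:
                if arg.startswith("domains="):
                    return _split_list(arg[len("domains="):])
    return None

def effective_domains(conf, pam_domains, caller):
    """Domains the caller (user name or UID, as a string) may reach through this service.
    Assumed model: PAM domains= only narrows the sssd.conf list; untrusted callers are
    further limited to pam_public_domains (all / none / explicit list)."""
    allowed = conf["domains"] if pam_domains is None else [d for d in conf["domains"] if d in pam_domains]
    if conf["trusted"] == ["all"] or str(caller) in conf["trusted"] or conf["public"] == ["all"]:
        return allowed
    if conf["public"] == ["none"]:
        return []
    return [d for d in allowed if d in conf["public"]]
```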