10.4. Restricting Domains for PAM services
This feature requires SSSD to be running on the system.
SSSD enables you to restrict which domains can be accessed by PAM services. SSSD evaluates authentication requests from PAM services based on the user the particular PAM service is running as. Whether the PAM service can access an SSSD domain depends on whether the PAM service user is able to access the domain.
An example use case is an environment where external users are allowed to authenticate to an FTP server. The FTP server is running as a separate non-privileged user that should only be able to authenticate to a selected SSSD domain, separate from internal company accounts. With this feature, the administrator can allow the FTP user to only authenticate to selected domains specified in the FTP PAM configuration file.
This functionality is similar to legacy PAM modules, such as pam_ldap, which were able to use a separate configuration file as a parameter for a PAM module.
Options to Restrict Access to Domains
The following options are available to restrict access to selected domains:
pam_trusted_users in /etc/sssd/sssd.conf
- This option accepts a list of numerical UIDs or user names representing the PAM services that are to be trusted by SSSD. The default setting is all, which means all service users are trusted and can access any domain.
pam_public_domains in /etc/sssd/sssd.conf
- This option accepts a list of public SSSD domains. Public domains are domains accessible even for untrusted PAM service users. The option also accepts the all and none values. The default value is none, which means no domains are public and untrusted service users therefore cannot access any domain.
domains for PAM configuration files
- This option specifies a list of domains against which a PAM service can authenticate. If you use domains without specifying any domain, the PAM service will not be able to authenticate against any domain, for example:
auth required pam_sss.so domains=
If domains is not used in the PAM configuration file, the PAM service is able to authenticate against all domains, on the condition that the service is running under a trusted user.
The domains option in the /etc/sssd/sssd.conf SSSD configuration file also specifies a list of domains to which SSSD attempts to authenticate. Note that the domains option in a PAM configuration file cannot extend the list of domains in sssd.conf; it can only restrict the sssd.conf list of domains by specifying a shorter list. Therefore, if a domain is specified in the PAM file but not in sssd.conf, the PAM service will not be able to authenticate against the domain.
The default settings pam_trusted_users = all and pam_public_domains = none specify that all PAM service users are trusted and can access any domain. The domains option for PAM configuration files can be used in this situation to restrict the domains that can be accessed.
If you specify a domain using domains in the PAM configuration file while pam_public_domains is also set, it might be required to specify the domain in pam_public_domains as well. If pam_public_domains is used but does not include the required domain, the PAM service will not be able to successfully authenticate against the domain if it is running under an untrusted user.
Domain restrictions defined in a PAM configuration file only apply to authentication actions, not to user lookups.
For more information about the pam_trusted_users and pam_public_domains options, see the sssd.conf(5) man page. For more information about the domains option used in PAM configuration files, see the pam_sss(8) man page.
Example 10.2. Restricting Domains for a PAM Service
To restrict the domains against which a PAM service can authenticate:
- Make sure SSSD is configured to access the required domain or domains. The domains against which SSSD can authenticate are defined in the domains option in the /etc/sssd/sssd.conf file. For example:
[sssd]
domains = domain1, domain2, domain3
- Specify the domain or domains to which a PAM service will be able to authenticate. To do this, set the domains option in the PAM configuration file. For example:
auth sufficient pam_sss.so forward_pass domains=domain1
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
The PAM service is now only allowed to authenticate against
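As an added audit check, not part of this guide or of SSSD itself, the following Python script applies the rules described above (pam_trusted_users, pam_public_domains, the domains option in the PAM file, and the rule that a PAM file can only shrink the sssd.conf list) to a constructed sssd.conf and PAM service file, and reports which domains a given service user can authenticate against. The parsing is a simplification: it reads only the pam_sss.so auth line and does not resolve UIDs to user names.

```python
import configparser
import shlex
# Constructed stand-ins for /etc/sssd/sssd.conf and /etc/pam.d/<service>.
SSSD_CONF = """\
[sssd]
domains = domain1, domain2, domain3
pam_trusted_users = root, ftpadmin
pam_public_domains = domain3
"""
PAM_FTP = """\
auth     sufficient pam_sss.so forward_pass domains=domain1,domain3
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
"""

def _split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def parse_sssd_conf(text):
    """Read the [sssd] options this section describes, applying their defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sssd = cp["sssd"]
    return {"domains": _split_list(sssd.get("domains", "")),
            "pam_trusted_users": _split_list(sssd.get("pam_trusted_users", "all")),
            "pam_public_domains": _split_list(sssd.get("pam_public_domains", "none"))}

def pam_auth_domains_option(pam_text):
    """domains= list on the pam_sss.so auth line; [] for bare 'domains='; None if absent."""
    for line in pam_text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3 and fields[0] == "auth" and "pam_sss.so" in fields:
            for arg in fields[fields.index("pam_sss.so") + 1:]:
                if arg.startswith("domains="):
                    return _split_list(arg[len("domains="):])
    return None

def effective_auth_domains(sssd_conf_text, pam_text, service_user):
    """Domains reachable for authentication by a service running as service_user."""
    conf = parse_sssd_conf(sssd_conf_text)
    allowed = list(conf["domains"])             # PAM can only shrink this list
    restrict = pam_auth_domains_option(pam_text)
    if restrict is not None:                    # names not in sssd.conf drop out
        allowed = [d for d in allowed if d in restrict]
    trusted = conf["pam_trusted_users"]         # names or UID strings; no UID lookup
    if "all" in trusted or str(service_user) in trusted:
        return allowed
    public = conf["pam_public_domains"]         # untrusted user: public domains only
    return allowed if "all" in public else [d for d in allowed if d in public]
```

Running it with `effective_auth_domains(SSSD_CONF, PAM_FTP, "ftp")` shows the untrusted FTP user limited to domain3 even though the PAM file lists domain1 as well.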