Chapter 9. Restricting domains for PAM services using SSSD
Pluggable authentication modules (PAMs) are a common framework for authentication and authorization. Most system applications in Red Hat Enterprise Linux depend on underlying PAM configuration for authentication and authorization.
System Security Services Daemon (SSSD) enables you to restrict which domains PAM services can access. SSSD evaluates authentication requests from PAM services based on the user that runs the particular PAM service. This means that if the PAM service user can access an SSSD domain, the PAM service can also access that domain.
9.1. About PAM
Pluggable Authentication Modules (PAMs) provide a centralized authentication mechanism, which a system application can use to relay authentication to a centrally configured framework.
PAM is pluggable because a PAM module exists for different types of authentication sources, such as Kerberos, SSSD, NIS, or the local file system. You can prioritize different authentication sources.
This modular architecture offers administrators a great deal of flexibility in setting authentication policies for the system. PAM is a useful system for developers and administrators for several reasons:
- PAM provides a common authentication scheme, which can be used with a wide variety of applications.
- PAM provides significant flexibility and control over authentication for system administrators.
- PAM provides a single, fully-documented library, which allows developers to write programs without having to create their own authentication schemes.
9.2. Domain-access restriction options
The following options are available to restrict access to selected domains:
pam_trusted_users in /etc/sssd/sssd.conf
This option accepts a list of numerical UIDs or user names representing the PAM services that SSSD trusts. The default setting is all, which means all service users are trusted and can access any domain.
pam_public_domains in /etc/sssd/sssd.conf
This option accepts a list of public SSSD domains. Public domains are domains accessible even for untrusted PAM service users. The option also accepts the all and none values. The default value is none, which means no domains are public and untrusted service users cannot access any domain.
domains for PAM configuration files
This option specifies a list of domains against which a PAM service can authenticate. If you use domains without specifying any domain, the PAM service will not be able to authenticate against any domain, for example:
auth required pam_sss.so domains=
If the PAM configuration file does not use domains, the PAM service is able to authenticate against all domains when that service is running under a trusted user.
The domains option in the /etc/sssd/sssd.conf SSSD configuration file also specifies a list of domains to which SSSD attempts to authenticate. Note that the domains option in a PAM configuration file cannot extend the list of domains in sssd.conf; it can only restrict the sssd.conf list of domains by specifying a shorter list. Therefore, if a domain is specified in the PAM file but not in sssd.conf, the PAM service cannot authenticate against that domain.
The default settings pam_trusted_users = all and pam_public_domains = none specify that all PAM service users are trusted and can access any domain. Using the domains option for PAM configuration files restricts the access to the domains.
When you specify a domain with the domains option in a PAM configuration file and pam_public_domains is set, that domain must also be listed in pam_public_domains. If pam_public_domains is set but does not include the required domain, a PAM service running under an untrusted user cannot authenticate against that domain.
Domain restrictions defined in a PAM configuration file apply to authentication actions only, not to user lookups.
For more details on the pam_trusted_users and pam_public_domains options, see the
For more details on the domains option used in PAM configuration files, see the
9.3. Restricting domains for a PAM service
This procedure shows how to restrict the domains against which a PAM service can authenticate.
- SSSD installed and running.
Configure SSSD to access the required domain or domains. Define the domains against which SSSD can authenticate in the domains option in the /etc/sssd/sssd.conf file:
[sssd]
domains = domain1, domain2, domain3
Specify the domain or domains to which a PAM service can authenticate by setting the domains option in the PAM configuration file. For example:
auth sufficient pam_sss.so forward_pass domains=domain1
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
In this example, you allow the PAM service to authenticate against domain1, and that authentication must be successful.
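As an added example (not part of this documentation or of SSSD itself), the following Python script models the precedence rules from sections 9.2 and 9.3 on a constructed sssd.conf and pam_sss.so line, so you can check which domains a given service user ends up with before touching a live system; the domain names, service users and file contents are assumptions.

```python
import configparser

# Constructed sample configuration (not from a real system): three domains,
# two trusted service users (a name and a UID), and one public domain.
SSSD_CONF = """
[sssd]
domains = domain1, domain2, domain3
[pam]
pam_trusted_users = root, 1001
pam_public_domains = domain2
"""
# Constructed PAM line restricting the service to two of the three domains.
PAM_LINE = "auth sufficient pam_sss.so forward_pass domains=domain1,domain2"

def _split(value):
    """Turn 'a, b' into ['a', 'b']; an empty string yields []."""
    return [v.strip() for v in value.split(",") if v.strip()]

def pam_domains_arg(pam_line):
    """domains= list from a pam_sss.so line ([] for bare 'domains='), or None."""
    for arg in pam_line.split():
        if arg.startswith("domains="):
            return _split(arg[len("domains="):])
    return None   # option absent: no PAM-side restriction

def allowed_domains(sssd_conf, pam_line, service_user):
    """Domains a PAM service running as service_user may authenticate against."""
    cfg = configparser.ConfigParser()
    cfg.read_string(sssd_conf)
    sssd_domains = _split(cfg.get("sssd", "domains", fallback=""))
    trusted = cfg.get("pam", "pam_trusted_users", fallback="all")
    public = cfg.get("pam", "pam_public_domains", fallback="none")
    # Step 1: the sssd.conf trusted/public rules decide the starting set.
    if trusted == "all" or str(service_user) in _split(trusted):
        candidates = sssd_domains          # trusted service user: any domain
    elif public == "all":
        candidates = sssd_domains          # every domain is public
    elif public == "none":
        candidates = []                    # untrusted user, nothing public
    else:
        candidates = [d for d in sssd_domains if d in _split(public)]
    # Step 2: domains= in the PAM file can only narrow that set; a domain
    # named there but absent from sssd.conf is dropped, not added.
    restriction = pam_domains_arg(pam_line)
    if restriction is not None:
        candidates = [d for d in candidates if d in restriction]
    return candidates
```

Calling allowed_domains(SSSD_CONF, PAM_LINE, "sshd") returns only the public domain2, while the same call for "root" or UID 1001 returns both domains named in the PAM line.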