Chapter 9. Restricting domains for PAM services using SSSD
Pluggable authentication modules (PAMs) are a common framework for authentication and authorization. Most system applications in Red Hat Enterprise Linux depend on underlying PAM configuration for authentication and authorization.
System Security Services Daemon (SSSD) enables you to restrict which domains PAM services can access. SSSD evaluates authentication requests from PAM services based on the user that runs the particular PAM service. This means, if the PAM service user can access an SSSD domain then the PAM service also can access that domain.
9.1. About PAM
Pluggable Authentication Modules (PAMs) provide a centralized authentication mechanism, which a system application can use to relay authentication to a centrally configured framework.
PAM is pluggable because a PAM module exists for different types of authentication sources, such as Kerberos, SSSD, NIS, or the local file system. You can prioritize different authentication sources.
This modular architecture offers administrators a great deal of flexibility in setting authentication policies for the system. PAM is a useful system for developers and administrators for several reasons:
- PAM provides a common authentication scheme, which can be used with a wide variety of applications.
- PAM provides significant flexibility and control over authentication for system administrators.
- PAM provides a single, fully-documented library, which allows developers to write programs without having to create their own authentication schemes.
9.2. Domain-access restriction options
The following options are available to restrict access to selected domains:
pam_trusted_users
in/etc/sssd/sssd.conf
-
This option accepts a list of numerical UIDs or user names representing the PAM services that SSSD trusts. The default setting is
all
, which means all service users are trusted and can access any domain. pam_public_domains
in/etc/sssd/sssd.conf
-
This option accepts a list of public SSSD domains. Public domains are domains accessible even for untrusted PAM service users. The option also accepts the
all
andnone
values. The default value isnone
, which means no domains are public and untrusted service users cannot access any domain. domains
for PAM configuration filesThis option specifies a list of domains against which a PAM service can authenticate. If you use
domains
without specifying any domain, the PAM service will not be able to authenticate against any domain, for example:auth required pam_sss.so domains=
If the PAM configuration file uses
domains
, the PAM service is able to authenticate against all domains when that service is running under a trusted user.The
domains
option in the/etc/sssd/sssd.conf
SSSD configuration file also specifies a list of domains to which SSSD attempts to authenticate. Note that thedomains
option in a PAM configuration file cannot extend the list of domains insssd.conf
, it can only restrict thesssd.conf
list of domains by specifying a shorter list. Therefore, if a domain is specified in the PAM file but not insssd.conf
, the PAM service cannot authenticate against the domain.
The default settings pam_trusted_users = all
and pam_public_domains = none
specify that all PAM service users are trusted and can access any domain. Using the domains
option for PAM configuration files restricts the access to the domains.
Specifying a domain using domains
in the PAM configuration file while sssd.conf
contains pam_public_domains
also requires to specify the domain in pam_public_domains
. The pam_public_domains
option without including the required domain leads the PAM service to unsuccessful authentication against the domain in case this service is running under an untrusted user.
Domain restrictions defined in a PAM configuration file apply to authentication actions only, not to user lookups.
Additional resources
-
For more details on the
pam_trusted_users
andpam_public_domains
options, see thesssd.conf(5)
man page. -
For more details on the
domains
option used in PAM configuration files, see thepam_sss(8)
man page.
9.3. Restricting domains for a PAM service
This procedure shows how to restrict a PAM service authentication against the domains.
Prerequisites
- SSSD installed and running.
Procedure
Configure SSSD to access the required domain or domains. Define the domains against which SSSD can authenticate in the
domains
option in the/etc/sssd/sssd.conf
file:[sssd] domains = domain1, domain2, domain3
Specify the domain or domains to which a PAM service can authenticate by setting the
domains
option in the PAM configuration file. For example:auth sufficient pam_sss.so forward_pass domains=domain1 account [default=bad success=ok user_unknown=ignore] pam_sss.so password sufficient pam_sss.so use_authtok
In this example, you allow the PAM service to authenticate against
domain1
only.
Verification steps
-
Authenticate against
domain1
. It must be successful.