Chapter 9. Restricting domains for PAM services using SSSD

Pluggable authentication modules (PAMs) are a common framework for authentication and authorization. Most system applications in Red Hat Enterprise Linux depend on underlying PAM configuration for authentication and authorization.

System Security Services Daemon (SSSD) enables you to restrict which domains PAM services can access. SSSD evaluates authentication requests from PAM services based on the user that runs the particular PAM service. This means, if the PAM service user can access an SSSD domain then the PAM service also can access that domain.

9.1. About PAM

Pluggable Authentication Modules (PAMs) provide a centralized authentication mechanism, which a system application can use to relay authentication to a centrally configured framework.

PAM is pluggable because a PAM module exists for different types of authentication sources, such as Kerberos, SSSD, NIS, or the local file system. You can prioritize different authentication sources.

This modular architecture offers administrators a great deal of flexibility in setting authentication policies for the system. PAM is a useful system for developers and administrators for several reasons:

  • PAM provides a common authentication scheme, which can be used with a wide variety of applications.
  • PAM provides significant flexibility and control over authentication for system administrators.
  • PAM provides a single, fully-documented library, which allows developers to write programs without having to create their own authentication schemes.

9.2. Domain-access restriction options

The following options are available to restrict access to selected domains:

pam_trusted_users in /etc/sssd/sssd.conf
This option accepts a list of numerical UIDs or user names representing the PAM services that SSSD trusts. The default setting is all, which means all service users are trusted and can access any domain.
pam_public_domains in /etc/sssd/sssd.conf
This option accepts a list of public SSSD domains. Public domains are domains accessible even for untrusted PAM service users. The option also accepts the all and none values. The default value is none, which means no domains are public and untrusted service users cannot access any domain.
domains for PAM configuration files

This option specifies a list of domains against which a PAM service can authenticate. If you use domains without specifying any domain, the PAM service will not be able to authenticate against any domain, for example: 

auth     required   pam_sss.so domains=

If the PAM configuration file uses domains, the PAM service is able to authenticate against all domains when that service is running under a trusted user.

The domains option in the /etc/sssd/sssd.conf SSSD configuration file also specifies a list of domains to which SSSD attempts to authenticate. Note that the domains option in a PAM configuration file cannot extend the list of domains in sssd.conf, it can only restrict the sssd.conf list of domains by specifying a shorter list. Therefore, if a domain is specified in the PAM file but not in sssd.conf, the PAM service cannot authenticate against the domain.

The default settings pam_trusted_users = all and pam_public_domains = none specify that all PAM service users are trusted and can access any domain. Using the domains option for PAM configuration files restricts the access to the domains.

Specifying a domain using domains in the PAM configuration file while sssd.conf contains pam_public_domains also requires to specify the domain in pam_public_domains. The pam_public_domains option without including the required domain leads the PAM service to unsuccessful authentication against the domain in case this service is running under an untrusted user.

Note

Domain restrictions defined in a PAM configuration file apply to authentication actions only, not to user lookups.

Additional resources

  • For more details on the pam_trusted_users and pam_public_domains options, see the sssd.conf(5) man page.
  • For more details on the domains option used in PAM configuration files, see the pam_sss(8) man page.

9.3. Restricting domains for a PAM service

This procedure shows how to restrict a PAM service authentication against the domains.

Prerequisites

  • SSSD installed and running.

Procedure

  1. Configure SSSD to access the required domain or domains. Define the domains against which SSSD can authenticate in the domains option in the /etc/sssd/sssd.conf file: 

    [sssd]
domains = domain1, domain2, domain3

  2. Specify the domain or domains to which a PAM service can authenticate by setting the domains option in the PAM configuration file. For example: 

    auth        sufficient    pam_sss.so forward_pass domains=domain1
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_sss.so use_authtok

    In this example, you allow the PAM service to authenticate against domain1 only.

Verification steps

  • Authenticate against domain1. It must be successful.