
Use S4U2Self transition for non-GSSAPI sessions #5043


Description

@sssd-bot

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/4077


Currently, SSSD retrieves PAC information for any authentication that was initiated using GSSAPI. However, when another application performed the authentication using a non-GSSAPI method and SSSD only performs authorization in the PAM stack, information about this fact is not passed to the central authentication authority. This makes it harder to account for user logons in policies like 'Remove stale accounts which did not log in for X days'.

If SSSD receives a PAM stack request in the session stage and it didn't perform the actual authentication for this request, it could do an S4U2Self request to acquire a ticket to itself (host/...) on behalf of the user authenticated by the application. This would allow cases like SSH public key authentication to be visible to the KDC (the FreeIPA KDC, for example) and to appear in the audit trail.

Comments


Comment from simo at 2019-09-05 22:21:35

Shouldn't s4u2self be done in access stage ?


Comment from abbra at 2019-09-05 22:59:20

I was thinking about session (in terms of PAM stages) because this is the stage where audit is done. pam_acct_mgmt is at 'account' stage -- there is no access stage, per se.


Comment from sbose at 2019-09-06 08:07:46

> I was thinking about session (in terms of PAM stages) because this is the stage where audit is done. pam_acct_mgmt is at 'account' stage -- there is no access stage, per se.

pam_acct_mgmt is the stage where access control happens, and all PAM-enabled services should call it, because otherwise no access control will happen at all.

Btw, a cron job of a user will call pam_acct_mgmt() and pam_session(), so you just have to start a cron job and your account will never expire.


Comment from sbose at 2019-10-18 14:00:25

Metadata Update from @sbose:

  • Issue assigned to sbose

Comment from thalman at 2019-10-18 14:22:18

Issue linked to Bugzilla: Bug 1763180


Comment from thalman at 2020-03-13 15:48:15

Metadata Update from @thalman:

  • Issue tagged with: bugzilla
