SSSD / sssd

Clone

fb10668 PAM: Check for trusted domain before sending the request to BE

Authored and Committed by jhrozek 9 years ago
raw patch tree parent
1 file changed. 26 lines added. 41 lines removed.
src/responder/pam/pamsrv_cmd.c
file modified
+26 -41 
    PAM: Check for trusted domain before sending the request to BE
    
    https://fedorahosted.org/sssd/ticket/2501
    
    Moving the checks to one place has the advantage of not duplicating
    security decisions. Previously, the checks were scattered all over the
    responder code, making testing hard.
    
    The disadvantage is that we actually check for the presence of the user,
    which might trigger some back end lookups. But I think the benefits
    overweight the disadvantage.
    
    Also only check the requested domains from a trusted client. An untrusted
    client should simply have no say in what domains he wants to talk to, it
    should ignore the 'domains' option.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
file modified
+26 -41
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.