#4077 Use S4U2Self transition for non-GSSAPI sessions
Opened 5 months ago by abbra. Modified 4 months ago

Currently, SSSD does retrieve PAC information for any authentication that was initiated using GSSAPI. However, for the situation when another application did perform the authentication using a non-GSSAPI method and SSSD does perform authorization in the PAM stack, information about this fact is not passed to the central authentication authority. This makes it harder to account for user logons for policies like 'Remove stale accounts which did not login X days'.

If SSSD receives a PAM stack request in the session stage and it didn't perform the actual authentication for this request, it could do an S4U2Self request to acquire a ticket to itself (host/...) on behalf of the user authenticated by the application. This would allow cases like SSH public key authentication to be visible to the KDC (FreeIPA KDC, for example) and appear in the audit trail.


Shouldn't s4u2self be done in the access stage?

I was thinking about session (in terms of PAM stages) because this is the stage where audit is done. pam_acct_mgmt is at 'account' stage -- there is no access stage, per se.


pam_acct_mgmt is the stage where access control is happening, and all PAM-enabled services should call it because otherwise no access control will happen at all.

Btw, a cron job of a user will call pam_acct_mgmt() and pam_session(), so you just have to start a cron job and your account will never expire.

Metadata Update from @sbose:
- Issue assigned to sbose

4 months ago

Metadata Update from @thalman:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1763180

4 months ago

