#4077 Use S4U2Self transition for non-GSSAPI sessions
Closed: cloned-to-github 3 years ago by pbrezina. Opened 4 years ago by abbra.

Currently, SSSD retrieves PAC information for any authentication that was initiated using GSSAPI. However, in the situation where another application performed the authentication using a non-GSSAPI method and SSSD performs authorization in the PAM stack, information about this fact is not passed to the central authentication authority. This makes it harder to account for user logons in policies like 'Remove stale accounts which did not log in for X days'.

If SSSD receives a PAM stack request in the session stage and it didn't perform the actual authentication for this request, it could issue an S4U2Self request to acquire a ticket to itself (host/...) on behalf of the user authenticated by the application. This would allow cases like SSH public key authentication to be visible to the KDC (the FreeIPA KDC, for example) and appear in the audit trail.


Shouldn't S4U2Self be done in the access stage?

I was thinking about session (in terms of PAM stages) because this is the stage where audit is done. pam_acct_mgmt is at 'account' stage -- there is no access stage, per se.

pam_acct_mgmt is the stage where access control happens, and all PAM-enabled services should call it, because otherwise no access control will happen at all.

Btw, a cron job of a user will call pam_acct_mgmt() and pam_session(), so you just have to start a cron job and your account will never expire.

Metadata Update from @sbose:
- Issue assigned to sbose

4 years ago

Metadata Update from @thalman:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1763180

4 years ago

Metadata Update from @thalman:
- Issue tagged with: bugzilla

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5043

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for your understanding. We apologize for any inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

3 years ago