On Sun, 3 Aug 2014 01:28:11 -0700 Jan Pazdziora <[email protected]> wrote:
> On Sun, Aug 03, 2014 at 10:08:03AM +0200, Daniel Gollub wrote: > > > > This proposed patch is not changing the existing sssd/pam_sss > > behavior if a domain in login is required or not. If the sssd > > option "use_fully_qualified_names" is false (default) then both will > > work. If set to true, the domain needs to be specified. > > > > If the PAM service is using domains=emea.example,hq.example.com and > > someone tries to sneak in by authenticating with: > > [email protected] ... this will not work. The sssd pam responder > > code - with this patch applied - is intended to completely skip any > > other domain which is not set by the domains= argument. > > My concern is this -- if we are going to harden the list of domains > that will be used for authentication (or identity operations), > it would be good to find a way to also make it possible for the > application using the PAM stack to find out which domain (and thus > which identity) sssd actually used. So for "login", was it > "[email protected]" or "[email protected]" that was used? > > Do we have a way to return the information to the application? > Maybe via pam_putenv or even putenv? There seems to be already interfaces to put information from the responder side easily to the responder message information which later get then set by the pam_sss client either as pam_putenv or putenv or both. So we could set something like that: SSSD_DOMAIN=emea.example.com ... as pamenv or regular environment variable - or both. Would we want to have this configurable - if the environment would be set? If so, do we want to have this in sssd.conf or via pam_sss modules arguments? _______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
