Hi, while working on the hardening wiki page, I realized the pam_trusted_users option can be improved. Please see the attached patch.
From ac09c8dabb706ad1a870354a2879eb899d17c5fc Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Wed, 30 Sep 2015 09:33:17 +0200
Subject: [PATCH] MAN: Clarify pam_trusted_users option description
--- src/man/sssd.conf.5.xml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 0ab4381819fa2f47e9a4bfb4897cb94144b96ff8..21acb63805c3906859130222cf335ad53be5894a 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -927,14 +927,18 @@ fallback_homedir = /home/%u <term>pam_trusted_users (string)</term> <listitem> <para> - Specifies the comma-separated list of UID values or - user names that are allowed to access the PAM - responder. User names are resolved to UIDs at + Specifies the comma-separated list of UID + values or user names that are allowed to run + PAM conversations against trusted domains. + Users not included in this list can only access + domains marked as public with + <quote>pam_public_domains</quote>. + User names are resolved to UIDs at startup. </para> <para> - Default: all (All users are allowed to access - the PAM responder) + Default: All users are considered trusted + by default </para> <para> Please note that UID 0 is always allowed to access -- 2.4.3
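Review bot: In the hunk's first replaced paragraph, "run PAM conversations against trusted domains" introduces the term "trusted domains" without defining it, while the following sentence defines the complement through pam_public_domains; since the only distinction the text actually draws is membership in pam_public_domains, state it directly, e.g. "that are allowed to run PAM conversations against domains not listed in pam_public_domains", so the reader does not have to infer the meaning from the next sentence. Also, the new "Default:" line reads "All users are considered trusted by default", which repeats "default" inside a line already labelled Default:; the previous form kept the literal value first ("Default: all (...)"), which is the convention used by the other options in this man page, so prefer "Default: all (all users are considered trusted)".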
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel