URL: https://github.com/SSSD/sssd/pull/275
Title: #275: Implement access verification by rhost using ldap_access_order rhost option

akamensky commented:
"""
For the DNS/rDNS verification I am considering implementing the following (bearing in mind [RFC 1912](https://tools.ietf.org/html/rfc1912)):

0. Documentation must **explicitly** state that use of DNS/rDNS is going to introduce delays and should be used with caution, and recommend setting `UseDNS no` in `sshd_conf` to avoid problems with non-matching rDNS.
1. If PAM provides an IP address (IPv4 or IPv6) as rhost, then use it directly. If PAM provides a hostname, resolve it to an IP address (IPv4 and/or IPv6) using forward resolution (as per the RFC 1912 recommendation for FCrDNS) and use this IP address directly.
2. Relevant LDAP records must be prepended with a record type identifier in the form `[!]identifier:record`. Allowed identifiers are `ip4|ip6|host`. For example, the record `host:host1.example.com` allows access from the host with DNS record host1.example.com, and `!ipv4:192.0.0.1` denies access from the rhost with IPv4 address 192.0.0.1. This is to spare some time on figuring out whether a record is a valid IPv4/IPv6 address or a hostname.
3. Additional configuration option `ldap_authorized_rhost_use_dns = <bool> (Default: False)`. This option would enable/disable the use of DNS/rDNS in the verification process.
   1. If disabled, whatever is received from the LDAP record is matched as-is to whatever is received from PAM as the user's rhost (without the resolution mentioned in point 1 and ignoring the identifier from point 2).
   2. When enabled, the following logic would be applied:
      1. If the LDAP record is an IPv4 or IPv6 address, match it against rhost (IPv4 or IPv6).
      2. If the LDAP record is a hostname, then perform forward resolution of that hostname to IP address(es) (v4 and/or v6), then match the resulting addresses against rhost. If both v4 and v6 IP addresses are available in rhost (after the resolution in point 1), then each one must match (i.e. strict matching).

Please let me know if that is good, or if any adjustments to this are needed (e.g. throw away point 2 and attempt to check the type of record inside SSSD)?

I will hold off on the implementation until I get feedback on these.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/275#issuecomment-315590636
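The matching rules sketched in the comment above, written out as an added, stand-alone illustration. This is not SSSD code and not the PR's implementation; it only shows how points 1, 2 and 3 of the proposal fit together and where the decision fails closed. Assumptions made here and not stated in the comment: a matching `!` record denies regardless of its position in the list; a user with no matching positive record is denied; a record whose identifier disagrees with its literal (for example `ip4:` in front of an IPv6 address) is treated as non-matching rather than as an error; identifiers follow the comment's list `ip4|ip6|host` (its own example writes `ipv4`); and forward DNS is replaced by a constructed lookup table so the code runs offline. Function names, the table, and the address values are all constructed for this example.

```python
import ipaddress
from typing import Callable, Iterable, List, Set, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# A forward resolver: hostname -> iterable of address strings (A and/or AAAA records).
Resolver = Callable[[str], Iterable[str]]

ALLOWED_IDENTIFIERS = ("ip4", "ip6", "host")


def parse_record(record: str) -> Tuple[bool, str, str]:
    """Split an LDAP value of the form '[!]identifier:value' (proposal point 2).

    Returns (negated, identifier, value). A value without the identifier prefix,
    or with an unknown identifier, is rejected outright so that a malformed
    entry can never silently grant access.
    """
    negated = record.startswith("!")
    body = record[1:] if negated else record
    ident, sep, value = body.partition(":")
    if not sep or ident not in ALLOWED_IDENTIFIERS or not value:
        raise ValueError(f"malformed rhost record: {record!r}")
    return negated, ident, value


def _to_addresses(literals: Iterable[str]) -> Set[IPAddr]:
    """Parse address strings, dropping anything that is not a valid IP literal."""
    out: Set[IPAddr] = set()
    for item in literals:
        try:
            out.add(ipaddress.ip_address(item))
        except ValueError:
            continue
    return out


def rhost_addresses(rhost: str, resolver: Resolver) -> Set[IPAddr]:
    """Proposal point 1: an IP literal is used as-is, a hostname is forward-resolved."""
    try:
        return {ipaddress.ip_address(rhost)}
    except ValueError:
        return _to_addresses(resolver(rhost))  # empty set if the name does not resolve


def record_matches(ident: str, value: str, rhost_addrs: Set[IPAddr], resolver: Resolver) -> bool:
    """Proposal point 3.2: match one parsed record against the rhost addresses."""
    if ident in ("ip4", "ip6"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False  # not an address literal: never matches
        if addr.version != (4 if ident == "ip4" else 6):
            return False  # identifier disagrees with the literal (assumption: non-matching)
        return addr in rhost_addrs
    # ident == "host": resolve the record's name, then strict matching (point 3.2.2):
    # every address the rhost has must appear among the record's resolved addresses.
    resolved = _to_addresses(resolver(value))
    return bool(rhost_addrs) and rhost_addrs <= resolved


def rhost_allowed(rhost: str, records: List[str], resolver: Resolver, use_dns: bool = True) -> bool:
    """Decide access for one PAM rhost against the user's LDAP rhost records.

    Assumption of this example: a matching '!' record denies wherever it sits in
    the list, and no matching positive record means deny.
    """
    rhost_addrs = rhost_addresses(rhost, resolver) if use_dns else set()
    allowed = False
    for record in records:
        negated, ident, value = parse_record(record)
        if use_dns:
            matched = record_matches(ident, value, rhost_addrs, resolver)
        else:
            # Proposal point 3.1: compare the record value to the PAM rhost string
            # as-is, with no resolution and the identifier ignored.
            matched = value == rhost
        if matched and negated:
            return False
        allowed = allowed or matched
    return allowed


# Constructed table standing in for forward DNS so the example runs offline
# (documentation address ranges, not real hosts).
CONSTRUCTED_DNS = {
    "host1.example.com": ["192.0.2.10", "2001:db8::10"],  # dual-stack host
    "host2.example.com": ["192.0.2.20"],                  # IPv4-only host
}


def constructed_resolver(name: str) -> List[str]:
    return CONSTRUCTED_DNS.get(name, [])


if __name__ == "__main__":
    rules = ["host:host1.example.com", "ip4:192.0.2.20", "!ip4:192.0.2.10"]
    for rhost in ("192.0.2.10", "host1.example.com", "192.0.2.20", "unknown.example.com"):
        verdict = "allow" if rhost_allowed(rhost, rules, constructed_resolver) else "deny"
        print(f"{rhost} -> {verdict}")
```

Two behaviours worth noting: an rhost hostname that does not resolve yields an empty address set and therefore matches no `host:` record (the subset test requires at least one address), and a dual-stack rhost is only admitted when both of its addresses are covered by the record's forward resolution, which is the strict matching of point 3.2.2.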
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org