John Hodrien <[email protected]> wrote on 2014/09/25 15:06:16:
> 
> On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
> 
> > John Hodrien <[email protected]> wrote on 2014/09/25 11:22:52:
> 
> > How is local root pw any different than domain pw? In your view remote 
root
> > access is a big nono so sssd should also enforce no remote root login 
in
> > that case.  I have no problem using local root pw when I known what it 
is
> > but I don't care to memorize them all, besides users can change local 
root
> > pw.
> 
> It isn't, but sssd isn't in a position to enforce it for local accounts. 
 ssh

But you argue strongly for never allowing remote root login to the degree
that you have forcefully disabled root login in sssd. Then it is 
reasonably
you should also do your best to disallow local root pw login. You could
scan sshd, PAM, securetty etc. and simply refuse to start if sssd finds
that local root pw is allowed over the network.

> is, which is why ssh provides the option:
> 
> AllowRoot without-password

Why would I want to enable that?

> 
> If users change local root passwords they can equally well break sssd.
> They're unlikely to remove an authorized_keys file, and if they do, 
discipline
> them.  I can't see what advantage you have using a network root 
credential
> over an ssh key, or a kerberos ticket.
> 
> > You just said it: "best practice", not a law. In this context, sssd 
dictates
> > policy and that is not sssd's call to make IMHO. You should encourage 
best
> > practice though.  One day we will get there but not today :)
> 
> SSSD dictates what it does to be safe.  I've no problem with that 
default.

It is not a default, there is no choice

> 
> > Finally, why are you not up front with this policy? Nowhere I can find 
is
> > this documented and since this is a unusual enforcement you should 
document
> > this limitation with "big letters" so everyone is aware beforehand, it 
sure
> > would have saved me a lot of time.
> 
> It might be worth forgiving sssd a little here.
> 
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> 
> You've almost certainly got something like this in pam.  Don't accept 
network
> auth for local system accounts is a normal PAM policy.

That is a choice I got in PAM, sssd offers no choice.

Still, I don't see how the above somehow documents sssd's
"no root login whatsoever" policy. The docs actually hints the
opposite:
filter_users, filter_groups (string) 
Exclude certain users from being fetched from the sss NSS database. This 
is particularly useful for system accounts. This option can also be set 
per-domain or include fully-qualified names to filter only users from the 
particular domain. 
Default: root 

This make me think I only have to add an empty filter_users to allow root 

    Jocke
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Reply via email to