SSSD does not manage other applications' sessions; it is up to the admin (or the software) to deal with "mid-stream" removal of authorization.

If the admins deem this change in group membership a security measure (user got fired, or account compromised), then it is the admin's job to jump on all machines that he cares for and terminate the user's sessions.

HTH,
Simo.

On Wed, 2020-02-19 at 08:25 +0000, Hristina Marosevic wrote:
> Hello,
>
> I installed and configured SSSD with LDAP server OUD (Oracle Unified
> Directory). Everything works fine so far, except for one thing which I
> consider as a vulnerability.
> I just found out that there is a potential security hole which is the old
> session of a user who lost his authorization.
> Generic example:
> User1 has to belong to the LDAP group sshUsers which is configured as an
> access filter on the SSSD client in order to be authorized (after the
> successful authentication) for access to the remote linux machine, where the
> SSSD client is installed.
> User1 is a member of the LDAP group sshUsers and logs in to the remote linux
> machine.
> After the successful login of User1 to the remote linux machine, its
> membership in the LDAP group sshUsers is removed, i.e. User1 loses its
> authorization to access the remote linux machine.
> What happens as a result is:
> 1. The active ssh connection of User1 to the remote linux machine which was
> established before he lost his authorization is still active!!
> 2. User1 (after he lost his authorization) can not login to the remote linux
> machine anymore - this is okay.
>
> Security hole - explained in 1.
>
> Can you please explain to me if there is a possibility for SSSD to manage the
> sessions, how to do that? If this is not possible (when using OUD) should it
> be proposed as a bug?
> Other than that, how is session managed on the OS layer?
>
> Thank you!
> BR,
> Hristina

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
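One way to carry out the "terminate the user's sessions" step Simo describes on each machine, as an added example that is not from this thread or from the SSSD project: a POSIX shell helper that compares the users with active logins against the current members of the authorizing group (sshUsers, as in Hristina's setup) resolved through NSS, and terminates the sessions of anyone who is no longer a member. It assumes systemd-logind (`loginctl`) for session teardown, with `pkill` as a fallback, and that `getent group` lists the group's secondary members; the function and group names are this example's own.

```shell
#!/bin/sh
# Added example: enforce group-based authorization against live sessions.
# Assumes group membership is resolved by SSSD through NSS (getent).

# users_not_in_group GROUP_LINE LOGGED_IN_USERS
#   GROUP_LINE       one line in getent(1) group format: name:x:gid:m1,m2
#   LOGGED_IN_USERS  whitespace-separated login names with active sessions
# Prints each logged-in user who is absent from the member list, one per line.
# Caveat: users whose *primary* GID is this group do not appear in the
# member field and would be reported here; handle them separately.
users_not_in_group() {
    _members=$(printf '%s' "$1" | cut -d: -f4 | tr ',' '\n')
    for _u in $2; do
        if ! printf '%s\n' "$_members" | grep -qx -- "$_u"; then
            printf '%s\n' "$_u"
        fi
    done
}

# enforce_group_membership [GROUP]   (needs root on the target machine)
# Resolves GROUP via NSS, lists users with open sessions, and terminates the
# sessions of those who are no longer members. Run it on every machine the
# revoked user could still be logged in to.
enforce_group_membership() {
    _group=${1:-sshUsers}
    _line=$(getent group "$_group") || {
        echo "group $_group not found via NSS" >&2; return 1; }
    _active=$(who | awk '{print $1}' | sort -u | tr '\n' ' ')
    for _u in $(users_not_in_group "$_line" "$_active"); do
        echo "terminating sessions of $_u (no longer in $_group)"
        loginctl terminate-user "$_u" 2>/dev/null || pkill -KILL -u "$_u"
    done
}

# Usage on a host:  enforce_group_membership sshUsers
```

Run it from a cron job or an ad-hoc push over all hosts after a membership change; note that `who` also lists the admin's own session, so the admin must still be a member of the group or the script will log them out too.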
