We are running the latest RHEL 8.7 which includes sss version
2.7.3-4.el8_7.3 and noticed some odd behavior. sss seems to ignore
leading @ characters when looking up a username. For example:
# getent passwd '@cpp.a'
cpp.a:x:1000:1000:CPP admin service account:/home/cpp.a:/bin/bash
The username is 'cpp.a', not '@cpp.a'. It doesn't seem to matter how
many @ signs there are:
# getent passwd '@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@cpp.a'
cpp.a:x:1000:1000:CPP admin service account:/home/cpp.a:/bin/bash
This is a local account on the system, with the default sssd
configuration; there is nothing explicitly set:
# find /etc/sssd
/etc/sssd
/etc/sssd/conf.d
/etc/sssd/pki
If I update nsswitch.conf to remove sss from the passwd line this
behavior goes away.
The same behavior occurs on other systems that are integrated with our
LDAP and Kerberos systems. When logging in, not only is this invalid
username successfully authenticated, it is passed to other pam modules:
Mar 16 12:35:46 login-dev-01 sshd[3782209]: Skipped Duo login for
'@@@@@@@henson' from 10.104.223.249: Allowing unknown user
This is allowing a bypass of our security policies; in this case, a user
who should have been forced to do MFA was able to log in without it,
because the name passed to the other modules by the login stack was not
the real username that ended up being logged in.
Is this a bug? A configuration issue? I opened a support ticket with Red
Hat but have not yet received a resolution. I wouldn't think this
would be intended behavior out-of-the-box.
Thanks…
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
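Added example, not part of the original post and not sssd project code: a small log check that a defender can run over sshd/PAM log lines to surface logins where the requested username is not a valid literal account name (for instance a name carrying leading `@` characters) and to show which canonical account it would have been resolved to, per the behaviour the post describes. The sample log lines are constructed, modelled on the one quoted above; the username character rule and the two sshd message shapes matched by the regexes are assumptions, so adjust them to your own log format.

```python
"""Flag login lines whose requested username cannot be a literal account name.

Added example (not from the sssd project or the original poster). It assumes
syslog-style sshd lines like the one quoted in the post, plus a POSIX-style
login-name rule; both are assumptions.
"""
import re
from typing import List, Tuple

# Constructed sample lines, modelled on the Duo/sshd line quoted in the post.
SAMPLE_LOG = """\
Mar 16 12:35:46 login-dev-01 sshd[3782209]: Skipped Duo login for '@@@@@@@henson' from 10.104.223.249: Allowing unknown user
Mar 16 12:36:02 login-dev-01 sshd[3782300]: Accepted password for henson from 10.104.223.249 port 50212 ssh2
Mar 16 12:37:10 login-dev-01 sshd[3782410]: Skipped Duo login for 'cpp.a' from 10.104.223.250: Allowing unknown user
Mar 16 12:38:41 login-dev-01 sshd[3782511]: Accepted password for @cpp.a from 10.104.223.250 port 50300 ssh2
"""

# Login-name rule (assumption): roughly what shadow-utils accepts by default,
# lowercase letters, digits, underscore, dot and hyphen, not starting with a
# digit or hyphen, optional trailing '$' for machine accounts.
VALID_NAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]*\$?$")

# Two sshd message shapes (assumption): "for 'name' from" as the Duo PAM
# module logs it, and "for name from" as sshd's own Accepted/Failed lines do.
USER_RE = re.compile(r"\bfor '?(?P<user>[^' ]+)'? from (?P<src>[^\s:]+)")


def canonical_name(requested: str) -> str:
    """Model the lookup behaviour the post reports: leading '@' is ignored.

    This reproduces the observed result only so the mismatch can be reported;
    it is not a statement of how sssd is documented to behave.
    """
    return requested.lstrip("@")


def is_suspicious_name(requested: str) -> bool:
    """True when the requested name fails the literal account-name rule."""
    return VALID_NAME_RE.match(requested) is None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (requested, canonical, source) for each suspicious login line.

    A non-empty result means some PAM module saw a username that differs
    from the account that was actually resolved, which is exactly the
    condition under which a per-user policy (such as MFA) can be skipped.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = USER_RE.search(line)
        if m is None:
            continue
        requested = m.group("user")
        if is_suspicious_name(requested):
            hits.append((requested, canonical_name(requested), m.group("src")))
    return hits


if __name__ == "__main__":
    for requested, canonical, src in scan(SAMPLE_LOG):
        print(f"MISMATCH requested={requested!r} resolved_as={canonical!r} from={src}")
```

Run it against real `/var/log/secure` (or `journalctl -u sshd`) output instead of `SAMPLE_LOG` to audit whether any session was admitted under a name that does not match a literal account; any hit is worth correlating with the MFA module's own records for that source address.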