Presentation is loading. Please wait.

Presentation is loading. Please wait.

SSSD System Security Services Daemon. 2 Manages communication with centralized identity and authentication stores Provides robust, predictable caching.

Published byNathan Fields Modified over 7 years ago

Similar presentations

Presentation on theme: "SSSD System Security Services Daemon. 2 Manages communication with centralized identity and authentication stores Provides robust, predictable caching."— Presentation transcript:

1 SSSD System Security Services Daemon

2 2 Manages communication with centralized identity and authentication stores Provides robust, predictable caching for network accounts Can cache authentication credentials locally to allow local updates Can handle multiple domains of user data and authentication

3 3 SSSD Use Cases Corporate Laptop ● Traditional problem: users maintain a separate local account on the laptop to log into when out of the office ● With SSSD providing cached credentials, the user can keep the same account (UID and all) when logging in remotely Datacenter ● Datacenters that require highly-available authentication can take advantage of SSSDs caching to ride out temporary internal service outages (such as an LDAP or Kerberos server outage)

4 4 Identity lookups without SSSD Network Boundary Identity Server Authentication Server Client

5 5 Identity lookups with SSSD Network Boundary Identity Server Authentication Server Client SSSD NSS Responde r PAM Responde r Domain Provider Auth Provider Identity Provider Cache

6 6 SSSD Data Providers Network Boundary Ident ity Serv er Auth Serv er Client SSSD NSS Responde r PAM Responde r Auth Provider Cache Dom ain Provi der 2 Identity Provider Dom ain Provi der 1 Auth Provider Identity Provider Dom ain Provi der N Auth Provider Identity Provider Dom ain Provi der... Auth Provider Identity Provider Ident ity Serv er Auth Serv er Ident ity Serv er Auth Serv er Ident ity Serv er Auth Serv er

7 7 Traditional Authentication Client Request Directory 2 Directory 1... Directory N PAM Auth N... Auth 2 Auth 1 NSS

8 8 Copyright Dbarefoot, used under Attribution-NonCommercial License

9 9 SSSD Authentication Client Request Directory 2 Directory 1... Directory N PAM Auth N... Auth 2 Auth 1 NSS

10 10 Improvements over nscd and pam_ccreds nscd ● SSSD user and group cache expiration is more predictable ● When cached in the SSSD, user identity entries will not expire while offline ● SSSD operates closer to the backends, so it can be aware of backend- specific temporary failures that nscd would report as missing entries pam_ccreds ● SSSD can be configured to perform offline expiration of cached credentials (requiring clients to 'check in' with the central server regularly) ● SSSD will inform the user when authenticating with cached credentials, and will warn of approaching offline expiration

11 11 Differences from traditional authentication SSSD requires the use of transport layer encryption when performing simple bind authentication against LDAP ● LDAPS, TLS or GSSAPI SSSD enforces a one-to-one relationship between user identities and authentication services Offline authentication against a Kerberos server can be configured to automatically perform a kinit when the server becomes available

12 12 To Infinity and Beyond Developer environment ● Build custom identity and authentication backends Better ActiveDirectory Support ● Integrate with ActiveDirectory using winbind InfoPipe ● Advanced authentication interface over D-BUS system bus ● Provide access to extended directory information such as keyboard and language preferences

13 13 A Final Word On Security Copyright Randall Munroe, used under Attribution-NonCommercial License

14 14 Configuration Basic configuration can be most easily managed with authconfig ● Version 6.1.4 or later of authconfig ● Properly configures the following standard configuration files for use with SSSD: ● /etc/nsswitch.conf ● /etc/pam.d/system-auth ● /etc/pam.d/password-auth ● /etc/sssd/sssd.conf ● /etc/krb5/krb5.conf (when using Kerberos for auth) SSSD 1.2.x supports LDAP for identities and either LDAP or Kerberos for authentication

15 15 Advanced Configuration Many more complicated configuration settings are available Advanced options be set manually in /etc/sssd/sssd.conf For a complete listing of these options, see: ● sssd.conf(5) ● sssd-ldap(5) ● sssd-krb5(5) Options that may be of interest: ● enumerate – Whether to allow a complete listing of all users in a domain. Default: False ● ldap_tls_reqcert – How strict SSSD should be when validating the certificate for an LDAP server ● krb5_store_password_if_offline – Whether to store a user's password (securely) until the SSSD becomes online. When this occurs, the SSSD will perform a kinit on behalf of the user with this password to acquire a TGT

16 16 Identity Providers LDAP ● Supports LDAP servers using RFC2307 or RFC2307bis schema ● SSSD 1.2 supports users and groups ● Upcoming versions will also support netgroups IPA ● Support for the upcoming FreeIPA v2 identity store ● Uses (and requires) GSSAPI/KRB5 encrypted communication with the FreeIPA LDAP server Proxy ● Can support identity data from an existing nameservice library ● E.g. nss_nis.so.2 ● Requires additional configuration of the nameservice library

17 17 Authentication Providers LDAP ● Password authentication through LDAP simple bind KRB5 ● Password authentication through the Kerberos protocol ● Authentication through this backend will perform a kinit and acquire a Kerberos ticket-granting ticket for network single-sign-on IPA ● Password authentication to FreeIPA through the Kerberos protocol or LDAP simple bind (during password migration only) ● Can handle password migrations from LDAP -> FreeIPA migrations Proxy ● Invokes a custom PAM stack to perform authentication against a tradition PAM module (or series of modules)

18 18 Access Providers Permit ● Always allows access to any user that succeeded at authentication ● Default if no access_provider is specified Deny ● Always denies access, regardless of authentication success Simple ● Grants access to users in a list LDAP ● Grants access to users whose user entry matches a particular LDAP search query IPA ● Grants access based on complex host-based access control (HBAC) rules configured on a FreeIPA server

19 19 Chpass Providers LDAP ● Change password using the password change extended operation of the LDAP protocol KRB5 ● Change password through the Kerberos protocol to a kadmin server Proxy

Download ppt "SSSD System Security Services Daemon. 2 Manages communication with centralized identity and authentication stores Provides robust, predictable caching."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Identity and Security Management Kevin Unthank Senior Product Manager Red Hat Security Management Products Cloud Business Unit.

Identity and Security Management Kevin Unthank Senior Product Manager Red Hat Security Management Products Cloud Business Unit.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
Understanding Active Directory

Understanding Active Directory
NETWORK FILE SYSTEM (NFS) By Ameeta.Jakate. NFS NFS was introduced in 1985 as a means of providing transparent access to remote file systems. NFS Architecture.

NETWORK FILE SYSTEM (NFS) By Ameeta.Jakate. NFS NFS was introduced in 1985 as a means of providing transparent access to remote file systems. NFS Architecture.
© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.

© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series 2008 - WebSEAL SSO, Session 1 Presented by: Andrew Quap.

TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
Square Pegs in Round Holes: Linux in a Windows World Eric G. Wolfe © 2008 Senior Linux Administrator Marshall University Slides, and code available at.

Square Pegs in Round Holes: Linux in a Windows World Eric G. Wolfe © 2008 Senior Linux Administrator Marshall University Slides, and code available at.
Lecture – Single Login NIS and Winbind. NIS Network Information Service (NIS) is the traditional directory service on UNIX platforms Still widely used.

Lecture – Single Login NIS and Winbind. NIS Network Information Service (NIS) is the traditional directory service on UNIX platforms Still widely used.
Building a KDC. Kerberos Implementations RedHat 5 comes with MIT Kerberos 1.6 Ubuntu 10.04 LTS comes with MIT Kerberos 1.8.1 Admin through CLI, but from.

Building a KDC. Kerberos Implementations RedHat 5 comes with MIT Kerberos 1.6 Ubuntu LTS comes with MIT Kerberos Admin through CLI, but from.
Hands-On Microsoft Windows Server 20081 Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

Similar presentations

Ads by Google