LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

Kernel prepatch 3.9-rc6

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

SSSD: System Security Services Daemon

September 27, 2011

This article was contributed by Marko Myllynen

Centralized identity and authentication management offers several benefits over the ancient "solution" of spreading password files across all the systems of an organization. User information can be added, modified, and deleted in one central location and the change is effective everywhere instantly. Most commonly in today's environments user identity and authentication functions are carried out with LDAP and Kerberos-based solutions. SSSD, the System Security Services Daemon, is a fairly recent client-side all-in-one component which aims to bring together all the features previously available only in several separate components while adding new ones and providing increased flexibility and robustness.

Linux client-side configuration for centralized identity and authentication stores with caching and offline support has traditionally required configuration of several independent components; the end result and operational efficiency has not always been optimal. Offline support means that previously logged-in users' password hashes and identity information are stored locally so that all operations requiring authentication or UID to username mapping can be processed locally.

Let us consider the components in a typical case where LDAP and Kerberos are used for identity and authentication and there are mobile users who roam around with their laptops between different networks. First, nss_ldap has to be configured to retrieve the user identity information from LDAP. Then pam_krb5 needs to be configured to allow for user authentication. Alas, neither of these components supports caching or offline mode. So nscd needs to be configured to cache user information. And then finally pam_ccreds is needed for caching authentication credentials while offline. Most readers would probably agree that this scheme isn't the most efficient and robust solution so there may be some room for improvement.

What SSSD does

SSSD provides several features but the most important is to provide access to identity and authentication resources through a common framework that can provide caching and offline support to the system. For offline support SSSD keeps the credentials in a local cache. When a user logs in to an organization's network with their centrally managed account on their laptop, the user information and credentials are automatically stored in the SSSD cache.

Secondly, it supports queries to multiple servers. Thus, one can query a number of different user databases. Third, the daemon has its own NSS and PAM interfaces for use by client systems. From a performance point of view, this offers advantages. Instead of needing to set up a connection for each and every application that queries the NSS LDAP database, only a single socket from SSSD to the LDAP server is required. And all these features can be configured in a single configuration file.

For users, authentication and Kerberos tickets will then work in a straightforward way: when logging in while online (i.e., a connection to the central user account service can be made), a user enters their username and password and, once verified, a Kerberos ticket for the user is automatically acquired. A successful online login also refreshes the user's cache entry without any manual steps.

When logging in while offline, authentication is done against the cached information. When SSSD observes that the system is online again (e.g., after the user has established a VPN connection), it can acquire a Kerberos ticket for the user in the background without any additional effort by the user. Kerberos tickets can be also be automatically renewed based on the SSSD configuration. If an organization has implemented single sign-on (SSO) using Kerberos then SSSD helps to provide very smooth but secure user experience.

In practical terms, SSSD has one central configuration file, /etc/sssd/sssd.conf, which contains all the configuration options needed for one or several domains, possibly with different retention policies for each domain. NSS and PAM are configured to use the SSSD modules, libnss_sss.so and pam_sss.so, respectively, and the sssd service needs to be enabled. Distributions like Fedora and RHEL have also integrated SSSD as part of their authconfig tool used to configure user information sources removing the need for manually editing NSS or PAM configuration files (also providing basic configuration for sssd.conf).

It should be noted that, in addition to sssd.conf, /etc/krb5.conf needs to be configured when using Kerberos for authentication. That is also required for applications and utilities using the Kerberos libraries directly. The manual page sssd.conf(5) provides a comprehensive overview of the available configuration options and Fedora SSSD Guide offers a complete walk-through for setting up SSSD.

In addition to identity and authentication methods like LDAP and Kerberos, SSSD also includes support for netgroups and proxied authentication (for example to be used with NIS, since a native NIS backend is not yet available, although it is in the roadmap). These might be helpful features for organizations during a transition when moving from NIS to LDAP/Kerberos. Another interesting feature is host-based access control (HBAC) using FreeIPA. HBAC rules can be used to control which users or groups can access a specific host.

Past and future

SSSD can trace its origins to the FreeIPA project. The SSSD project, originally codenamed "Bluebox" for reasons lost to history, was envisioned as the FreeIPA's primary client component. As SSSD began to take shape, it was realized that many of the enhancements that were being developed to support FreeIPA would also be valuable for users of other LDAP and Kerberos environments. Thus the long-term vision for SSSD was revised and it became a project in its own right, related to FreeIPA, but distinct. Since its introduction in Fedora 11, SSSD's user and developer community has grown rapidly. It is now available for all major distributions (Fedora, Ubuntu, RHEL, openSUSE, and others) and there are already some large enterprises which have already deployed it globally as part of their Linux installations.

Several notable new features are in the roadmap. Work is going on to use sudo's plugin interface in SSSD to make it easier to maintain centralized sudo rules that also function while offline. Another planned addition is automounter integration which would allow SSSD to retrieve LDAP served automount maps for autofs. Enhanced Active Directory integration and D-Bus based interfaces for extended user information and data are also coming. There are other interesting features planned for SSSD — additional suggestions and participation from the community is warmly welcomed.

The use of the SSSD offers many benefits, especially for administrators and mobile users. Instead of having multiple accounts, users can simply use a single account. Kerberos tickets can be automatically acquired and renewed, which makes the use of "kerberized" services seamless but secure. Offline mode can also be useful in data centers to help bridge the gap caused by a temporary failure of the LDAP or Kerberos servers. Compared with older solutions, SSSD offers far more flexible management and simplified administration for client-side identity and authentication needs.

(Log in to post comments)

SSSD: System Security Services Daemon

Posted Sep 29, 2011 0:44 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Whoa.

And I've just started to write MY OWN caching LDAP/Kerberos layer for offline use.

SSSD: System Security Services Daemon

Posted Sep 29, 2011 12:00 UTC (Thu) by sgallagh (guest, #80524) [Link]

@Cyberax

The SSSD team is always looking for new talent. If you're interested in collaborating with us to make SSSD better (or supporting some specific use-case of your own), please join the mailing list at https://fedorahosted.org/mailman/listinfo/sssd-devel and/or come see us in #sssd on irc.freenode.net.

SSSD: System Security Services Daemon

Posted Sep 29, 2011 12:51 UTC (Thu) by nix (subscriber, #2304) [Link]

Ah. I was wondering if this new daemon was actually doing anything useful on any system I owned. It turns out, no, it isn't, nor will it ever, but it still has to run because things now depend on it. Just like NetworkManager, it's complexity that's only useful for mobile users, because all the world now is mobile and desktop users are an ignorable and dwindling minority or something...

(Sure, unlike NetworkManager, SSSD has never gone wrong and failed to do its job for me, but I certainly recall at least one security hole in it, and a security hole in an authentication system is a big deal.)

SSSD: System Security Services Daemon

Posted Sep 29, 2011 14:01 UTC (Thu) by sgallagh (guest, #80524) [Link]

SSSD does not currently run automatically on any system, nor is it presently required for your system to operate. We are an optional component, usable when you want network identity and authentication. Otherwise (and by default) we do not run on the system.

At this time, SSSD doesn't interact with local users at all. However, in the future we're planning on adding additional features for the desktop. At that time, we may start handling local user accounts as well.

(Such features include central or local storage of additional user data such as language preference, face browser image, etc.)

SSSD: System Security Services Daemon

Posted Sep 29, 2011 20:28 UTC (Thu) by nix (subscriber, #2304) [Link]

Hm. Interesting. If it's not required to operate, why is it running on all my Fedora boxes? I guess it was installed by default, or pulled in by something else: I certainly didn't ask for it.

SSSD: System Security Services Daemon

Posted Sep 30, 2011 11:08 UTC (Fri) by sgallagh (guest, #80524) [Link]

The Fedora installation disks install the SSSD package by default so that it's possible to configure network identities during installation and firstboot.

Just because the package is present on the system doesn't mean it's running. Check 'service sssd status'. The design of the SSSD package in Fedora is such that in its default configuration it will fail to start (since it requires configuration specific to your network environment to do anything useful)

SSSD: System Security Services Daemon

Posted Sep 30, 2011 11:55 UTC (Fri) by nix (subscriber, #2304) [Link]

OK, I've proved I can't read ps output as well. I think I've done enough of making myself look like a fool in front of thousands of people for now :)

SSSD doesn't handle id cards directly - anyone working on this?

Posted Sep 29, 2011 13:23 UTC (Thu) by david.a.wheeler (guest, #72896) [Link]

Millions of people now use electronic cards (along with a PIN) to authenticate themselves to computers, and it's becoming even more common quickly. Yet SSSD doesn't directly support this common case. There's sortof a way to do this in SSSD with proxying, but it's clunky. Are people working on making this "just work, easily"?

SSSD doesn't handle id cards directly - anyone working on this?

Posted Sep 29, 2011 14:06 UTC (Thu) by sgallagh (guest, #80524) [Link]

Smart cards are very much on our mind in the SSSD team. It's on our to-do list (currently targeted at the 1.9.0 upstream release, which we hope to release in the first quarter of 2012). We're tracking this support in the upstream ticket https://fedorahosted.org/sssd/ticket/546. Comments are certainly welcome.

Target rich environment

Posted Sep 29, 2011 17:05 UTC (Thu) by alex (subscriber, #1355) [Link]

One thing I worry about with credential holding programs (ssh-agent and gpg-agent aren't immune either) is they present a very tempting target for malware/hackers. Especially in the days of always on, suspend/resume laptops when do the credentials get flushed and the user is forced to enter the details again?

Target rich environment

Posted Sep 29, 2011 20:29 UTC (Thu) by nix (subscriber, #2304) [Link]

Both ssh-add and gpg-agent can specify maximum key lifetimes (in ssh-add's case, on a key-by-key basis: I'm not sure if you can do the same with gpg-agent).

Target rich environment

Posted Sep 30, 2011 8:07 UTC (Fri) by myllynen (subscriber, #55412) [Link]

This is a nice idea, I've filed an upstream RFE at

https://fedorahosted.org/sssd/ticket/1015

Target rich environment

Posted Sep 30, 2011 13:14 UTC (Fri) by idra (subscriber, #36289) [Link]

Not that retaining the password is optional and not enabled by default.
By default SSSD will never store your password in the clear, it will only store a salted hash for offline login purposes.

When you explicitly configure SSSD to store the clear text password for deferred ticket acquisition it is stored in the kernel keyring which is generally considered a secure storage (ie if someone gets there you already have bigger issues).

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds