September 27, 2011
This article was contributed by Marko Myllynen
Centralized identity and authentication management offers several
benefits over the ancient "solution" of spreading password files across
all the systems of an organization. User information can be added,
modified, and deleted in one central location and the change is
effective everywhere instantly. Most commonly in today's environments
user identity and authentication functions are carried out with
LDAP and Kerberos-based solutions.
SSSD, the
System Security Services Daemon, is a fairly recent client-side
all-in-one component which aims to bring together all the features
previously available only in several separate components while adding
new ones and providing increased flexibility and robustness.
Linux client-side configuration for centralized identity and
authentication stores with caching and offline support has traditionally
required configuration of several independent components; the end result
and operational efficiency have not always been optimal. Offline support
means that previously logged-in users' password hashes and identity
information are stored locally so that all operations requiring
authentication or UID-to-username mapping can be processed locally.
Let us
consider the components in a typical case where LDAP and
Kerberos are used for identity and authentication and there are mobile
users who roam around with their laptops between different networks.
First, nss_ldap has to be configured to retrieve the user
identity information from LDAP. Then pam_krb5 needs to be
configured to allow for user authentication. Alas, neither of these
components supports caching or offline mode. So nscd needs
to be configured to cache user information. And then finally
pam_ccreds is needed for caching authentication credentials
while offline. Most readers would probably agree that this scheme
isn't the most efficient and robust solution so there may be
some room for improvement.
What SSSD does
SSSD provides several features but the most important is to provide
access to identity and authentication resources through a common
framework that can provide caching and offline support to the system.
For offline support SSSD keeps the credentials
in a local cache. When a user logs in to an organization's network with
their centrally managed account on their laptop, the user information and
credentials are automatically stored in the SSSD cache.
Secondly, it supports queries to multiple servers. Thus, one can
query a number of different user databases. Third, the daemon has its
own NSS and PAM interfaces for use by client systems. From
a performance point of view, this offers advantages. Instead of needing to
set up a connection for each and every application that queries the NSS
LDAP database, only a single socket from SSSD to the LDAP server is
required. And all these features can be configured in a single
configuration file.
For users, authentication and Kerberos tickets will then work in a
straightforward way: when logging in while online (i.e., a connection
to the central user account service can be made), a user enters their
username and password and, once verified, a Kerberos ticket for the user is automatically acquired. A
successful online login also refreshes the user's cache entry without
any manual steps.
When logging in while offline, authentication is
done against the cached information. When SSSD observes that the
system is online again (e.g., after the user has established a VPN
connection), it can acquire a Kerberos ticket for the user in the
background without any additional effort by the user. Kerberos
tickets can also be automatically renewed, based on the SSSD configuration.
If an organization has implemented single sign-on (SSO) using Kerberos
then SSSD helps to provide a very smooth but secure user experience.
In practical terms, SSSD has one central configuration file,
/etc/sssd/sssd.conf, which contains all the configuration options
needed for one or several domains, possibly with different retention
policies for each domain. NSS and PAM are configured to use the
SSSD modules, libnss_sss.so and pam_sss.so,
respectively, and the sssd service needs to be enabled. Distributions
like Fedora and RHEL have also integrated SSSD into their
authconfig tool for configuring user information sources, which removes the
need to edit the NSS or PAM configuration files by hand (and also provides
a basic sssd.conf).
It should be noted that, in addition
to sssd.conf, /etc/krb5.conf needs to be
configured when using Kerberos for authentication. That is also
required for applications and utilities using the Kerberos libraries
directly. The manual page sssd.conf(5) provides a
comprehensive overview of the available configuration options and Fedora
SSSD Guide offers a complete walk-through for setting up SSSD.
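The settings that decide whether the caching and offline behaviour described above is actually safe on a roaming laptop are easy to get wrong, so here is an added example, not code from the article or from the SSSD project: a small audit of sssd.conf. The option names are those documented in sssd.conf(5); the two configurations embedded in the script (one with the usual weak choices, one with each point addressed) and the finding labels are constructed for this example.

```python
"""Audit an sssd.conf for the settings that decide whether a roaming laptop
talks to LDAP/Kerberos securely and whether offline logins and TGT renewal
will actually work. Option names follow sssd.conf(5); the two sample
configurations and the finding labels are constructed for this example."""
import configparser

# Constructed: a domain with the common weak choices.
WEAK_CONF = """
[sssd]
services = nss, pam
domains = corp.example

[domain/corp.example]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.corp.example
ldap_tls_reqcert = allow
krb5_server = kdc.corp.example
krb5_realm = CORP.EXAMPLE
cache_credentials = true
krb5_renewable_lifetime = 7d
"""

# Constructed: the same domain with every finding addressed.
HARDENED_CONF = """
[sssd]
services = nss, pam
domains = corp.example

[pam]
offline_credentials_expiration = 14

[domain/corp.example]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.corp.example
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem
krb5_server = kdc.corp.example
krb5_realm = CORP.EXAMPLE
krb5_validate = true
cache_credentials = true
krb5_store_password_if_offline = true
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600
"""


def _flag(section, key):
    """SSSD booleans are true/false, case-insensitive; absent means false."""
    return section.get(key, "false").strip().lower() == "true"


def audit(conf_text):
    """Return {domain: [finding, ...]} for every domain listed in [sssd]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sssd = cp["sssd"] if cp.has_section("sssd") else {}
    pam = cp["pam"] if cp.has_section("pam") else {}
    findings = {}
    for dom in [d.strip() for d in sssd.get("domains", "").split(",") if d.strip()]:
        name = "domain/" + dom
        if not cp.has_section(name):
            findings[dom] = ["missing_domain_section"]
            continue
        d = cp[name]
        issues = []
        # Identity lookups over ldap:// are cleartext unless STARTTLS is forced.
        uris = d.get("ldap_uri", "").replace(",", " ").split()
        if any(u.startswith("ldap://") for u in uris) and not _flag(d, "ldap_id_use_start_tls"):
            issues.append("plain_ldap_without_starttls")
        # Anything below "demand" lets a rogue server present any certificate.
        if d.get("ldap_tls_reqcert", "demand").strip().lower() in ("never", "allow", "try"):
            issues.append("weak_ldap_tls_reqcert")
        # SSSD refuses simple binds without TLS unless this is switched on.
        if _flag(d, "ldap_auth_disable_tls_never_use_in_production"):
            issues.append("plaintext_ldap_auth_enabled")
        if _flag(d, "cache_credentials"):
            # The default of 0 keeps cached password hashes usable forever.
            if int(pam.get("offline_credentials_expiration", "0")) == 0:
                issues.append("cached_credentials_never_expire")
        else:
            issues.append("no_offline_logins")
        if d.get("auth_provider", "").strip().lower() == "krb5":
            # Without keytab validation a spoofed KDC can satisfy the login.
            if not _flag(d, "krb5_validate"):
                issues.append("krb5_validate_off")
            # A renewable TGT is only renewed if the interval is non-zero.
            if d.get("krb5_renewable_lifetime") and not d.get("krb5_renew_interval"):
                issues.append("renewable_tgt_never_renewed")
            # Needed for the background TGT acquisition after an offline login.
            if _flag(d, "cache_credentials") and not _flag(d, "krb5_store_password_if_offline"):
                issues.append("no_tgt_after_offline_login")
        findings[dom] = issues
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for dom, issues in audit(conf).items():
            print("%s %s: %s" % (label, dom, ", ".join(issues) or "no findings"))
```

Running the script reports six findings for the weak domain and none for the hardened one. The script reads the configuration from a string, so it does not check what SSSD itself insists on: that /etc/sssd/sssd.conf is root-owned and not readable by other users, since it may carry an LDAP bind password.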
In addition to identity and authentication methods like LDAP and
Kerberos, SSSD also includes support for netgroups and proxied
authentication (for example to be used with NIS, since a native NIS backend is not
yet available, although it is in the roadmap). These might be helpful features for
organizations during a transition when moving from NIS to
LDAP/Kerberos. Another interesting feature is host-based access
control (HBAC) using FreeIPA. HBAC rules can be used to control which
users or groups can access a specific host.
Past and future
SSSD can trace its origins to the FreeIPA project. The SSSD project,
originally codenamed "Bluebox" for reasons lost to history, was
envisioned as FreeIPA's primary client component. As SSSD began to
take shape, it was realized that many of the enhancements that were
being developed to support FreeIPA would also be valuable for users of
other LDAP and Kerberos environments. Thus the long-term vision for SSSD
was revised and it became a project in its own right, related to FreeIPA,
but distinct. Since its introduction in Fedora 11,
SSSD's user and developer community has grown rapidly. It is now available
for
all major distributions (Fedora, Ubuntu, RHEL, openSUSE, and others) and
there are already some large enterprises which have deployed it
globally as part of their Linux installations.
Several notable new features are in the roadmap. Work is going on to use
sudo's plugin interface in SSSD to make it easier
to maintain centralized sudo rules that also function while offline.
Another planned addition is automounter integration which would allow
SSSD to retrieve LDAP served automount maps for autofs. Enhanced Active
Directory integration and D-Bus based interfaces for extended user
information and data are also coming.
There are other interesting features planned for SSSD; additional
suggestions and participation from the community are warmly welcomed.
The use of SSSD offers many benefits,
especially for administrators and mobile users. Instead of having multiple
accounts, users can simply use a single account. Kerberos tickets can
be automatically acquired and renewed, which makes the use of "kerberized"
services
seamless but secure. Offline mode can also be useful in data centers to help
bridge the gap caused by a temporary failure of the LDAP or Kerberos
servers. Compared with older solutions, SSSD offers far more
flexible management and simplified administration for client-side identity
and authentication needs.
Brief items
So, it's no wonder that hackers can just plug something new in and
nobody notices. As long as it doesn't infect five million
residential banking customers then nobody is going have a
description of the suspect. That is the reality of hacking today,
and it has nothing to do with advanced persistent threat. It has to
do with the enterprise and the complete LACK of control you have
over the endpoint. When security is limited to the network
perimeter, you are not in control. Oh, and what a breath of fresh
air the mobile device is. A new pile of software, mostly social
media, that is directly connected to thousands of strangers that
are not your employees, communicating in real-time with processes
running within your defensive wall. In effect, you now have
thousands of potential multi-homed routers to 3G-space from your
network that don't belong to you.
-- Greg Hoglund
Matthew Garrett continues looking into the UEFI secure boot feature. "Summary: We don't really support secure boot right now, but that's ok because you can't buy any hardware that supports it yet. Adding support is probably about a week's worth of effort at most."
Here's a second installment from Matthew Garrett on the UEFI secure boot feature. "Microsoft have responded to suggestions that Windows 8 may make it difficult to boot alternative operating systems. What's interesting is that at no point do they contradict anything I've said. As things stand, Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems. But let's have some more background."
PC World reports that the MySQL.com site has been compromised. "Hackers had installed JavaScript code that threw a variety of known browser attacks at visitors to the site, so those with out-of-date browsers or unpatched versions of Adobe Flash, Reader or Java on their Windows PCs could have been quietly infected with malicious software."
Messages have appeared on the Mozilla security blog and the Tor project blog regarding the recently-disclosed attack against TLS 1.0. The summary is: neither the Firefox browser nor the Tor service is vulnerable. The Tor post has a lot of information about how the attack works and why they are not worried about it. Mozilla, instead, says that some Java plugins may be vulnerable and that Java should be disabled.
New vulnerabilities
apt: altered package installation
Package(s): apt
CVE #(s): none assigned
Created: September 23, 2011
Updated: September 29, 2011
Description:
From the Ubuntu advisory:
It was discovered that the apt-key utility incorrectly verified GPG
keys when downloaded via the net-update option. If a remote attacker were
able to perform a man-in-the-middle attack, this flaw could potentially be
used to install altered packages. This update corrects the issue by
disabling the net-update option completely. A future update will re-enable
the option with corrected verification.
cherokee: multiple vulnerabilities
Package(s): cherokee
CVE #(s): CVE-2011-2190, CVE-2011-2191
Created: September 26, 2011
Updated: November 25, 2011
Description:
The Cherokee server admin configuration web interface is vulnerable to CSRF. If an admin is logged into the Cherokee admin
interface and visits a site which runs a malicious script, Cherokee can be
reconfigured to execute arbitrary commands. The same CSRF can also be used
to produce a persistent XSS. (CVE-2011-2190)
Cherokee seeds srand() with a combination of the time and the PID of the admin process, after which rand() is called to generate the admin password. This is unsafe and allows fairly easy
password guessing by a local user. (CVE-2011-2191)
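To make the second Cherokee issue concrete, here is an added model, not Cherokee's code and not from the advisory: a password derived from a generator seeded with the time and PID, and the search a local user needs to recover it. The seed combination (time XOR PID), the stand-in generator (Python's random.Random in place of srand()/rand()), the password alphabet and the sample PID and timestamp are all assumptions of this example; the fix shown alongside is simply to draw the password from the OS random source.

```python
"""Model of why a password generated from rand() seeded with the time and
PID is guessable by a local user. The generator is a stand-in (Python's
random.Random seeded with time ^ pid), constructed for this example; the
real program's code is not reproduced here."""
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def weak_password(start_time, pid, length=10):
    """Password derived from a seed built out of two values that any local
    user can read from ps(1) or /proc/<pid>/stat (constructed model)."""
    rng = random.Random(start_time ^ pid)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length=10):
    """The fix: draw the password from the OS CSPRNG, not a seeded rand()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def recover_password(pid, approx_time, window, login_ok, length=10):
    """The attacker knows the PID exactly and the start time to within a few
    seconds, so the only unknown is the clock offset. Try every seed in the
    window against the login oracle; return (password, attempts made)."""
    attempts = 0
    for t in range(approx_time - window, approx_time + window + 1):
        candidate = weak_password(t, pid, length)
        attempts += 1
        if login_ok(candidate):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    start, pid = 1317081600, 4242          # constructed start time and PID
    real = weak_password(start, pid)
    found, tries = recover_password(pid, start + 7, 30, lambda c: c == real)
    print("recovered %r after %d of at most %d attempts" % (found, tries, 61))
    print("strong password:", strong_password())
```

With the PID known and the start time read from /proc, the whole search is a few dozen login attempts; even an attacker who knows neither value precisely faces only the product of a one-day clock window and the 32768 default PIDs, which is brute-forceable offline. A seeded rand() cannot be rescued by a better seed; the generator has to be a CSPRNG.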
flash-player: multiple vulnerabilities
Package(s): Flash-Player
CVE #(s): CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2429, CVE-2011-2430, CVE-2011-2444
Created: September 23, 2011
Updated: November 8, 2011
Description:
From the openSUSE advisory:
This update resolves a universal cross-site scripting issue
that could be used to take actions on a user's behalf on
any website or webmail provider if the user visits a
malicious website (CVE-2011-2444).
Note: There are reports that this issue is being exploited
in the wild in active targeted attacks designed to trick
the user into clicking on a malicious link delivered in an
email message.
This update resolves an AVM stack overflow issue that may
allow for remote code execution. (CVE-2011-2426).
This update resolves an AVM stack overflow issue that may
lead to denial of service and code execution.
(CVE-2011-2427).
This update resolves a logic error issue which causes a
browser crash and may lead to code execution. (CVE-2011-2428).
This update resolves a Flash Player security control
bypass which could allow information disclosure.
(CVE-2011-2429).
This update resolves a streaming media logic error
vulnerability which could lead to code execution.
(CVE-2011-2430).
foomatic: insecure temporary files
Package(s): foomatic
CVE #(s): CVE-2011-2924, CVE-2011-2923
Created: September 26, 2011
Updated: September 27, 2011
Description:
From the Red Hat bugzilla:
It was found that the foomatic-rip filter used an insecurely created temporary file for storage of PostScript data by rendering the data, intended to be sent to the PostScript filter, when the debug mode was enabled. A local attacker could use this flaw to conduct symlink attacks (overwrite an arbitrary file accessible with the privileges of the user running the foomatic-rip universal print filter).
NetworkManager: privilege escalation
Package(s): NetworkManager
CVE #(s): CVE-2011-3364
Created: September 27, 2011
Updated: November 14, 2011
Description:
From the Red Hat advisory:
An input sanitization flaw was found in the way the ifcfg-rh NetworkManager
plug-in escaped network connection names containing special characters. If
PolicyKit was configured to allow local, unprivileged users to create and
save new network connections, they could create a connection with a
specially-crafted name, leading to the escalation of their privileges.
Note: By default, PolicyKit prevents unprivileged users from creating and
saving network connections.
pango: arbitrary code execution
Package(s): evolution28-pango, pango, qt
CVE #(s): CVE-2011-3193
Created: September 23, 2011
Updated: September 23, 2011
Description:
From the Red Hat advisory:
A buffer overflow flaw was found in HarfBuzz, an OpenType text shaping
engine used in Pango. If a user loaded a specially-crafted font file with
an application that uses Pango, it could cause the application to crash or,
possibly, execute arbitrary code with the privileges of the user running
the application.
qt: code execution
Package(s): qt
CVE #(s): CVE-2011-3194
Created: September 23, 2011
Updated: June 4, 2012
Description:
A flaw in how Qt handles grayscale image files could enable an attacker to force a crash or execute arbitrary code via a malicious image.
quassel: denial of service
Package(s): quassel
CVE #(s): CVE-2011-3354
Created: September 26, 2011
Updated: September 27, 2011
Description:
From the Red Hat bugzilla:
CtcpParser::packedReply in src/core/ctcpparser.cpp in Quassel does not process certain CTCP requests correctly, allowing a remote attacker connected to the same IRC network as the victim to cause a Denial of Service condition by sending specially crafted CTCP requests.
Page editor: Jonathan Corbet