Security
SSSD: System Security Services Daemon
Centralized identity and authentication management offers several benefits over the ancient "solution" of spreading password files across all the systems of an organization. User information can be added, modified, and deleted in one central location and the change is effective everywhere instantly. Most commonly in today's environments user identity and authentication functions are carried out with LDAP and Kerberos-based solutions. SSSD, the System Security Services Daemon, is a fairly recent client-side all-in-one component which aims to bring together all the features previously available only in several separate components while adding new ones and providing increased flexibility and robustness.
Linux client-side configuration for centralized identity and authentication stores with caching and offline support has traditionally required configuration of several independent components; the end result and operational efficiency has not always been optimal. Offline support means that previously logged-in users' password hashes and identity information are stored locally so that all operations requiring authentication or UID to username mapping can be processed locally.
Let us consider the components in a typical case where LDAP and Kerberos are used for identity and authentication and there are mobile users who roam around with their laptops between different networks. First, nss_ldap has to be configured to retrieve the user identity information from LDAP. Then pam_krb5 needs to be configured to allow for user authentication. Alas, neither of these components supports caching or offline mode. So nscd needs to be configured to cache user information. And then finally pam_ccreds is needed for caching authentication credentials while offline. Most readers would probably agree that this scheme isn't the most efficient and robust solution so there may be some room for improvement.
What SSSD does
SSSD provides several features but the most important is to provide access to identity and authentication resources through a common framework that can provide caching and offline support to the system. For offline support SSSD keeps the credentials in a local cache. When a user logs in to an organization's network with their centrally managed account on their laptop, the user information and credentials are automatically stored in the SSSD cache.
Secondly, it supports queries to multiple servers. Thus, one can query a number of different user databases. Third, the daemon has its own NSS and PAM interfaces for use by client systems. From a performance point of view, this offers advantages. Instead of needing to set up a connection for each and every application that queries the NSS LDAP database, only a single socket from SSSD to the LDAP server is required. And all these features can be configured in a single configuration file.
For users, authentication and Kerberos tickets will then work in a straightforward way: when logging in while online (i.e., a connection to the central user account service can be made), a user enters their username and password and, once verified, a Kerberos ticket for the user is automatically acquired. A successful online login also refreshes the user's cache entry without any manual steps.
When logging in while offline, authentication is done against the cached information. When SSSD observes that the system is online again (e.g., after the user has established a VPN connection), it can acquire a Kerberos ticket for the user in the background without any additional effort by the user. Kerberos tickets can also be automatically renewed based on the SSSD configuration. If an organization has implemented single sign-on (SSO) using Kerberos, then SSSD helps to provide a very smooth but secure user experience.
In practical terms, SSSD has one central configuration file, /etc/sssd/sssd.conf, which contains all the configuration options needed for one or several domains, possibly with different retention policies for each domain. NSS and PAM are configured to use the SSSD modules, libnss_sss.so and pam_sss.so, respectively, and the sssd service needs to be enabled. Distributions like Fedora and RHEL have also integrated SSSD into their authconfig tool, which is used to configure user information sources, removing the need for manually editing NSS or PAM configuration files (it also provides a basic configuration for sssd.conf).
It should be noted that, in addition to sssd.conf, /etc/krb5.conf needs to be configured when using Kerberos for authentication. That is also required for applications and utilities using the Kerberos libraries directly. The manual page sssd.conf(5) provides a comprehensive overview of the available configuration options and the Fedora SSSD Guide offers a complete walk-through for setting up SSSD.
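As an added example (not from the article or the SSSD project), here is a minimal sssd.conf for the roaming LDAP-plus-Kerberos laptop scenario described above, with offline credential caching and background ticket acquisition and renewal. The server names, search base and realm (example.com / EXAMPLE.COM) are placeholder assumptions; the option names are those documented in sssd.conf(5).

```ini
# Added example: /etc/sssd/sssd.conf for one LDAP identity + Kerberos
# authentication domain with offline support. Hostnames, search base and
# realm are placeholder assumptions, not values from the article.
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE

[pam]
# Cached credentials stay usable for 7 days of offline logins (0 = no limit).
offline_credentials_expiration = 7
# After 3 failed offline attempts, block further attempts for 5 minutes.
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/EXAMPLE]
# Identity (NSS data) comes from LDAP; authentication and password
# changes go to Kerberos.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
# Do not download the whole directory; resolve entries on demand.
enumerate = false

# Two LDAP servers for failover, TLS required with a verified server cert.
ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/example-ca.crt

krb5_realm = EXAMPLE.COM
krb5_server = kdc1.example.com, kdc2.example.com

# Offline support: store a hash of the password after a successful
# online login so the user can authenticate against the cache later...
cache_credentials = true
# ...and keep the password in memory (never on disk) during an offline
# login so a TGT can be fetched silently once the KDC is reachable again.
krb5_store_password_if_offline = true
# Request a renewable TGT and renew it in the background every 1800 s.
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1800

# Serve cached identity data for 90 minutes before re-querying LDAP.
entry_cache_timeout = 5400
```

With this file in place (it must be owned by root with mode 0600), the remaining steps are the ones the article lists: add sss to the passwd and group lines of /etc/nsswitch.conf, add pam_sss.so to the PAM stack, and enable the sssd service.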
In addition to identity and authentication methods like LDAP and Kerberos, SSSD also includes support for netgroups and proxied authentication (for example to be used with NIS, since a native NIS backend is not yet available, although it is in the roadmap). These might be helpful features for organizations during a transition when moving from NIS to LDAP/Kerberos. Another interesting feature is host-based access control (HBAC) using FreeIPA. HBAC rules can be used to control which users or groups can access a specific host.
Past and future
SSSD can trace its origins to the FreeIPA project. The SSSD project, originally codenamed "Bluebox" for reasons lost to history, was envisioned as FreeIPA's primary client component. As SSSD began to take shape, it was realized that many of the enhancements that were being developed to support FreeIPA would also be valuable for users of other LDAP and Kerberos environments. Thus the long-term vision for SSSD was revised and it became a project in its own right, related to FreeIPA, but distinct. Since its introduction in Fedora 11, SSSD's user and developer community has grown rapidly. It is now available for all major distributions (Fedora, Ubuntu, RHEL, openSUSE, and others) and some large enterprises have already deployed it globally as part of their Linux installations.
Several notable new features are in the roadmap. Work is going on to use sudo's plugin interface in SSSD to make it easier to maintain centralized sudo rules that also function while offline. Another planned addition is automounter integration which would allow SSSD to retrieve LDAP served automount maps for autofs. Enhanced Active Directory integration and D-Bus based interfaces for extended user information and data are also coming. There are other interesting features planned for SSSD — additional suggestions and participation from the community is warmly welcomed.
The use of the SSSD offers many benefits, especially for administrators and mobile users. Instead of having multiple accounts, users can simply use a single account. Kerberos tickets can be automatically acquired and renewed, which makes the use of "kerberized" services seamless but secure. Offline mode can also be useful in data centers to help bridge the gap caused by a temporary failure of the LDAP or Kerberos servers. Compared with older solutions, SSSD offers far more flexible management and simplified administration for client-side identity and authentication needs.
Brief items
Quote of the week
Garrett: Supporting UEFI secure boot on Linux: the details
Matthew Garrett continues looking into the UEFI secure boot feature. "Summary: We don't really support secure boot right now, but that's ok because you can't buy any hardware that supports it yet. Adding support is probably about a week's worth of effort at most."
Garrett: UEFI secure booting (part 2)
Here's a second installment from Matthew Garrett on the UEFI secure boot feature. "Microsoft have responded to suggestions that Windows 8 may make it difficult to boot alternative operating systems. What's interesting is that at no point do they contradict anything I've said. As things stand, Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems. But let's have some more background."
MySQL.com Hacked to Serve Malware (PC World)
PC World reports that the MySQL.com site has been compromised. "Hackers had installed JavaScript code that threw a variety of known browser attacks at visitors to the site, so those with out-of-date browsers or unpatched versions of Adobe Flash, Reader or Java on their Windows PCs could have been quietly infected with malicious software."
Mozilla and Tor on the TLS attack
Messages have appeared on the Mozilla security blog and the Tor project blog regarding the recently-disclosed attack against TLS 1.0. The summary is: neither the Firefox browser nor the Tor service is vulnerable. The Tor post has a lot of information about how the attack works and why they are not worried about it. Mozilla, instead, says that some Java plugins may be vulnerable and that Java should be disabled.
New vulnerabilities
apt: altered package installation
Package(s): apt
CVE #(s): (none listed)
Created: September 23, 2011
Updated: September 29, 2011
Description: From the Ubuntu advisory:
It was discovered that the apt-key utility incorrectly verified GPG keys when downloaded via the net-update option. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. This update corrects the issue by disabling the net-update option completely. A future update will re-enable the option with corrected verification.
cherokee: multiple vulnerabilities
Package(s): cherokee
CVE #(s): CVE-2011-2190 CVE-2011-2191
Created: September 26, 2011
Updated: November 25, 2011
Description: The Cherokee server admin configuration web interface is vulnerable to CSRF. If an admin is logged into the Cherokee admin interface and visits a site which runs a malicious script, Cherokee can be reconfigured to execute arbitrary commands. The CSRF can also be used to produce a persistent XSS. (CVE-2011-2091)
Cherokee seeds srand with a combination of the time and the PID of the admin process, after which rand() is called to generate a random password -- this is unsafe and allows for fairly easy local password guessing by a local user. (CVE-2011-2090)
flash-player: multiple vulnerabilities
Package(s): Flash-Player
CVE #(s): CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2429 CVE-2011-2430 CVE-2011-2444
Created: September 23, 2011
Updated: November 8, 2011
Description: From the openSUSE advisory:
This update resolves a universal cross-site scripting issue that could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website (CVE-2011-2444). Note: There are reports that this issue is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.
This update resolves an AVM stack overflow issue that may allow for remote code execution (CVE-2011-2426).
This update resolves an AVM stack overflow issue that may lead to denial of service and code execution (CVE-2011-2427).
This update resolves a logic error issue which causes a browser crash and may lead to code execution (CVE-2011-2428).
This update resolves a Flash Player security control bypass which could allow information disclosure (CVE-2011-2429).
This update resolves a streaming media logic error vulnerability which could lead to code execution (CVE-2011-2430).
foomatic: insecure temporary files
Package(s): foomatic
CVE #(s): CVE-2011-2924 CVE-2011-2923
Created: September 26, 2011
Updated: September 27, 2011
Description: From the Red Hat bugzilla:
It was found that the foomatic-rip filter used an insecurely created temporary file for storage of PostScript data (by rendering the data intended to be sent to the PostScript filter) when debug mode was enabled. A local attacker could use this flaw to conduct symlink attacks (overwrite arbitrary files accessible with the privileges of the user running the foomatic-rip universal print filter).
NetworkManager: privilege escalation
Package(s): NetworkManager
CVE #(s): CVE-2011-3364
Created: September 27, 2011
Updated: November 14, 2011
Description: From the Red Hat advisory:
An input sanitization flaw was found in the way the ifcfg-rh NetworkManager plug-in escaped network connection names containing special characters. If PolicyKit was configured to allow local, unprivileged users to create and save new network connections, they could create a connection with a specially-crafted name, leading to the escalation of their privileges. Note: By default, PolicyKit prevents unprivileged users from creating and saving network connections.
pango: arbitrary code execution
Package(s): evolution28-pango pango qt
CVE #(s): CVE-2011-3193
Created: September 23, 2011
Updated: September 23, 2011
Description: From the Red Hat advisory:
A buffer overflow flaw was found in HarfBuzz, an OpenType text shaping engine used in Pango. If a user loaded a specially-crafted font file with an application that uses Pango, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
qt: code execution
Package(s): qt
CVE #(s): CVE-2011-3194
Created: September 23, 2011
Updated: June 4, 2012
Description: A flaw in how Qt handles grayscale image files could enable an attacker to force a crash or execute arbitrary code via a malicious image.
quassel: denial of service
Package(s): quassel
CVE #(s): CVE-2011-3354
Created: September 26, 2011
Updated: September 27, 2011
Description: From the Red Hat bugzilla:
CtcpParser::packedReply in src/core/ctcpparser.cpp in Quassel does not process certain CTCP requests correctly, allowing a remote attacker connected to the same IRC network as the victim to cause a Denial of Service condition by sending specially crafted CTCP requests.
Page editor: Jonathan Corbet