John Hodrien J.H.Hodrien@leeds.ac.uk wrote on 2014/09/25 15:06:16:
On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
John Hodrien J.H.Hodrien@leeds.ac.uk wrote on 2014/09/25 11:22:52:
How is local root pw any different than domain pw? In your view remote
root
access is a big nono so sssd should also enforce no remote root login
in
that case. I have no problem using local root pw when I known what it
is
but I don't care to memorize them all, besides users can change local
root
pw.
It isn't, but sssd isn't in a position to enforce it for local accounts.
ssh
But you argue strongly for never allowing remote root login to the degree that you have forcefully disabled root login in sssd. Then it is reasonably you should also do your best to disallow local root pw login. You could scan sshd, PAM, securetty etc. and simply refuse to start if sssd finds that local root pw is allowed over the network.
is, which is why ssh provides the option:
AllowRoot without-password
Why would I want to enable that?
If users change local root passwords they can equally well break sssd. They're unlikely to remove an authorized_keys file, and if they do,
discipline
them. I can't see what advantage you have using a network root
credential
over an ssh key, or a kerberos ticket.
You just said it: "best practice", not a law. In this context, sssd
dictates
policy and that is not sssd's call to make IMHO. You should encourage
best
practice though. One day we will get there but not today :)
SSSD dictates what it does to be safe. I've no problem with that
default.
It is not a default, there is no choice
Finally, why are you not up front with this policy? Nowhere I can find
is
this documented and since this is a unusual enforcement you should
document
this limitation with "big letters" so everyone is aware beforehand, it
sure
would have saved me a lot of time.
It might be worth forgiving sssd a little here.
auth requisite pam_succeed_if.so uid >= 500 quiet
You've almost certainly got something like this in pam. Don't accept
network
auth for local system accounts is a normal PAM policy.
That is a choice I got in PAM, sssd offers no choice.
Still, I don't see how the above somehow documents sssd's "no root login whatsoever" policy. The docs actually hints the opposite: filter_users, filter_groups (string) Exclude certain users from being fetched from the sss NSS database. This is particularly useful for system accounts. This option can also be set per-domain or include fully-qualified names to filter only users from the particular domain. Default: root
This make me think I only have to add an empty filter_users to allow root
Jocke