Bug 766876
| Summary: | [RFE] Make HBAC srchost processing optional | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jenny Severance <jgalipea> |
| Component: | sssd | Assignee: | Stephen Gallagher <sgallagh> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.3 | CC: | grajaiya, jgalipea, prc, shaines |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.8.0-2.el6.beta2 | Doc Type: | Enhancement |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-20 11:49:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Doc Text:

Cause: Evaluation of srchost HBAC rules was never reliable, because it depended on the application talking to SSSD to send the srchost string in an appropriate manner. There was no standardized representation for this, so some apps would send a hostname, some an FQDN, others an IP address and yet others would just pass on whatever the remote machine named itself.

Consequence: Srchost rules are impossible to evaluate properly in a consistent manner. Additionally, evaluating srchost rules causes a significant performance impact on logins as it requires repeated lookups against the FreeIPA server for information about all possible hosts that might be logging in.

Change: SSSD will now ignore srchost rules in HBAC processing by default.

Result: HBAC rule processing is now much faster, along with being more predictable.
Description
Jenny Severance
2011-12-12 18:19:46 UTC
Upstream ticket: https://fedorahosted.org/sssd/ticket/1078

verified ::

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacsvc-client-bug766876: ipa_hbac_support_srchost is set to false - Case 1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Running 'getent -s sss passwd user766876'
:: [ PASS ] :: Authentication successful for user766876, as expected
:: [ PASS ] :: Running 'ssh_auth_success user766876 testpw123 beast.testrelm.com'
:: [ LOG ] :: Duration: 15s
:: [ LOG ] :: Assertions: 4 good, 0 bad
:: [ PASS ] :: RESULT: ipa-hbacsvc-client-bug766876: ipa_hbac_support_srchost is set to false - Case 1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacsvc-client-bug766876_2: ipa_hbac_support_srchost is set to true - Case 2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Running 'cat /etc/sssd/sssd.conf'
:: [ PASS ] :: Running 'cat /etc/sssd/sssd.conf'
:: [ PASS ] :: Clearing cache
:: [ PASS ] :: Running 'service sssd restart'
:: [ LOG ] :: Verifies https://bugzilla.redhat.com/show_bug.cgi?id=798317
:: [ PASS ] :: Authentication successful for user766876, as expected
:: [ PASS ] :: Running 'ssh_auth_success user766876 testpw123 beast.testrelm.com'
:: [ PASS ] :: Running 'sed -i 's/ipa_hbac_support_srchost = true/ipa_hbac_support_srchost = false/g' /etc/sssd/sssd.conf'
:: [ PASS ] :: Running 'service sssd restart'
:: [ LOG ] :: Duration: 28s
:: [ LOG ] :: Assertions: 9 good, 0 bad
:: [ PASS ] :: RESULT: ipa-hbacsvc-client-bug766876_2: ipa_hbac_support_srchost is set to true - Case 2
```

version ::

```
ipa-client.i686 0:2.2.0-13.el6
ipa-server.i686 0:2.2.0-13.el6
```

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:

Cause: Evaluation of srchost HBAC rules was never reliable, because it depended on the application talking to SSSD to send the srchost string in an appropriate manner. There was no standardized representation for this, so some apps would send a hostname, some an FQDN, others an IP address and yet others would just pass on whatever the remote machine named itself.

Consequence: Srchost rules are impossible to evaluate properly in a consistent manner. Additionally, evaluating srchost rules causes a significant performance impact on logins as it requires repeated lookups against the FreeIPA server for information about all possible hosts that might be logging in.

Change: SSSD will now ignore srchost rules in HBAC processing by default.

Result: HBAC rule processing is now much faster, along with being more predictable.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0747.html
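The Doc Text says SSSD now skips srchost rules unless `ipa_hbac_support_srchost` is turned back on, and the verification log toggles exactly that option in /etc/sssd/sssd.conf. As an added example (not code from the bug report or from the SSSD project), the following Python audit reads an sssd.conf and reports, per IPA-backed domain, whether the unreliable and slow srchost path has been re-enabled; the config text is constructed, and treating an absent option as false assumes the post-fix default described above.

```python
"""Audit which SSSD domains still evaluate HBAC srchost rules.

Added example; the sample config below is constructed, not taken from the bug.
"""
import configparser

# Constructed sssd.conf with two IPA domains: one explicit false, one re-enabled.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = testrelm.com, legacy.example

[domain/testrelm.com]
id_provider = ipa
access_provider = ipa
ipa_hbac_support_srchost = false

[domain/legacy.example]
id_provider = ipa
access_provider = ipa
ipa_hbac_support_srchost = True
"""


def hbac_srchost_status(conf_text):
    """Return {domain: bool} for every domain section using the ipa access provider.

    HBAC is only evaluated by access_provider = ipa, so other domains are skipped.
    A domain that does not set ipa_hbac_support_srchost inherits the post-fix
    default (srchost ignored), so absence is reported as False.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    status = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        if parser.get(section, "access_provider", fallback="").strip() != "ipa":
            continue
        domain = section[len("domain/"):]
        # getboolean accepts true/false, yes/no, on/off, 1/0, case-insensitively.
        status[domain] = parser.getboolean(section, "ipa_hbac_support_srchost", fallback=False)
    return status


def domains_with_srchost(conf_text):
    """Sorted names of domains that re-enabled srchost evaluation."""
    return sorted(d for d, on in hbac_srchost_status(conf_text).items() if on)


if __name__ == "__main__":
    for domain, enabled in hbac_srchost_status(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: ipa_hbac_support_srchost={'true' if enabled else 'false'}")
```

Run it against the real file with `hbac_srchost_status(open("/etc/sssd/sssd.conf").read())`; any domain listed by `domains_with_srchost` is paying the per-login FreeIPA host lookups the Doc Text describes.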