Bug 785878

Summary: Support pam_check_host_attr
Product: Red Hat Enterprise Linux 6 Reporter: Stephen Gallagher <sgallagh>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED DUPLICATE QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: grajaiya, jgalipea, prc
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-30 20:44:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stephen Gallagher 2012-01-30 20:16:19 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/746

Splitting this ticket off from #670

From pam_ldap(5):
{{{
    pam_check_host_attr <yes|no>

        Specifies whether the "host" attribute should be checked for logon authorization ("account" in the PAM stack). The default is not to. If set to "yes" and a user has no value for the "host" attribute, then the user will be unable to login.

}}}

11/07/10 18:59:07 changed by ossman

I got a bit bored and had a look at the pam_ldap code to get details about the implementation. This is what I found:

1. The local names to try for "host" is determined by calling gethostname() and feeding that into gethostbyname(). The names tried are are then h_name and all h_aliases. Normally this means both the FQDN as well as just the first portion.

2. It first looks for entries starting with '!' to indicate explicit denies.

3. Only '*' has special meaning. I.e. no generic wild card support.
Comment 1 Jenny Severance 2012-01-30 20:44:12 UTC 
duplicate https://bugzilla.redhat.com/show_bug.cgi?id=755506

*** This bug has been marked as a duplicate of bug 755506 ***