+++ This bug was initially created as a clone of Bug #599026 +++
Description of problem:
There is a typo in the Makefile for SSSD. Using KEYUITLS_LIB instead of KEYUTILS_LIB results in the SSSD using its own internal storage instead of the slightly more secure kernel keyring.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Compile the SSSD
2. Run the sssd with krb5_store_password_if_offline
Actual results:
The kernel keyring is not used, and internal storage is used instead.
Expected results:
The kernel keyring is used.
Can you please add steps to verify? How to make sure the kernel keyring is used vs. internal storage. Thanks!
You can check /proc/keys. If a key for delayed authentication is stored, you should see an entry with the user name in the description column.
[root@rhel6snap11 ~]# cat /proc/keys
107ddc77 I--Q-- 6 perm 1f3f0000 0 -1 keyring _uid.0: empty
10fdbfc8 I--Q-- 1 perm 1f3f0000 0 0 keyring _tid: 1/4
1cc03fd9 I--Q-- 5 perm 1f3f0000 0 0 keyring _ses: 1/4
25a28a63 I--Q-- 5 perm 1f3f0000 0 0 keyring _ses: 1/4
28f7beea I--Q-- 1 perm 1f3f0000 0 -1 keyring _uid_ses.0: 1/4
2d80dabe I--Q-- 3 perm 1f3f0000 0 0 keyring _ses: empty
2e418e65 I--Q-- 3 perm 1f3f0000 0 0 keyring _ses: 1/4
3b1fd6d5 I--Q-- 1 perm 3b3f0000 0 0 user sssd: 8 <<<<
3bbc0cce I--Q-- 17 perm 1f3f0000 0 0 keyring _ses: 1/4
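An added example, not part of the original bug report or of SSSD: a shell function that automates the check described in the comment above by scanning /proc/keys for a `user`-type key whose description matches a given name. The names `find_user_key` and `SAMPLE_KEYS` are hypothetical, the sample lines are copied from the output quoted above, and the function assumes the description contains no spaces.

```shell
#!/bin/sh
# Added example, not from the bug report or from SSSD.
# Constructed sample: three lines copied from the /proc/keys output quoted above.
SAMPLE_KEYS='107ddc77 I--Q-- 6 perm 1f3f0000 0 -1 keyring _uid.0: empty
1cc03fd9 I--Q-- 5 perm 1f3f0000 0 0 keyring _ses: 1/4
3b1fd6d5 I--Q-- 1 perm 3b3f0000 0 0 user sssd: 8'

# find_user_key NAME [FILE]
#   Scans FILE (default /proc/keys, "-" for stdin) for keys of type "user"
#   whose description equals NAME. Prints "serial uid payload_size" for each
#   match. Returns 0 if at least one key was found, 1 otherwise.
#   Assumption: the description has no embedded spaces.
find_user_key() {
    name=$1
    src=${2:-/proc/keys}
    awk -v want="$name" '
        # Columns: serial flags usage expiry perm uid gid type description: summary
        NF >= 9 && $8 == "user" {
            desc = $9
            sub(/:$/, "", desc)          # strip the trailing colon
            if (desc == want) {
                print $1, $6, $10        # serial, owner uid, payload size
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$src"
}

# Demonstration on the constructed sample; prints the matching key line.
if printf '%s\n' "$SAMPLE_KEYS" | find_user_key sssd -; then
    echo "key found in kernel keyring"
else
    echo "no matching key: keyring not in use or nothing stored yet"
fi
```

/proc/keys lists only the keys the reading process has permission to view, so run the check as root, as in the session above.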
Verified. Version: sssd-1.2.1-26.el6.x86_64.
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.