Bug 766876 - [RFE] Make HBAC srchost processing optional
Summary: [RFE] Make HBAC srchost processing optional
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Stephen Gallagher
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-12-12 18:19 UTC by Jenny Severance
Modified: 2020-05-02 16:28 UTC (History)

Fixed In Version: sssd-1.8.0-2.el6.beta2
Doc Type: Enhancement
Doc Text:
Cause: Evaluation of srchost HBAC rules was never reliable, because it depended on the application talking to SSSD to send the srchost string in an appropriate manner. There was no standardized representation for this, so some apps would send a hostname, some an FQDN, others an IP address and yet others would just pass on whatever the remote machine named itself. Consequence: Srchost rules are impossible to evaluate properly in a consistent manner. Additionally, evaluating srchost rules causes a significant performance impact on logins as it requires repeated lookups against the FreeIPA server for information about all possible hosts that might be logging in. Change: SSSD will now ignore srchost rules in HBAC processing by default. Result: HBAC rule processing is now much faster, along with being more predictable.
Clone Of:
Environment:
Last Closed: 2012-06-20 11:49:29 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 2120 None None None 2020-05-02 16:28:48 UTC
Red Hat Product Errata RHBA-2012:0747 normal SHIPPED_LIVE sssd bug fix and enhancement update 2012-06-19 19:31:43 UTC

Description Jenny Severance 2011-12-12 18:19:46 UTC
Description of problem:

IPA Back End ::

Source host processing is very costly (it requires us to retrieve the complete list of hosts from the FreeIPA server) and it's inherently unreliable (due to the fact that there is no PAM standard for what applications will send us in the srchost field).

We should add a new option, ipa_hbac_support_srchost that will default to False. If this option is false, we will perform a much simpler host lookup (just the current host and its parents). This will significantly improve login performance in environments with large numbers of hosts.

When it's false, we should also modify rules we retrieve to treat srchost as category = ALL (thus meaning it will always match). 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Upstream Ticket https://fedorahosted.org/sssd/ticket/1078
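As an added illustration (not SSSD's code), a minimal model of HBAC rule evaluation showing what the proposed ipa_hbac_support_srchost option does: with it off, srchost is treated as category ALL before the rule is checked, so whatever string the PAM application happened to send (hostname, FQDN or IP) no longer decides the result. Rule names, users and hosts below are constructed sample data; hostgroup expansion is omitted.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

ALL = "all"  # category = ALL: this element of the rule matches anything


@dataclass
class HbacRule:
    """One FreeIPA HBAC rule, reduced to member sets plus category flags."""
    name: str
    users: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    srchosts: Set[str] = field(default_factory=set)
    targethosts: Set[str] = field(default_factory=set)
    # None means "use the member set", ALL means "always match"
    usercat: Optional[str] = None
    servicecat: Optional[str] = None
    srchostcat: Optional[str] = None
    targethostcat: Optional[str] = None


def _matches(category, members, value):
    return category == ALL or value in members


def evaluate(rules, user, service, srchost, targethost, support_srchost=False):
    """Return the name of the first rule that allows the login, else None.

    support_srchost=False mirrors the proposed default: srchost is rewritten
    to category ALL, so the srchost string sent by the application is ignored.
    """
    for rule in rules:
        srchostcat = rule.srchostcat if support_srchost else ALL
        if (_matches(rule.usercat, rule.users, user)
                and _matches(rule.servicecat, rule.services, service)
                and _matches(srchostcat, rule.srchosts, srchost)
                and _matches(rule.targethostcat, rule.targethosts, targethost)):
            return rule.name
    return None


# Constructed sample rule: user766876 may ssh to beast.testrelm.com, but the
# rule lists only the FQDN "trusted.testrelm.com" as the allowed source host.
RULES = [HbacRule(name="ssh_from_trusted",
                  users={"user766876"}, services={"sshd"},
                  srchosts={"trusted.testrelm.com"},
                  targethosts={"beast.testrelm.com"})]
```

With srchost processing enabled, the same client is allowed when the application reports "trusted.testrelm.com" but denied when it reports the client's IP address, which is the inconsistency the report describes; with the option off both logins are evaluated identically.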

Comment 1 Stephen Gallagher 2012-01-30 21:13:46 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1078

Comment 4 Jenny Severance 2012-05-10 16:32:11 UTC
verified ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-hbacsvc-client-bug766876: ipa_hbac_support_srchost is set to false - Case 1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Running 'getent -s sss passwd user766876'
:: [   PASS   ] :: Authentication successful for user766876, as expected
:: [   PASS   ] :: Running 'ssh_auth_success user766876 testpw123@ipa.com beast.testrelm.com'
:: [   LOG    ] :: Duration: 15s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-hbacsvc-client-bug766876: ipa_hbac_support_srchost is set to false - Case 1

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-hbacsvc-client-bug766876_2: ipa_hbac_support_srchost is set to true - Case 2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Running 'cat /etc/sssd/sssd.conf'
:: [   PASS   ] :: Running 'cat /etc/sssd/sssd.conf'
:: [   PASS   ] :: Clearing cache
:: [   PASS   ] :: Running 'service sssd restart'
:: [   LOG    ] :: Verifies https://bugzilla.redhat.com/show_bug.cgi?id=798317
:: [   PASS   ] :: Authentication successful for user766876, as expected
:: [   PASS   ] :: Running 'ssh_auth_success user766876 testpw123@ipa.com beast.testrelm.com'
:: [   PASS   ] :: Running 'sed -i 's/ipa_hbac_support_srchost = true/ipa_hbac_support_srchost = false/g' /etc/sssd/sssd.conf'
:: [   PASS   ] :: Running 'service sssd restart'
:: [   LOG    ] :: Duration: 28s
:: [   LOG    ] :: Assertions: 9 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-hbacsvc-client-bug766876_2: ipa_hbac_support_srchost is set to true - Case 2

version :: 
ipa-client.i686 0:2.2.0-13.el6
ipa-server.i686 0:2.2.0-13.el6

Comment 5 Stephen Gallagher 2012-06-12 13:15:07 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Evaluation of srchost HBAC rules was never reliable, because it depended on the application talking to SSSD to send the srchost string in an appropriate manner. There was no standardized representation for this, so some apps would send a hostname, some an FQDN, others an IP address and yet others would just pass on whatever the remote machine named itself.

Consequence: Srchost rules are impossible to evaluate properly in a consistent manner. Additionally, evaluating srchost rules causes a significant performance impact on logins as it requires repeated lookups against the FreeIPA server for information about all possible hosts that might be logging in.

Change: SSSD will now ignore srchost rules in HBAC processing by default.

Result: HBAC rule processing is now much faster, along with being more predictable.

Comment 7 errata-xmlrpc 2012-06-20 11:49:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html

