RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 766876 - [RFE] Make HBAC srchost processing optional
Summary: [RFE] Make HBAC srchost processing optional
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.3
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Stephen Gallagher
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-12-12 18:19 UTC by Jenny Severance
Modified: 2020-05-02 16:28 UTC (History)
4 users (show)

Fixed In Version: sssd-1.8.0-2.el6.beta2
Doc Type: Enhancement
Doc Text:
Cause: Evaluation of srchost HBAC rules was never reliable, because it depended on the application talking to SSSD to send the srchost string in an appropriate manner. There was no standardized representation for this, so some apps would send a hostname, some an FQDN, others an IP address and yet others would just pass on whatever the remote machine named itself. Consequence: Srchost rules are impossible to evaluate properly in a consistent manner. Additionally, evaluating srchost rules causes a significant performance impact on logins as it requires repeated lookups against the FreeIPA server for information about all possible hosts that might be logging in. Change: SSSD will now ignore srchost rules in HBAC processing by default. Result: HBAC rule processing is now much faster, along with being more predictable.
Clone Of:
Environment:
Last Closed: 2012-06-20 11:49:29 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2120 0 None None None 2020-05-02 16:28:48 UTC
Red Hat Product Errata RHBA-2012:0747 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2012-06-19 19:31:43 UTC

Description Jenny Severance 2011-12-12 18:19:46 UTC 
Description of problem:

IPA Back End ::

Source host processing is very costly (it requires us to retrieve the complete list of hosts from the FreeIPA server) and it's inherently unreliable (due to the fact that there is no PAM standard for what applications will send us in the srchost field).

We should add a new option, ipa_hbac_support_srchost that will default to False. If this option is false, we will perform a much simpler host lookup (just the current host and its parents). This will significantly improve login performance in environments with large numbers of hosts.

When it's false, we should also modify rules we retrieve to treat srchost as category = ALL (thus meaning it will always match). 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Upstream Ticket https://fedorahosted.org/sssd/ticket/1078
Comment 1 Stephen Gallagher 2012-01-30 21:13:46 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1078
Comment 4 Jenny Severance 2012-05-10 16:32:11 UTC 
verified ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-hbacsvc-client-bug766876: ipa_hbac_support_srchost is set to false - Case 1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Running 'getent -s sss passwd user766876'
:: [   PASS   ] :: Authentication successful for user766876, as expected
:: [   PASS   ] :: Running 'ssh_auth_success user766876 testpw123 beast.testrelm.com'
:: [   LOG    ] :: Duration: 15s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-hbacsvc-client-bug766876: ipa_hbac_support_srchost is set to false - Case 1

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-hbacsvc-client-bug766876_2: ipa_hbac_support_srchost is set to true - Case 2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Running 'cat /etc/sssd/sssd.conf'
:: [   PASS   ] :: Running 'cat /etc/sssd/sssd.conf'
:: [   PASS   ] :: Clearing cache
:: [   PASS   ] :: Running 'service sssd restart'
:: [   LOG    ] :: Verifies https://bugzilla.redhat.com/show_bug.cgi?id=798317
:: [   PASS   ] :: Authentication successful for user766876, as expected
:: [   PASS   ] :: Running 'ssh_auth_success user766876 testpw123 beast.testrelm.com'
:: [   PASS   ] :: Running 'sed -i 's/ipa_hbac_support_srchost = true/ipa_hbac_support_srchost = false/g' /etc/sssd/sssd.conf'
:: [   PASS   ] :: Running 'service sssd restart'
:: [   LOG    ] :: Duration: 28s
:: [   LOG    ] :: Assertions: 9 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-hbacsvc-client-bug766876_2: ipa_hbac_support_srchost is set to true - Case 2

version :: 
ipa-client.i686 0:2.2.0-13.el6
ipa-server.i686 0:2.2.0-13.el6
Comment 5 Stephen Gallagher 2012-06-12 13:15:07 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Evaluation of srchost HBAC rules was never reliable, because it depended on the application talking to SSSD to send the srchost string in an appropriate manner. There was no standardized representation for this, so some apps would send a hostname, some an FQDN, others an IP address and yet others would just pass on whatever the remote machine named itself.

Consequence: Srchost rules are impossible to evaluate properly in a consistent manner. Additionally, evaluating srchost rules causes a significant performance impact on logins as it requires repeated lookups against the FreeIPA server for information about all possible hosts that might be logging in.

Change: SSSD will now ignore srchost rules in HBAC processing by default.

Result: HBAC rule processing is now much faster, along with being more predictable.
Comment 7 errata-xmlrpc 2012-06-20 11:49:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html
Note You need to log in before you can comment on or make changes to this bug.