© Nikita Sobolkov, 123RF.com
The System Security Services Daemon
Detached
While I was having lunch with a colleague recently, conversation turned to the topic of SSSD and new features in Fedora 17. We also talked about sudo integration and other useful functions. Just to remind you: SSSD (System Security Services Daemon [1]) is the client-side daemon that handles communications between clients and centralized directory services.
Various authentication mechanisms can be used for this, and communication with the client is handled by the classic PAM and NSS interfaces. On the back end, different security providers then handle, for example, communications with an LDAP or FreeIPA server [2].
The good thing about this setup is that authentication for a client will still work if the central back-end server is not available. Of course, this can happen if the server crashes, but the cause is often much more trivial. For example, roaming users who do not always have a network connection for their laptops will obviously not always be able to communicate with a central directory service.
SSSD uses a cache to store authentication information. If the user wants to log in to the system, but the central back-end server is not available, the login will still work because the information is taken from the SSSD cache in this case. The /etc/sssd/sssd.conf configuration file also defines precisely how this cache can be used. For example, the offline_credentials_expiration parameter defines how long the data from the cache will remain valid if the back-end server is not available.
The offline_failed_login_attempts instruction ensures that a user cannot make an arbitrary number of attempts to guess another user's password. Once the integer defined here has been exceeded, the attacking user is then blocked for the time defined in the offline_failed_login_delay
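The following check is an added example, not code from the article or from the SSSD project: it reads an sssd.conf and reports offline-login settings left at values that impose no limit. The sample configuration and the function name audit_offline_settings are constructed for illustration; the defaults assumed for unset options (0, 0 and 5) are those documented in sssd.conf(5).

```python
import configparser

# Constructed sample configuration, not taken from the article.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = example

[pam]
offline_credentials_expiration = 0
offline_failed_login_attempts = 0
offline_failed_login_delay = 5

[domain/example]
id_provider = ldap
cache_credentials = true
"""

def audit_offline_settings(conf_text):
    """Return a list of findings about offline-login settings in sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    # Offline logins only work for domains that cache credentials.
    caching = [s for s in cp.sections()
               if s.startswith("domain/")
               and cp.get(s, "cache_credentials", fallback="false").strip().lower() == "true"]
    if not caching:
        return findings
    pam = cp["pam"] if cp.has_section("pam") else {}
    # Unset options fall back to the sssd.conf(5) defaults: 0 and 0 mean "no limit".
    expiration = int(pam.get("offline_credentials_expiration", "0"))  # days
    attempts = int(pam.get("offline_failed_login_attempts", "0"))
    delay = int(pam.get("offline_failed_login_delay", "5"))           # minutes
    if expiration == 0:
        findings.append("offline_credentials_expiration=0: cached credentials never expire")
    if attempts == 0:
        findings.append("offline_failed_login_attempts=0: unlimited offline password guesses")
    elif delay == 0:
        findings.append("offline_failed_login_delay=0: lockout lasts until the next online login")
    return findings

if __name__ == "__main__":
    for line in audit_offline_settings(SAMPLE_CONF):
        print(line)
```

On a real host, pass the contents of /etc/sssd/sssd.conf (readable only by root) to the function instead of the sample string.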

