On Sat, Feb 11, 2017 at 02:41:12PM -0500, Mario Rossi wrote:
For my production servers I enabled the local provider on the customer-facing
servers. I have configured an emergency user that will not be shown in
/etc/passwd. In a hosting environment anyone can get a domain for just
a few $$ and this exposes the passwd file. If I add the account to /etc/passwd
it could be brute-forced as most brute-forcing scripts will reference the
file. However if I add it via sss_* tools, the account is invisible to
I've read the wiki page and I understood the need for replacing it. If
id_provider=local will be removed I can live without it :)
Interesting use-case. By the way, I've received some other feedback from
users who configure the id_provider=local, so I'm no longer sure we can
remove it. And, as Sumit noted to me off-list, the local provider is
sufficiently tested by Red Hat's QA team, so we are usually reminded
quite quickly if something goes south.
Thanks for the response.