For my production servers I enabled the local provider on the
customer-facing servers. I have configured an emergency user that will not be
shown in /etc/passwd. In a hosting environment anyone can get a
domain for just a few $$ and this exposes the passwd file. If I add the
account to /etc/passwd it could be brute-forced, as most brute-forcing
scripts will reference the file. However, if I add it via sss_* tools,
the account is invisible to them.

I've read the wiki page and I understood the need for replacing it. If
id_provider=local will be removed I can live without it :)

On 02/10/2017 04:18 AM, Jakub Hrozek wrote:
Are there any SSSD users who actively use a configuration with:
If so, what is your use-case?
We're considering deprecating and eventually removing this provider
upstream. The replacement for id_provider=local would be id_provider=files:
which is already under review and later extension of the SSSD's D-Bus
interface to allow manipulating custom user attributes.
My current plan for deprecating the local provider is to only build the
provider and the tools around it if a configure-time flag is provided.
This flag would be disabled by default. Then, if no one complains,
eventually just remove the code.
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org