For my production servers I enabled the local provider on the
customer-facing servers. I have configured an emergency user that will
not be shown in /etc/passwd. In a hosting environment anyone can get
a domain for just a few $$ and this exposes the passwd file. If I
add the account to /etc/passwd it could be brute-forced, as most
brute-forcing scripts will reference the file. However, if I add it
via the sss_* tools, the account is invisible to them.
I've read the wiki page and I understood the need for replacing
it. If id_provider=local will be removed I can live without it :)

On 02/10/2017 04:18 AM, Jakub Hrozek wrote:
> are there any SSSD users who actively use a configuration with:
> If so, what is your use-case?
> We're considering deprecating and eventually removing this provider
> upstream. The replacement for id_provider=local would be id_provider=files:
> which is already under review and later extension of the SSSD's D-Bus
> interface to allow manipulating custom user attributes.
> My current plan for deprecating the local provider is to only build the
> provider and the tools around it if a configure-time flag is provided.
> This flag would be disabled by default. Then, if no one complains,
> eventually just remove the code.
sssd-users mailing list -- email@example.com