For my production servers I enabled the local provider on the customer-facing servers. I have configured an emergency user that will not be shown in /etc/passwd. In a hosting environment anyone can get a domain for just a few $$ and this exposes the passwd file. If I add the account to /etc/passwd it could be brute-forced, as most brute-forcing scripts will reference the file. However, if I add it via the sss_* tools, the account is invisible to them.

I've read the wiki page and I understood the need for replacing it. If id_provider=local will be removed I can live without it :)


On 02/10/2017 04:18 AM, Jakub Hrozek wrote:

are there any SSSD users who actively use a configuration with:
    id_provider=local ?
If so, what is your use-case?

We're considering deprecating and eventually removing this provider
upstream. The replacement for id_provider=local would be id_provider=files:
which is already under review and later extension of the SSSD's D-Bus
interface to allow manipulating custom user attributes.

My current plan for deprecating the local provider is to only build the
provider and the tools around it if a configure-time flag is provided.
This flag would be disabled by default. Then, if no one complains,
eventually just remove the code.
sssd-users mailing list -- sssd-users@lists.fedorahosted.org