
Re: Security Issue with sssd / AD authentication?



On Fri, Nov 08, 2019 at 11:36:34AM -0600, Kent West wrote:
> Probably not the best place to put this information, but I figure here is
> better than nowhere...
> 
> I'm tinkering with authenticating a Debian (10.1) box via Active Directory,
> so that an AD user can log into the Debian box.
> 
> The relevant /etc/sssd/sssd.conf file has the following modification:
> 
> use_fully_qualified_names = False
> 
> If I have a local account (say, "westk") and a domain account of the same
> name, but with a different password, I can log into the Debian box with the
> domain "westk"/password, but the "id" command shows me then to be logged in
> as the local "westk".
> 
> The result is that if I have a local account that belongs to a completely
> different person than a person with a domain account of the same name, the
> domain account person, upon login, becomes the local account person, with
> full access as that person.
> 
> Advice? Suggestions? Questions?
> 
It seems like you have two options:

1. change the use_fully_qualified_names setting
2. eliminate the westk local account

While the situation has security implications, those implications are a
result of misconfiguration rather than any defect in the related
utilities.

You could experience the same issue by allowing logins from two
different domains where the same user account exists in both.  It is a
risk of the use_fully_qualified_names configuration setting.

Regards,

-Roberto

-- 
Roberto C. Sánchez
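
The check and the two configurations from Roberto's reply, as an added example that is not part of the original thread: a POSIX shell script that walks the local passwd file and asks sssd, name by name, whether the domain also has that account, and that reports which way `use_fully_qualified_names` is set in an sssd.conf-format file. The sample passwd lines, the sssd.conf fragments, the `example.com` domain and the `sss_lookup_fake` stand-in for sssd are constructed for the example; the function names are mine. The real per-name lookup uses glibc's `getent -s sss passwd NAME`, which works without sssd enumeration (off by default), so it is a practical audit on a host before setting `use_fully_qualified_names = True` or removing the colliding local account.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks a host for the
# situation Kent describes: a local account in /etc/passwd whose name also
# exists in the AD domain served by sssd. With use_fully_qualified_names =
# False both PAM and NSS see the bare name "westk", and the NSS order in
# /etc/nsswitch.conf (files before sss) resolves it to the local uid even
# when the domain password was the one that authenticated.

# --- real lookup (not run in the demo below) --------------------------------

# Ask only the sss NSS module about one name. Exit status 0 means sssd knows
# it. Per-name lookups work even when sssd enumeration is disabled (default).
sss_lookup_real() {
    getent -s sss passwd "$1" >/dev/null 2>&1
}

# --- checks -----------------------------------------------------------------

# Print each account name (field 1) from a passwd-format file that the given
# lookup function also resolves. $1 = passwd file, $2 = lookup function name.
report_collisions() {
    cut -d: -f1 "$1" | while IFS= read -r name; do
        if "$2" "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Print the use_fully_qualified_names value from an sssd.conf-format file in
# lower case; sssd defaults the option to false when it is absent. (A file
# with several [domain/...] sections should be checked per section; this
# reads the last occurrence.)
fqn_setting() {
    val=$(sed -n 's/^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val" | tr 'A-Z' 'a-z'
    else
        printf 'false\n'
    fi
}

# --- constructed demo data --------------------------------------------------

SAMPLE_PASSWD=$(mktemp)
SAMPLE_CONF=$(mktemp)
SAMPLE_CONF_FIXED=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_CONF" "$SAMPLE_CONF_FIXED"' EXIT

# Constructed /etc/passwd: a local "westk" plus two other local users.
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'westk:x:1000:1000:local westk:/home/westk:/bin/bash' \
    'alice:x:1001:1001:local alice:/home/alice:/bin/bash' > "$SAMPLE_PASSWD"

# Constructed stand-in for sssd: the domain has users "westk" and "jdoe".
sss_lookup_fake() {
    case $1 in
        westk|jdoe) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sssd.conf in the state the question describes (weak setting).
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
use_fully_qualified_names = False
EOF

# The same file with Roberto's option 1 applied: domain users then log in as
# westk@example.com, which cannot be confused with the local westk.
sed 's/^use_fully_qualified_names = False/use_fully_qualified_names = True/' \
    "$SAMPLE_CONF" > "$SAMPLE_CONF_FIXED"

# --- demo run ---------------------------------------------------------------

echo "local accounts that also exist in the domain:"
report_collisions "$SAMPLE_PASSWD" sss_lookup_fake          # westk
echo "use_fully_qualified_names in the original config: $(fqn_setting "$SAMPLE_CONF")"
echo "use_fully_qualified_names after the fix:          $(fqn_setting "$SAMPLE_CONF_FIXED")"
# On a real host: report_collisions /etc/passwd sss_lookup_real
```

Any name the report prints is one where Roberto's option 2 (remove or rename the local account) applies; if the list is empty today, option 1 still closes the door on a future collision, because with fully qualified names the domain identity is never spelled the same as a local one.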