Friday, September 14, 2012

Overriding Shell for Users through SSSD

What is SSSD in a nutshell?

SSSD (System Security Services Daemon) is a collection of daemons that a Linux system uses to look up identities and to authenticate and authorize users against remote sources. In particular, it can interface with remote directories such as those that speak LDAP (Lightweight Directory Access Protocol), and it plugs into the local NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) stacks through its nss_sss and pam_sss modules. Because every passwd/group lookup and every login passes through those modules, SSSD's configuration effectively controls what the rest of the system sees, including a user's login shell. You can learn more about it here:

https://fedorahosted.org/sssd/

The problem?

I was getting the authentication information from a central LDAP directory; however, the directory only provided /bin/csh as the login shell (and therefore as the SHELL environment variable) for the users, while I needed it to be /bin/bash in my environment.

Ideally, SSSD would provide a way to override the shell directly in its configuration file. Unfortunately, at the time of this writing, that option only exists in SSSD 1.9, which is still in beta with the Fedora project. Further, my systems were Red Hat Enterprise Linux 6 (RHEL), which typically runs a few versions behind in most things, although security patches and bug fixes are backported.

The (current) recommended solution

Currently, for versions of SSSD up to 1.8.4, the recommended way of doing this is by altering the file:

/etc/sssd/sssd.conf

You would want to add the following stanza in that file:

[nss]
allowed_shells = /bin/bash, /bin/tcsh
vetoed_shells = /bin/csh
shell_fallback = /bin/bash


Broken down, these do the following, in the order SSSD's NSS responder evaluates them:
  • vetoed_shells: any user whose directory entry says /bin/csh has that shell replaced with shell_fallback. This check runs first, so it wins even when /bin/csh is installed and listed in /etc/shells (as it is on RHEL when the tcsh package is installed), which is why this option, and not allowed_shells, is the one doing the real work here.
  • allowed_shells: a shell that is listed in /etc/shells is always kept; a shell that is in allowed_shells but not installed is replaced with shell_fallback; a shell that is neither installed nor allowed becomes the nologin shell. Be aware of that last case: once these options are set, a user whose directory shell is something exotic and not installed locally will no longer be able to log in.
  • shell_fallback: the shell substituted in the two cases above, here /bin/bash (the default is /bin/sh).

After editing the file, restart the sssd service (the daemon only reads /etc/shells and its configuration at start-up) and confirm the result by checking the shell field that getent passwd returns for an affected user.

Variable placement is important

These variables will only take effect under the [nss] stanza, as that is the section in which SSSD defines them as valid; the same keys in [sssd] or in a [domain/...] section are silently ignored. You can check the list of valid variables per section in one of two locations, either:

1) /etc/sssd/sssd.api.conf and /etc/sssd/sssd.api.d/*

Or

2) /usr/share/sssd/sssd.api.conf and /usr/share/sssd/sssd.api.d/*
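To make the evaluation order above concrete, and to show why the placement of the keys matters, the following is an added example, not SSSD's own code: a small Python model of how the SSSD 1.8 NSS responder rewrites the shell it got from the directory. It reads only the [nss] stanza of a constructed sssd.conf (the stanza from this post, plus a decoy vetoed_shells key deliberately placed in the wrong section), applies the documented precedence (vetoed_shells, then /etc/shells, then allowed_shells, otherwise nologin), and reports what getent passwd would return for a few constructed user records. The /etc/shells contents, the user list and the helper names are all assumptions for the example; the precedence itself is the documented behaviour.

```python
"""Model of how the SSSD 1.8 NSS responder rewrites a user's login shell.

Added example, not SSSD's own code. It re-implements the documented order
of the [nss] options (vetoed_shells, then /etc/shells, then allowed_shells,
otherwise nologin) so you can predict what `getent passwd` will return
before restarting sssd. The sssd.conf text, the /etc/shells contents and
the user records below are constructed test data.
"""
import configparser

NOLOGIN_SHELL = "/sbin/nologin"  # returned for a shell that is neither installed nor allowed

# Constructed sssd.conf: the [nss] stanza from the post, plus the same key
# placed in the wrong ([sssd]) section to show that it is ignored there.
SSSD_CONF = """
[sssd]
services = nss, pam
domains = EXAMPLE
vetoed_shells = /bin/tcsh

[nss]
allowed_shells = /bin/bash, /bin/tcsh
vetoed_shells = /bin/csh
shell_fallback = /bin/bash

[domain/EXAMPLE]
id_provider = ldap
"""

# Constructed /etc/shells as found on a RHEL 6 box with tcsh installed.
# Note that /bin/csh is present, so allowed_shells alone would not remove it.
ETC_SHELLS = ["/bin/sh", "/bin/bash", "/sbin/nologin", "/bin/tcsh", "/bin/csh"]


def _split_list(value):
    """sssd.conf lists are comma separated; strip whitespace, drop empties."""
    return [s.strip() for s in value.split(",") if s.strip()]


def load_nss_options(conf_text):
    """Read the three shell options from the [nss] stanza only, as SSSD does."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    nss = cp["nss"] if cp.has_section("nss") else {}
    return {
        "allowed_shells": _split_list(nss.get("allowed_shells", "")),
        "vetoed_shells": _split_list(nss.get("vetoed_shells", "")),
        "shell_fallback": nss.get("shell_fallback", "/bin/sh"),  # SSSD's default
    }


def resolve_shell(user_shell, opts, etc_shells=ETC_SHELLS):
    """Apply the responder's override order to the shell the directory returned."""
    if user_shell is None:
        return None                      # no shell attribute: left to libc
    if not opts["allowed_shells"] and not opts["vetoed_shells"]:
        return user_shell                # options unset: shell passed through
    if user_shell in opts["vetoed_shells"]:
        return opts["shell_fallback"]    # vetoed wins even if it is in /etc/shells
    if user_shell in etc_shells:
        return user_shell                # installed shell is kept as-is
    if user_shell in opts["allowed_shells"]:
        return opts["shell_fallback"]    # allowed but not installed locally
    return NOLOGIN_SHELL                 # neither allowed nor installed: no login


USERS = {  # constructed directory records: uid -> loginShell attribute
    "alice": "/bin/csh",   # the post's case: vetoed, becomes /bin/bash
    "bob": "/bin/tcsh",    # decoy veto in [sssd] is ignored, stays /bin/tcsh
    "carol": "/bin/ksh",   # not installed, not allowed: becomes nologin
}


def effective_shells(conf_text=SSSD_CONF, users=USERS):
    """Map each user to the shell that getent passwd would show."""
    opts = load_nss_options(conf_text)
    return {uid: resolve_shell(shell, opts) for uid, shell in users.items()}


if __name__ == "__main__":
    for uid, shell in effective_shells().items():
        print(f"{uid}: {USERS[uid]} -> {shell}")
```

Removing the vetoed_shells line from the [nss] stanza and running the model again shows alice keeping /bin/csh, because an installed shell listed in /etc/shells is always accepted before allowed_shells is consulted; that is the check that confirms which of the three options actually performs the override.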


Future direction: SSSD 1.9

With SSSD 1.9 there is a new variable, override_shell, which essentially does the same thing but as a proper option rather than a workaround built from the allow/veto lists. You can see the patch details here:

http://article.gmane.org/gmane.linux.redhat.sssd.devel/10203/match=override_shell

The failed "solutions" (for your information)

Some other things I attempted that didn't quite work out involved:
  • Placing the variables above in the wrong stanza. :)
  • Using an "exec /bin/bash" in /etc/csh.login
  • Altering and overriding the shell in /etc/security/pam_env.conf

