SSSD 2.1.0

Highlights

New features

• Any provider can now match and map certificates to user identities. This feature enables to log in with a smart card without having to store the full certificate blob in the directory or in user overrides. Please see The design page for more information (#3500)
• pam_sss can now be configured to only perform Smart Card authentication or return an error if this is not possible.
• pam_sss can also prompt the user to insert a Smart Card if, during an authentication it is not available. SSSD would then wait for the card until it is inserted or until timeout defined by p11_wait_for_card_timeout passes.
• The device or reader used for Smart Card authentication can now be selected or restricted using a PKCS#11 URI (see RFC-7512) specified in the p11_uri option.
• Multiple certificates are now supported for Smart Card authentication even if SSSD is built with OpenSSL
• OCSP checks were added to the OpenSSL version of certificate authentication
• A new option crl_file can be used to select a Certificate Revocation List (CRL) file to be used during verification of a certificate for Smart Card authentication.
• Certificates with Elliptic Curve keys are now supported (#3887)
• It is now possible to refresh the KCM configuration without restarting the whole SSSD deamon, just by modifying the [kcm] section of sssd.conf and running systemctl restart sssd-kcm.service.
• A new configuration option ad_gpo_implicit_deny was added. This option (when set to True) can be used to deny access to users even if there is not applicable GPO. Normally users are allowed access in this situation. (#3701)
• The dynamic DNS update can now batch DNS updates to include all address family updates in a single transaction to reduce replication traffic in complex environments (#3829)
• Configuration file snippets can now be used even when the main sssd.conf file does not exist. This is mostly useful to configure e.g. the KCM responder, the implicit files provider or the session recording with setups that have no explicit domain (#3439)
• The sssctl user-checks tool can now display extra attributes set with the InfoPipe user_attributes configuraton option (#3866)

Security issues fixed

• CVE-2019-3811: SSSD used to return "/" in case a user entry had no home directory. This was deemed a security issue because this flaw could impact services that restrict the user's filesystem access to within their home directory. An empty home directory field would indicate "no filesystem access", where sssd reporting it as "/" would grant full access (though still confined by unix permissions, SELinux etc).

Notable bug fixes

• Many fixes for the internal "sbus" IPC that was rewritten in the 2.0 release including crash on reconnection (#3821), a memory leak (#3810), a proxy provider startup crash (#3812), sudo responder crash (#3854), proxy provider authentication (#3892), accessing the extraAttributes InfoPipe property (#3906) or a potential startup failure (#3924)
• The Active Directory provider now fetches the user information from the LDAP port and switches to using the Global Catalog port, if available for the group membership. This fixes an issue where some attributes which are not available in the Global Catalog, typically the home directory, would be removed from the user entry. (#2474)
• Session recording can now be enabled also for local users when the session recording is configured with scope=some and restricted to certain groups.
• Smart Card authentication did not work with the KCM credentials cache because with KCM root cannot write to arbitrary user's credential caches (#3903)
• A KCM bug that prevented SSH Kerberos credential forwarding from functioning was fixed (#3873)
• The KCM responder did not work with completely empty database (#3815)
• The sudo responder did not reflect the case_sensitive domain option (#3820)
• The SSH responder no longer fails completely if the p11_child times out when deriving SSH keys from a certificate (#3937)t
• An issue that caused SSSD to sometimes switch to offline mode in case not all domains in the forest ran the Global Catalog service was fixed (#3902)
• If any of the SSSD responders was too busy, that responder wouldn't have refreshed the trusted domain list (#3967)
• The IPA SELinux provider now sets the user login context even if it is the same as the system default. This is important in case the user has a non-standard home directory, because then only adding the user to the SELinux database ensures the home directory will be labeled properly. However, this fix causes a performance hit during the first login as the context must be written into the semanage database.
• A memory leak when requesting netgroups repeatedly was fixed (#3870)
• The pysss.getgrouplist() interface that was removed by accident in the 2.0 version was re-added (#3493)
• Crash when requesting users with the FindByNameAndCertificate D-Bus method was fixed (#3863)
• SSSD can again run as the non-privileged sssd user (#3871)
• The cron PAM service name used for GPO access control now defaults to a different service name depending on the OS (Launchpad #1572908)

Packaging Changes

• The sbus code generator no longer relies on existance of the "python" binary, the python2/3 binary is used depending on which bindings are being generated (#3807)
• Very old libini library versions are no longer supported

Documentation Changes

• Two new pam_sss options try_cert_auth and require_cert_auth can restrict authentication to use a Smart Card only or wait for a Smart Card to be inserted.
• A new option p11_wait_for_card_timeout controls how long would SSSD wait for a Smart Card to be inserted before failing with PAM_AUTHINFO_UNAVAIL.
• A new option p11_uri is available to restrict the device or reader used for Smart Card authentication.

See full release notes here.