> -----Message d'origine----- > De : Lukas Slebodnik [mailto:lsleb...@redhat.com] > Envoyé : mercredi 16 janvier 2019 12:47 > À : End-user discussions about the System Security Services Daemon > Objet : [SSSD-users] Re: Understanding sssd cache > > On (16/01/19 09:14), Maupertuis Philippe wrote: > >Hi > >I am trying to find out how th sssd cache is being populated. > >I couldn't find much about it so I did some tests. > >It seems that with enumerate = true, the cache holds all the information > needed as soon as sssd is started. > >With enumerate = false, the cache holds information about someone only > after his first connection. > >Is that right ? > >I would like to be sure that user's passwords are stored in the cache but > couldn't find any way to verify this > >With sssctl user-show I can find if a user is in the cache but with no > >details. > >With sssctl user-checks I get some information about the user but nothing > about the password. > >By examining directly the cache with ldbsearch I don't find any password > information either, only maybe shadowLastChange: with a number which I > don't understand. > >Is there any documentation about the cache management ? > > > > Hashed password is cached only after successful authentication. It is not > rerieved by "getent passwd $user". > > sssd cache is internal cache and should not be used directly by user. I understand that and was looking at it only to try to understand how it works.
> May I know what do you want to achieve? When using regular ssh access the the ssh publickey is in the cache if needed. A user who had not connected previously is able to connect even if the backend is unreachable When using the console, we have to rely on the password. When something goes wrong (sshd down or network issue), there is a high probability that the user would connect to the console for the first time. So if there is no guarantee the login could be successful offline we need to have a local (shared) account to connect to the console. A shared account is a nightmare to manage and a sore point for audits, we would like to remove it. > > LS > _______________________________________________ > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/sssd- > us...@lists.fedorahosted.org !!!************************************************************************************* "Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis. This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.!!!" _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
