SSSD.CONF(5) File Formats and Conventions SSSD.CONF(5)
NAME
sssd.conf - the configuration file for SSSD
FILE FORMAT
The file has an ini-style syntax and consists of sections and
parameters. A section begins with the name of the section in square
brackets and continues until the next section begins. An example of a
section with single and multi-valued parameters:
[section]
key = value
key2 = value2,value3
The data types used are string (no quotes needed), integer and bool
(with values of “TRUE/FALSE”).
A line comment starts with a hash sign (“#”) or a semicolon (“;”).
Inline comments are not supported.
All sections can have an optional description parameter. Its function
is only as a label for the section.
sssd.conf must be a regular file, owned by root and only root may read
from or write to the file.
SPECIAL SECTIONS
The [sssd] section
Individual pieces of SSSD functionality are provided by special SSSD
services that are started and stopped together with SSSD. The services
are managed by a special service frequently called “monitor”. The
“[sssd]” section is used to configure the monitor as well as some other
important options like the identity domains.
Section parameters
config_file_version (integer)
Indicates the syntax version of the config file. SSSD 0.6.0 and
later use version 2.
services
Comma separated list of services that are started when sssd itself
starts.
Supported services: nss, pam, sudo, autofs, ssh
reconnection_retries (integer)
Number of times services should attempt to reconnect in the event
of a Data Provider crash or restart before they give up
Default: 3
domains
A domain is a database containing user information. SSSD can use
several domains at the same time, but at least one must be configured
or SSSD won't start. This parameter describes the list of domains
in the order you want them to be queried.
re_expression (string)
Default regular expression that describes how to parse the string
containing user name and domain into these components.
Each domain can have an individual regular expression configured.
For some ID providers there are also default regular expressions.
See DOMAIN SECTIONS for more info on these regular expressions.
full_name_format (string)
The default printf(3)-compatible format that describes how to
translate a (name, domain) tuple into a fully qualified name.
Each domain can have an individual format string configured. See
DOMAIN SECTIONS for more info on this option.
try_inotify (boolean)
SSSD monitors the state of resolv.conf to identify when it needs to
update its internal DNS resolver. By default, we will attempt to
use inotify for this, and will fall back to polling resolv.conf
every five seconds if inotify cannot be used.
There are some limited situations where it is preferred that we
should skip even trying to use inotify. In these rare cases, this
option should be set to 'false'.
Default: true on platforms where inotify is supported. False on
other platforms.
Note: this option will have no effect on platforms where inotify is
unavailable. On these platforms, polling will always be used.
krb5_rcache_dir (string)
Directory on the filesystem where SSSD should store Kerberos replay
cache files.
This option accepts a special value __LIBKRB5_DEFAULTS__ that will
instruct SSSD to let libkrb5 decide the appropriate location for
the replay cache.
Default: Distribution-specific and specified at build-time.
(__LIBKRB5_DEFAULTS__ if not configured)
default_domain_suffix (string)
This string will be used as a default domain name for all names
without a domain name component. The main use case is environments
where the primary domain is intended for managing host policies and
all users are located in a trusted domain. The option allows those
users to log in just with their user name without giving a domain
name as well.
Please note that if this option is set all users from the primary
domain have to use their fully qualified name, e.g.
user@domain.name, to log in.
Default: not set
SERVICES SECTIONS
Settings that can be used to configure different services are described
in this section. They should reside in the [$NAME] section; for
example, for the NSS service, the section would be “[nss]”.
General service configuration options
These options can be used to configure any service.
debug_level (integer)
Bit mask that indicates which debug levels will be visible. 0x0010
is the default value as well as the lowest allowed value, 0xFFF0 is
the most verbose mode. This setting overrides the settings from
config file.
Currently supported debug levels:
0x0010: Fatal failures. Anything that would prevent SSSD from
starting up or causes it to cease running.
0x0020: Critical failures. An error that doesn't kill the SSSD, but
one that indicates that at least one major feature is not going to
work properly.
0x0040: Serious failures. An error announcing that a particular
request or operation has failed.
0x0080: Minor failures. These are the errors that would percolate
down to cause the operation failure of 2.
0x0100: Configuration settings.
0x0200: Function data.
0x0400: Trace messages for operation functions.
0x1000: Trace messages for internal control functions.
0x2000: Contents of function-internal variables that may be
interesting.
0x4000: Extremely low-level tracing information.
To log required debug levels, simply add their numbers together as
shown in the following examples:
Example: To log fatal failures, critical failures, serious failures
and function data use 0x0270.
Example: To log fatal failures, configuration settings, function
data, trace messages for internal control functions use 0x1310.
Note: This is the new format of debug levels introduced in 1.7.0. The
older format (numbers from 0-10) is compatible but deprecated.
debug_timestamps (bool)
Add a timestamp to the debug messages
Default: true
debug_microseconds (bool)
Add microseconds to the timestamp in debug messages
Default: false
timeout (integer)
Timeout in seconds between heartbeats for this service. This is
used to ensure that the process is alive and capable of answering
requests.
Default: 10
reconnection_retries (integer)
Number of times services should attempt to reconnect in the event
of a Data Provider crash or restart before they give up
Default: 3
fd_limit
This option specifies the maximum number of file descriptors that
may be opened at one time by this SSSD process. On systems where
SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
absolute setting. On systems without this capability, the resulting
value will be the lower value of this or the limits.conf "hard"
limit.
Default: 8192 (or limits.conf "hard" limit)
client_idle_timeout
This option specifies the number of seconds that a client of an
SSSD process can hold onto a file descriptor without communicating
on it. This value is limited in order to avoid resource exhaustion
on the system.
Default: 60
force_timeout (integer)
If a service is not responding to ping checks (see the “timeout”
option), it is first sent the SIGTERM signal that instructs it to
quit gracefully. If the service does not terminate after
“force_timeout” seconds, the monitor will forcibly shut it down by
sending a SIGKILL signal.
Default: 60
NSS configuration options
These options can be used to configure the Name Service Switch (NSS)
service.
enum_cache_timeout (integer)
How many seconds should nss_sss cache enumerations (requests for
info about all users)
Default: 120
entry_cache_nowait_percentage (integer)
The entry cache can be set to automatically update entries in the
background if they are requested beyond a percentage of the
entry_cache_timeout value for the domain.
For example, if the domain's entry_cache_timeout is set to 30s and
entry_cache_nowait_percentage is set to 50 (percent), entries that
come in after 15 seconds past the last cache update will be
returned immediately, but the SSSD will go and update the cache on
its own, so that future requests will not need to block waiting for
a cache update.
Valid values for this option are 0-99 and represent a percentage of
the entry_cache_timeout for each domain. For performance reasons,
this percentage will never reduce the nowait timeout to less than
10 seconds. (0 disables this feature)
Default: 50
entry_negative_timeout (integer)
Specifies for how many seconds nss_sss should cache negative cache
hits (that is, queries for invalid database entries, like
nonexistent ones) before asking the back end again.
Default: 15
filter_users, filter_groups (string)
Exclude certain users from being fetched from the sss NSS database.
This is particularly useful for system accounts. This option can
also be set per-domain or include fully-qualified names to filter
only users from the particular domain.
Default: root
filter_users_in_groups (bool)
If you want filtered users to still be group members, set this
option to false.
Default: true
override_homedir (string)
Override the user's home directory. You can either provide an
absolute value or a template. In the template, the following
sequences are substituted:
%u
login name
%U
UID number
%d
domain name
%f
fully qualified user name (user@domain)
%%
a literal '%'
This option can also be set per-domain.
example:
override_homedir = /home/%u
Default: Not set (SSSD will use the value retrieved from LDAP)
fallback_homedir (string)
Set a default template for a user's home directory if one is not
specified explicitly by the domain's data provider.
The available values for this option are the same as for
override_homedir.
example:
fallback_homedir = /home/%u
Default: not set (no substitution for unset home directories)
override_shell (string)
Override the login shell for all users. This option can be
specified globally in the [nss] section or per-domain.
Default: not set (SSSD will use the value retrieved from LDAP)
allowed_shells (string)
Restrict user shell to one of the listed values. The order of
evaluation is:
1. If the shell is present in “/etc/shells”, it is used.
2. If the shell is in the allowed_shells list but not in
“/etc/shells”, use the value of the shell_fallback parameter.
3. If the shell is not in the allowed_shells list and not in
“/etc/shells”, a nologin shell is used.
An empty string for shell is passed as-is to libc.
The “/etc/shells” is only read on SSSD start up, which means that a
restart of the SSSD is required in case a new shell is installed.
Default: Not set. The user shell is automatically used.
vetoed_shells (string)
Replace any instance of these shells with the shell_fallback.
shell_fallback (string)
The default shell to use if an allowed shell is not installed on
the machine.
Default: /bin/sh
default_shell
The default shell to use if the provider does not return one during
lookup. This option supersedes any other shell options if it takes
effect and can be set either in the [nss] section or per-domain.
Default: not set (Return NULL if no shell is specified and rely on
libc to substitute something sensible when necessary, usually
/bin/sh)
get_domains_timeout (int)
Specifies time in seconds for which the list of subdomains will be
considered valid.
Default: 60
memcache_timeout (int)
Specifies time in seconds for which records in the in-memory cache
will be valid
Default: 300
PAM configuration options
These options can be used to configure the Pluggable Authentication
Module (PAM) service.
offline_credentials_expiration (integer)
If the authentication provider is offline, how long should we allow
cached logins (in days since the last successful online login).
Default: 0 (No limit)
offline_failed_login_attempts (integer)
If the authentication provider is offline, how many failed login
attempts are allowed.
Default: 0 (No limit)
offline_failed_login_delay (integer)
The time in minutes which has to pass after
offline_failed_login_attempts has been reached before a new login
attempt is possible.
If set to 0 the user cannot authenticate offline if
offline_failed_login_attempts has been reached. Only a successful
online authentication can enable offline authentication again.
Default: 5
pam_verbosity (integer)
Controls what kind of messages are shown to the user during
authentication. The higher the number, the more messages are
displayed.
Currently sssd supports the following values:
0: do not show any message
1: show only important messages
2: show informational messages
3: show all messages and debug information
Default: 1
pam_id_timeout (integer)
For any PAM request while SSSD is online, the SSSD will attempt to
immediately update the cached identity information for the user in
order to ensure that authentication takes place with the latest
information.
A complete PAM conversation may perform multiple PAM requests, such
as account management and session opening. This option controls (on
a per-client-application basis) how long (in seconds) we can cache
the identity information to avoid excessive round-trips to the
identity provider.
Default: 5
pam_pwd_expiration_warning (integer)
Display a warning N days before the password expires.
Please note that the backend server has to provide information
about the expiration time of the password. If this information is
missing, sssd cannot display a warning.
If zero is set, then this filter is not applied, i.e. if the
expiration warning was received from backend server, it will
automatically be displayed.
This setting can be overridden by setting pwd_expiration_warning
for a particular domain.
Default: 0
get_domains_timeout (int)
Specifies time in seconds for which the list of subdomains will be
considered valid.
Default: 60
SUDO configuration options
These options can be used to configure the sudo service.
sudo_timed (bool)
Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries.
Default: false
AUTOFS configuration options
These options can be used to configure the autofs service.
autofs_negative_timeout (integer)
Specifies for how many seconds the autofs responder should cache
negative hits (that is, queries for invalid map entries, like
nonexistent ones) before asking the back end again.
Default: 15
Please note that the automounter only reads the master map on startup,
so if any autofs-related changes are made to the sssd.conf, you
typically also need to restart the automounter daemon after restarting
the SSSD.
SSH configuration options
These options can be used to configure the SSH service.
ssh_hash_known_hosts (bool)
Whether or not to hash host names and addresses in the managed
known_hosts file.
Default: true
ssh_known_hosts_timeout (integer)
How many seconds to keep a host in the managed known_hosts file
after its host keys were requested.
Default: 180
DOMAIN SECTIONS
These configuration options can be present in a domain configuration
section, that is, in a section called “[domain/NAME]”
min_id,max_id (integer)
UID and GID limits for the domain. If a domain contains an entry
that is outside these limits, it is ignored.
For users, this affects the primary GID limit. The user will not be
returned to NSS if either the UID or the primary GID is outside the
range. For non-primary group memberships, those that are in range
will be reported as expected.
Default: 1 for min_id, 0 (no limit) for max_id
enumerate (bool)
Determines if a domain can be enumerated. This parameter can have
one of the following values:
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
Default: FALSE
Note: Enabling enumeration has a moderate performance impact on
SSSD while enumeration is running. It may take up to several
minutes after SSSD startup to fully complete enumerations. During
this time, individual requests for information will go directly to
LDAP, though it may be slow, due to the heavy enumeration
processing. Saving a large number of entries to cache after the
enumeration completes might also be CPU intensive as the
memberships have to be recomputed.
While the first enumeration is running, requests for the complete
user or group lists may return no results until it completes.
Further, enabling enumeration may increase the time necessary to
detect network disconnection, as longer timeouts are required to
ensure that enumeration lookups are completed successfully. For
more information, refer to the man pages for the specific
id_provider in use.
For the reasons cited above, enabling enumeration is not
recommended, especially in large environments.
force_timeout (integer)
If a service is not responding to ping checks (see the “timeout”
option), it is first sent the SIGTERM signal that instructs it to
quit gracefully. If the service does not terminate after
“force_timeout” seconds, the monitor will forcibly shut it down by
sending a SIGKILL signal.
Default: 60
entry_cache_timeout (integer)
How many seconds should nss_sss consider entries valid before
asking the backend again
Default: 5400
entry_cache_user_timeout (integer)
How many seconds should nss_sss consider user entries valid before
asking the backend again
Default: entry_cache_timeout
entry_cache_group_timeout (integer)
How many seconds should nss_sss consider group entries valid before
asking the backend again
Default: entry_cache_timeout
entry_cache_netgroup_timeout (integer)
How many seconds should nss_sss consider netgroup entries valid
before asking the backend again
Default: entry_cache_timeout
entry_cache_service_timeout (integer)
How many seconds should nss_sss consider service entries valid
before asking the backend again
Default: entry_cache_timeout
entry_cache_sudo_timeout (integer)
How many seconds should sudo consider rules valid before asking the
backend again
Default: entry_cache_timeout
entry_cache_autofs_timeout (integer)
How many seconds should the autofs service consider automounter
maps valid before asking the backend again
Default: entry_cache_timeout
cache_credentials (bool)
Determines if user credentials are also cached in the local LDB
cache
User credentials are stored in a SHA512 hash, not in plaintext
Default: FALSE
account_cache_expiration (integer)
Number of days entries are left in cache after last successful
login before being removed during a cleanup of the cache. 0 means
keep forever. The value of this parameter must be greater than or
equal to offline_credentials_expiration.
Default: 0 (unlimited)
pwd_expiration_warning (integer)
Display a warning N days before the password expires.
If zero is set, then this filter is not applied, i.e. if the
expiration warning was received from backend server, it will
automatically be displayed.
Please note that the backend server has to provide information
about the expiration time of the password. If this information is
missing, sssd cannot display a warning. Also an auth provider has
to be configured for the backend.
Default: 7 (Kerberos), 0 (LDAP)
id_provider (string)
The identification provider used for the domain. Supported ID
providers are:
“proxy”: Support a legacy NSS provider
“local”: SSSD internal provider for local users
“ldap”: LDAP provider. See sssd-ldap(5) for more information on
configuring LDAP.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more
information on configuring Active Directory.
use_fully_qualified_names (bool)
Use the full name and domain (as formatted by the domain's
full_name_format) as the user's login name reported to NSS.
If set to TRUE, all requests to this domain must use fully
qualified names. For example, if used in LOCAL domain that contains
a "test" user, getent passwd test wouldn't find the user while
getent passwd test@LOCAL would.
Default: FALSE
auth_provider (string)
The authentication provider used for the domain. Supported auth
providers are:
“ldap” for native LDAP authentication. See sssd-ldap(5) for more
information on configuring LDAP.
“krb5” for Kerberos authentication. See sssd-krb5(5) for more
information on configuring Kerberos.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more
information on configuring Active Directory.
“proxy” for relaying authentication to some other PAM target.
“none” disables authentication explicitly.
Default: “id_provider” is used if it is set and can handle
authentication requests.
access_provider (string)
The access control provider used for the domain. There are two
built-in access providers (in addition to any included in installed
backends). Internal special providers are:
“permit” always allow access. It's the only permitted access
provider for a local domain.
“deny” always deny access.
“ldap” for native LDAP authentication. See sssd-ldap(5) for more
information on configuring LDAP.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more
information on configuring Active Directory.
“simple” access control based on access or deny lists. See sssd-
simple(5) for more information on configuring the simple access
module.
Default: “permit”
chpass_provider (string)
The provider which should handle change password operations for the
domain. Supported change password providers are:
“ldap” to change a password stored in a LDAP server. See sssd-
ldap(5) for more information on configuring LDAP.
“krb5” to change the Kerberos password. See sssd-krb5(5) for more
information on configuring Kerberos.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more
information on configuring Active Directory.
“proxy” for relaying password changes to some other PAM target.
“none” disallows password changes explicitly.
Default: “auth_provider” is used if it is set and can handle change
password requests.
sudo_provider (string)
The SUDO provider used for the domain. Supported SUDO providers
are:
“ldap” for rules stored in LDAP. See sssd-ldap(5) for more
information on configuring LDAP.
“none” disables SUDO explicitly.
Default: The value of “id_provider” is used if it is set.
selinux_provider (string)
The provider which should handle loading of selinux settings. Note
that this provider will be called right after access provider ends.
Supported selinux providers are:
“ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
for more information on configuring IPA.
“none” disallows fetching selinux settings explicitly.
Default: “id_provider” is used if it is set and can handle selinux
loading requests.
subdomains_provider (string)
The provider which should handle fetching of subdomains. This value
should be always the same as id_provider. Supported subdomain
providers are:
“ipa” to load a list of subdomains from an IPA server. See sssd-
ipa(5) for more information on configuring IPA.
“none” disallows fetching subdomains explicitly.
Default: The value of “id_provider” is used if it is set.
autofs_provider (string)
The autofs provider used for the domain. Supported autofs providers
are:
“ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
information on configuring LDAP.
“ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
more information on configuring IPA.
“none” disables autofs explicitly.
Default: The value of “id_provider” is used if it is set.
hostid_provider (string)
The provider used for retrieving host identity information.
Supported hostid providers are:
“ipa” to load host identity stored in an IPA server. See sssd-
ipa(5) for more information on configuring IPA.
“none” disables hostid explicitly.
Default: The value of “id_provider” is used if it is set.
re_expression (string)
Regular expression for this domain that describes how to parse the
string containing user name and domain into these components.
Default for the AD and IPA provider:
“(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
which allows three different styles for user names:
· username
· username@domain.name
· domain\username
While the first two correspond to the general default the third one
is introduced to allow easy integration of users from Windows
domains.
Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
"the name is everything up to the “@” sign, the domain everything
after that"
PLEASE NOTE: the support for non-unique named subpatterns is not
available on all platforms (e.g. RHEL5 and SLES10). Only platforms
with libpcre version 7 or higher can support non-unique named
subpatterns.
PLEASE NOTE ALSO: older versions of libpcre only support the Python
syntax (?P<name>) to label subpatterns.
full_name_format (string)
A printf(3)-compatible format that describes how to translate a
(name, domain) tuple for this domain into a fully qualified name.
Default: “%1$s@%2$s”.
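Added example, not part of the SSSD man page or source: the two default re_expression patterns and the default full_name_format applied to constructed login strings in Python. Python's re module rejects non-unique named subpatterns, so the AD/IPA pattern is adapted with numbered group names; requiring the pattern to cover the whole input, and the helper names, are assumptions of this example.

```python
import re

# Default pattern quoted from this page.
DEFAULT_RE = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"

# AD/IPA default from this page, adapted: Python's re module does not accept
# non-unique named subpatterns, so each alternative gets numbered group names
# (name1, domain1, ...) that parse_name() folds back into name/domain.
AD_IPA_RE = (
    r"(((?P<domain1>[^\\]+)\\(?P<name1>.+$))"
    r"|((?P<name2>[^@]+)@(?P<domain2>.+$))"
    r"|(^(?P<name3>[^@\\]+)$))"
)


def parse_name(raw, pattern=DEFAULT_RE, default_domain_suffix=None):
    """Split a login string into (name, domain); None if it does not parse.

    Assumption of this example: the pattern must cover the whole input.
    """
    match = re.fullmatch(pattern, raw)
    if match is None:
        return None
    parts = {"name": None, "domain": None}
    for group, value in match.groupdict().items():
        if value:  # unused alternatives are None, an absent domain is ""
            parts[group.rstrip("0123456789")] = value
    if parts["name"] is None:
        return None
    # A name without a domain component takes default_domain_suffix, if set.
    return parts["name"], parts["domain"] or default_domain_suffix


def format_fqname(fmt, name, domain):
    """Expand the %1$s / %2$s positional conversions of full_name_format."""
    args = {"1": name, "2": domain}

    def expand(match):
        return "%" if match.group(0) == "%%" else args[match.group(1)]

    return re.sub(r"%%|%([12])\$s", expand, fmt)


def normalise(raw, pattern=DEFAULT_RE, fmt="%1$s@%2$s",
              default_domain_suffix=None):
    """Parse a login string and re-emit it as a fully qualified name."""
    parsed = parse_name(raw, pattern, default_domain_suffix)
    if parsed is None or parsed[1] is None:
        return None
    return format_fqname(fmt, *parsed)


if __name__ == "__main__":
    # Constructed inputs; the last two show where the name styles collide.
    for raw in ("alice", "alice@example.com", r"EXAMPLE\alice",
                r"EXAMPLE\alice@example.com", "alice@a@b"):
        print(repr(raw), parse_name(raw, AD_IPA_RE), parse_name(raw))
```

With the AD/IPA pattern, `EXAMPLE\alice@example.com` parses as name `alice@example.com` in domain `EXAMPLE` because the backslash alternative is tried first, while the general default reads `EXAMPLE\alice` as a bare name with no domain.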
lookup_family_order (string)
Provides the ability to select preferred address family to use when
performing DNS lookups.
Supported values:
ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
Default: ipv4_first
dns_resolver_timeout (integer)
Defines the amount of time (in seconds) to wait for a reply from
the DNS resolver before assuming that it is unreachable. If this
timeout is reached, the domain will continue to operate in offline
mode.
Default: 5
dns_discovery_domain (string)
If service discovery is used in the back end, specifies the domain
part of the service discovery DNS query.
Default: Use the domain part of the machine's hostname
override_gid (integer)
Override the primary GID value with the one specified.
case_sensitive (boolean)
Treat user and group names as case sensitive. At the moment, this
option is not supported in the local provider.
Default: True
proxy_fast_alias (boolean)
When a user or group is looked up by name in the proxy provider, a
second lookup by ID is performed to "canonicalize" the name in case
the requested name was an alias. Setting this option to true would
cause the SSSD to perform the ID lookup from cache for performance
reasons.
Default: false
subdomain_homedir (string)
Use this homedir as default value for all subdomains within this
domain. See override_homedir for info about possible values.
The value can be overridden by override_homedir option.
Default: /home/%d/%u
Options valid for proxy domains.
proxy_pam_target (string)
The proxy target PAM proxies to.
Default: not set. You have to take an existing PAM configuration or
create a new one and add the service name here.
proxy_lib_name (string)
The name of the NSS library to use in proxy domains. The NSS
functions searched for in the library are in the form of
_nss_$(libName)_$(function), for example _nss_files_getpwent.
The local domain section
This section contains settings for a domain that stores users and groups
in the SSSD native database, that is, a domain that uses id_provider=local.
Section parameters
default_shell (string)
The default shell for users created with SSSD userspace tools.
Default: /bin/bash
base_directory (string)
The tools append the login name to base_directory and use that as
the home directory.
Default: /home
create_homedir (bool)
Indicate if a home directory should be created by default for new
users. Can be overridden on command line.
Default: TRUE
remove_homedir (bool)
Indicate if a home directory should be removed by default for
deleted users. Can be overridden on command line.
Default: TRUE
homedir_umask (integer)
Used by sss_useradd(8) to specify the default permissions on a
newly created home directory.
Default: 077
skel_dir (string)
The skeleton directory, which contains files and directories to be
copied in the user's home directory, when the home directory is
created by sss_useradd(8)
Default: /etc/skel
mail_dir (string)
The mail spool directory. This is needed to manipulate the mailbox
when its corresponding user account is modified or deleted. If not
specified, a default value is used.
Default: /var/mail
userdel_cmd (string)
The command that is run after a user is removed. The command is
passed the username of the user being removed as the first and only
parameter. The return code of the command is not taken into
account.
Default: None, no command is run
EXAMPLE
The following example shows a typical SSSD config. It does not describe
configuration of the domains themselves - refer to documentation on
configuring domains for more details.
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true
min_id = 10000
max_id = 20000
enumerate = False
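Added example, not part of the SSSD man page or tooling: a Python review script that applies rules stated on this page (file ownership and mode, no inline comments, at least one configured domain, account_cache_expiration versus offline_credentials_expiration, and the unlimited defaults for offline logins) to a constructed config. The finding codes, function names, the requirement that every listed domain has a [domain/NAME] section, and treating an account_cache_expiration of 0 as never too small are assumptions of this example.

```python
import configparser
import stat

# Constructed sample (not from the page): two domains listed, one section
# missing, an inline comment, and cache settings that conflict.
SAMPLE = """\
[sssd]
domains = LDAP, CORP
services = nss, pam
config_file_version = 2

[pam]
offline_credentials_expiration = 3

[domain/LDAP]
id_provider = ldap
cache_credentials = true
account_cache_expiration = 1
min_id = 10000 ; local accounts stay below this
enumerate = True
"""


def check_file_stat(mode, uid):
    """Apply the file rule to st_mode and st_uid as returned by os.stat()."""
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not-regular-file")
    if uid != 0:
        problems.append("not-owned-by-root")
    if mode & 0o077:
        problems.append("group-or-other-access")
    return problems


def _int(options, key):
    """Integer option; 0 (the documented default here) if absent or unparsable."""
    try:
        return int(options.get(key, "0"))
    except ValueError:
        return 0


def _true(options, key):
    return options.get(key, "false").strip().lower() == "true"


def audit(text):
    """Return (code, section, option) findings for an sssd.conf given as text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    findings = []

    # Inline comments are not supported, so "value ; note" is all value.
    for section in cp.sections():
        for key, value in cp[section].items():
            if " #" in value or " ;" in value:
                findings.append(("inline-comment", section, key))

    sssd = cp["sssd"] if cp.has_section("sssd") else {}
    pam = cp["pam"] if cp.has_section("pam") else {}
    domains = [d.strip() for d in sssd.get("domains", "").split(",") if d.strip()]
    if not domains:
        findings.append(("no-domains", "sssd", "domains"))
    offline_days = _int(pam, "offline_credentials_expiration")
    offline_tries = _int(pam, "offline_failed_login_attempts")

    for name in domains:
        section = "domain/" + name
        if not cp.has_section(section):
            findings.append(("missing-domain-section", section, "domains"))
            continue
        dom = cp[section]
        if _true(dom, "enumerate"):
            findings.append(("enumerate-enabled", section, "enumerate"))
        keep_days = _int(dom, "account_cache_expiration")
        # 0 means "keep forever", so only a positive value can be too small.
        if 0 < keep_days < offline_days:
            findings.append(("cache-shorter-than-offline-window", section,
                             "account_cache_expiration"))
        if _true(dom, "cache_credentials"):
            if offline_days == 0:
                findings.append(("offline-login-never-expires", section,
                                 "offline_credentials_expiration"))
            if offline_tries == 0:
                findings.append(("offline-guesses-unlimited", section,
                                 "offline_failed_login_attempts"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Run against the EXAMPLE config above, the same checks report that cached logins never expire offline and that offline failed attempts are unlimited, because cache_credentials is true while both [pam] limits are left at their default of 0.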
SEE ALSO
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sss_cache(8), sss_debuglevel(8),
sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8),
sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
sss_ssh_knowhostsproxy(8), pam_sss(8).
AUTHORS
The SSSD upstream - http://fedorahosted.org/sssd
SSSD 05/28/2013 SSSD.CONF(5)