authselect / authselect Goto Github PK

Select authentication and identity profile to use on the system.

License: GNU General Public License v3.0


authselect's Issues

authconfig compat layer

Since the primary reason to introduce authselect is to obsolete authconfig, we need to provide a compat layer with at least the most common features so that admins' scripts keep working.

Authselect conflicts with Atomic model

Right now in Atomic Host/Workstation, we're using nss-altfiles to be compatible with the Atomic model of baked configs in /usr and user configurations in /etc. We do this by injecting an altfiles entry in nsswitch.conf at compose time. (See e.g. http://ostree.readthedocs.io/en/latest/manual/adapting-existing/#usrlibpasswd and coreos/rpm-ostree#49).

In combination, this is causing issues right now in f28/rawhide where authselect is starting to get pulled in as a dep to e.g. fprintd. The new authselect module in Anaconda then overwrites the nsswitch.conf.

One idea is to add a new e.g. 'with-altfiles' feature that Anaconda can pass along for Atomic kickstart templates? Does that make sense? One annoyance is that this is likely to change in the future again, so it's just more churn. Though on the plus side, this does seem cleaner than hacking nsswitch.conf at compose time.

Write configuration to temporary files first

Currently, authselect overwrites existing configuration files one by one. We should write all configuration to temporary files first and then rename them so we do not break existing configuration in case of failure.
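One way to implement the stage-then-rename approach described in this issue, as an added example written for this page (not authselect's own code): every target is written to a temporary file in its own directory and fsync'd, and only when all of them are complete is each one renamed over its destination with os.replace(), so a failure while staging leaves the live files untouched.

```python
"""Stage-then-rename installation of a set of configuration files (added example
for this issue, not authselect's code).  Every target is first written to a temp
file in its own directory and fsync'd; only when all are complete is each one
renamed over its destination with os.replace(), which is atomic on POSIX, so a
failure while staging leaves the live files untouched."""
import os
import tempfile

def install_config(files):
    """files: {dest_path: bytes}.  Stage all, then commit all; undo staging on error."""
    staged = []
    try:
        for dest, data in files.items():
            dirname = os.path.dirname(os.path.abspath(dest))
            # The temp file lives in the destination directory so the final rename
            # never crosses a filesystem; mkstemp also fails early (before any
            # live file is touched) if that directory is missing or unwritable.
            fd, tmp = tempfile.mkstemp(prefix=".authselect-tmp-", dir=dirname)
            staged.append((tmp, dest))
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
                fh.flush()
                os.fsync(fh.fileno())          # data on disk before the rename
            if os.path.exists(dest):           # keep the mode of the file replaced
                os.chmod(tmp, os.stat(dest).st_mode & 0o777)
            else:
                os.chmod(tmp, 0o644)           # mkstemp creates 0600 by default
    except OSError:
        for tmp, _ in staged:                  # roll back: nothing live was changed
            try:
                os.unlink(tmp)
            except OSError:
                pass
        raise
    for tmp, dest in staged:                   # commit phase: one atomic rename each
        os.replace(tmp, dest)
    return [dest for _, dest in staged]
```

The commit phase is still a sequence of renames, so the set as a whole is not atomic; what the staging phase guarantees is that every target directory is writable and every new file is complete before the first live file changes.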

authselect select fails if the dconf directory does not exist

See:

authselect --trace select --debug=2 sssd                                                       
[info] [authselect_activate] Trying to activate profile [sssd]                                                        
[info] [authselect_profile] Looking up profile [sssd]      
[info] [authselect_profile_open] Profile [sssd] is a default profile                                                  
[info] [authselect_profile] Profile [sssd] found at [/usr/share/authselect/default/sssd]                              
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/README]                                 
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/system-auth]                            
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/password-auth]                          
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/smartcard-auth]                         
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/fingerprint-auth]                       
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/postlogin]                              
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/nsswitch.conf]                          
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/dconf-db]                               
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/dconf-locks]                            
[error] [check_directories] Directory [/etc/dconf/db/distro.d] does not exist, please create it!
[error] [check_directories] Directory [/etc/dconf/db/distro.d/locks] does not exist, please create it!
[error] [authselect_activate] Some directories are not accessible by authselect!
[error] [authselect_activate] Unable to activate profile [sssd] [1]: Operation not permitted
Unable to activate profile [1]: Operation not permitted

This is a minimal docker container, so the directory is not there, but authselect should either own it, require its owner, or not fail.

Create NIS profile

There are still a lot of users using NIS, so we should create an authselect profile for this. The compatibility tool should also write yp.conf and perform the changes that authconfig would do with its NIS-related options.

Consider creating ansible roles

Ansible is a very widely used configuration management tool. It would help the adoption of authselect if we had an ansible role. Eventually it should be upstreamed, but a role living in some contrib/ directory would be a good start.

Add cacertdir_rehash to authselect

Authconfig shipped with a cacertdir_rehash command. This is important for correctly configuring the ldap TLS_CERTDIR, and for a number of other dependencies (python3-lib389 will depend on it).

It would be great to have cacertdir_rehash ported to authselect.

No way to manage hosts in /etc/nsswitch.conf

Authselect wants to own and manage /etc/nsswitch.conf but there is one important database configured in there which is not related to authentication at all -- the hosts database.

Right now, authselect just gives me:

hosts:      files dns myhostname

but if you use systemd-resolved, the recommended configuration is instead:

hosts:       files mymachines resolve [!UNAVAIL=return] dns myhostname

More generally, if the administrator wants to configure DNS resolution at all, they will need to adjust the hosts: line but then authselect complains that the configuration is invalid because it has deviated from the profile.

Maybe authselect needs to be able to ignore (and preserve) the hosts: line in /etc/nsswitch.conf when it's updating it?

pwquality should be activated for local users only

The current authselect profiles include pam_pwquality for all users:

profiles/sssd/password-auth:password    requisite                                    pam_pwquality.so try_first_pass
profiles/sssd/system-auth:password    requisite                                    pam_pwquality.so try_first_pass
profiles/winbind/password-auth:password    requisite                                    pam_pwquality.so try_first_pass
profiles/winbind/system-auth:password    requisite                                    pam_pwquality.so try_first_pass

But we probably should use the local_users_only flag.

add a readme.md

The project, since it's hosted on github, should have a markdown readme with a nice project description, howto etc.

the latest authselect release segfaults

This is in a docker container. I just installed authselect, created the dconf directories to get around issue #30 and then I run:

authselect --trace --debug select sssd                                                                                                                                                                                
[info] [authselect_activate] Trying to activate profile [sssd]                                                                                                                                                                              
[info] [authselect_profile] Looking up profile [sssd]
[info] [authselect_profile_open] Profile [sssd] is a default profile
[info] [authselect_profile] Profile [sssd] found at [/usr/share/authselect/default/sssd]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/README]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/system-auth]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/password-auth]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/smartcard-auth]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/fingerprint-auth]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/postlogin]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/nsswitch.conf]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/dconf-db]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/dconf-locks]
[info] [check_notalink] Checking that file [/etc/pam.d/system-auth] is not an authselect symbolic link [(null)]
Segmentation fault (core dumped) 

/etc/pam.d/system-auth seems to exist:

 stat /etc/pam.d/system-auth                                                                                                                                                                                          
  File: /etc/pam.d/system-auth                                                                                                                                                                                                              
  Size: 760             Blocks: 8          IO Block: 4096   regular file
Device: fd05h/64773d    Inode: 2359423     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)                                                                                                                                                                    
Access: 2017-08-21 14:56:55.000000000 +0000                                                                                                                                                                                                 
Modify: 2017-08-21 14:56:55.000000000 +0000
Change: 2018-01-11 08:39:36.710309787 +0000
 Birth: -

Improve default profiles

The profiles that are currently shipped with authselect should be working but they need lots of improvements to cover more features and functionality.

Print profile requirements

The authselect command should be able to print profile requirements, for example which service needs to be running, what configuration change should be made, etc.

unused parameter --debug

If I run:

authselect select --help

it talks about a --debug=INT option, but that appears to be a noop.

Change of nsswitch.conf ordering breaks system users with override_homedir

I use override_homedir in sssd:

override_homedir = /export/home/%u

With the new "sss files" ordering, this breaks the home directory of system users:

# getent passwd gdm
gdm:x:42:42::/export/home/gdm:/sbin/nologin

instead of

gdm:x:42:42::/var/lib/gdm:/sbin/nologin

What was the reason for the change (commit 5799324)? The commit message doesn't explain.

document authselect exit code

John Florian, from fedora-devel mailing list:

One last thought, how friendly is this going to be with tools like
puppet and ansible? For example, would something like this be doable?

exec { 'authselect select sssd':
  unless => "authselect current | grep -q '^sssd$' && authselect check | grep -q unmodified",
}

The idea being to only run to make a change if needed to keep change
reports tidy. I can't quite tell at this point because:

$ sudo authselect current
No existing configuration detected.

In this sense, it would be helpful if authselect(8) had some details
about exit codes. Also, the "check" command could be more explicit
about what happens with exit codes/output messages when:

  • the config was created by authselect and remains unmodified
  • the config was created by authselect but has since been modified
  • the config hasn't apparently ever been touched by authselect

Maybe another command like "test" command could be ideal for the job if
it did much the same but gave diff output and suitable exit code
indicating spot-on vs. needs-change.

`authconfig --update` unexpectedly resets selected profile

The command is expected to do very little, just updating config to account for changes to external packages, not change the whole auth method!

$ cat /etc/authselect/authselect.conf
nis
$ authconfig --update
...
Executing: /usr/bin/authselect select sssd --force
...
$ cat /etc/authselect/authselect.conf
sssd

What file can be modified, since /etc/pam.d/password-auth should not?

Hello,

I used to make these changes on Fedora to decrypt an encrypted folder on login with GDM, but I noticed on Fedora 28 that the file "/etc/pam.d/password-auth" should not be edited manually. Here is the modification I made:

/etc/pam.d/password-auth

  • At the top of "auth" section add
    auth required pam_mount.so
  • At the bottom of "session" section add
    session optional pam_mount.so

/etc/security/pam_mount.conf.xml
<volume user="yourusername" fstype="fuse" path="encfs#/path/.encrypted" mountpoint="/path/Decrypted" />

Of course I did some research but didn't find anything. So what file can I edit to make it work?
Thank you !

`authselect create-profile --base-on=nis` creates empty file `smartcard-auth`

Profile nis doesn't contain file smartcard-auth.
But if I run
authselect create-profile --base-on=nis --symlink-meta --symlink-dconf --symlink=fingerprint-auth --symlink=postlogin nistest
then it creates an empty file /etc/authselect/custom/nistest/smartcard-auth.

If I run
authselect create-profile --base-on=nis --symlink-meta --symlink-dconf --symlink=fingerprint-auth --symlink=smartcard-auth --symlink=postlogin nistest
then it creates a symbolic link /etc/authselect/custom/nistest/smartcard-auth -> /usr/share/authselect/default/nis/smartcard-auth which points to a nonexistent file.

Is this behavior intended?

dconf dependency

It seems that the package built from this repo is missing a dependency on dconf. After 'dnf install dconf' it kind of works, but before that it was throwing an error:
$ sudo authselect select sssd
$ sh: /usr/bin/dconf: No such file or directory

This is breaking the scripts calling authselect.

Move custom profiles to /etc

Having administrator custom profiles under /usr is not very correct, since that is the place where only packages should place data. We should move them to /etc or optionally to /usr/local.

Give packages way to modify nsswitch.conf

Authselect has the ability to perform nsswitch.conf modifications that are allowed by profiles. Existing nsswitch modules packages usually manually parse and modify nsswitch.conf during installation. Authselect should provide a way for these packages to perform the modification.

To make this feature really useful, we need to ensure that:

  • when the system is configured by authselect, the changes are reflected in /etc/authselect/user-nsswitch.conf
  • when the system is not configured by authselect, the changes are written to both /etc/nsswitch.conf (so they affect the current configuration) and /etc/authselect/user-nsswitch.conf (so they affect a possible future authselect configuration)

sssd password-auth and system-auth profile behavior not as expected

We are testing the SSSD auth profiles in this repo due to RedHat mentioning in the 7.4 release notes that authselect will replace authconfig. We found that the configuration of the SSSD profiles password-auth and system-auth on lines 4 to 9 did not work as expected.

https://github.com/pbrezina/authselect/blob/d034782d2df9d9b64bb03096229f64ddae0f2166/profiles/sssd/password-auth#L4-L9

and...

https://github.com/pbrezina/authselect/blob/d034782d2df9d9b64bb03096229f64ddae0f2166/profiles/sssd/system-auth#L4-L9

The behavior expected is that (starting from line 4)...

  1. Users with a UID less than 1000 will not be allowed to login and will return a failed authentication result immediately to the calling application if the condition is met
  2. Check if the user is a local user, if they are not a local user skip pam_faillock and pam_unix and try pam_sss

The reason we want to skip faillock for non-local users is to let SSSD's auth_provider handle lockouts. The benefit of this is that we can manage unlocking accounts centrally, for example using Active Directory.

The following example configuration would match our expected behavior...

auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        [default=2 ignore=ignore success=ok]         pam_localuser.so
auth        requisite                                    pam_faillock.so preauth audit deny=3 unlock_time=900
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        sufficient                                   pam_sss.so forward_pass
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200

Or it should look very similar to how this RedHat article recommends to configure PAM: How to setup account lockout policy using pam_faillock when system is an LDAP client?

The behavior we are experiencing using this project's SSSD password-auth and system-auth profile is that (starting from line 4)...

  1. Users with a UID less than 1000 are able to login because the first pam_succeed_if does not fail the authentication immediately and the second pam_succeed_if will never run if pam_unix is successful due to the sufficient control field

sufficient - If the module succeeds the PAM framework returns success to the application immediately without trying any other modules. - https://linux.die.net/man/5/pam.conf

  2. pam_faillock is run for non-local users due to the check pam_localuser not skipping pam_faillock. This can be a confusing problem because users logging in with their Active Directory account would expect to get locked out from the directory service, not locally on the server

Is there any document that details the rationale behind the selected PAM configuration that I may read so I can get an understanding of what it is trying to accomplish? Thanks!
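A way to check what this control flow actually does, as an added example written for this page (not authselect or Linux-PAM code): a small Python model of libpam's stack dispatch, run over the seven proposed lines. Module outcomes are simulated from a constructed user record, and pam_faillock's authfail action is assumed to return PAM_IGNORE after recording the failure. The model reproduces the two intended effects (a UID below 1000 is refused by the requisite line; non-local users never reach pam_faillock) and also shows why such a stack is conventionally closed with pam_deny.so: once pam_succeed_if has recorded a success, the remaining sufficient modules failing leaves that success as the stack's verdict.

```python
"""Toy model of Linux-PAM auth-stack dispatch, constructed for this issue (not authselect
or Linux-PAM code). Module results come from a user record, not real credentials."""
import re
KEYWORDS = {  # keyword controls as the bracketed actions pam.conf(5) defines for them
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
}
LINE = re.compile(r"^auth\s+(\[[^\]]+\]|\w+)\s+(\S+)\s*(.*)$")
PROPOSED = """\
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth [default=2 ignore=ignore success=ok] pam_localuser.so
auth requisite pam_faillock.so preauth audit deny=3 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_sss.so forward_pass
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth required pam_faillock.so authfail deny=4 unlock_time=1200
"""
WITH_DENY = PROPOSED + "auth required pam_deny.so\n"   # fail-closed terminator

def parse(stack):
    """Yield (actions, module, args) per auth line; keywords become bracket specs."""
    for m in filter(None, map(LINE.match, stack.splitlines())):
        ctl, module, args = m.groups()
        spec = KEYWORDS.get(ctl, ctl.strip("[]"))
        yield dict(kv.split("=") for kv in spec.split()), module, args.split()

def simulate_module(module, args, user):
    """Simulated result: 'success', 'auth_err', 'user_unknown' or 'ignore'."""
    if module == "pam_succeed_if.so":            # only 'uid >= N' is modelled
        return "success" if user["uid"] >= int(args[2]) else "auth_err"
    if module == "pam_localuser.so":
        return "success" if user["local"] else "user_unknown"
    if module == "pam_faillock.so":              # preauth passes (not locked out);
        if "authfail" in args:                   # authfail records the failure and
            user["tally"] = user.get("tally", 0) + 1   # is assumed to return PAM_IGNORE
        return "ignore" if "authfail" in args else "success"
    if module == "pam_deny.so":
        return "auth_err"
    local = module == "pam_unix.so"              # pam_unix vs. pam_sss backends
    return "success" if user["local"] == local and user["pw_ok"] else "auth_err"

def run_stack(stack, user):
    """Walk the stack like libpam's dispatcher; return (result, modules run)."""
    entries, ran, i = list(parse(stack)), [], 0
    impression, status = None, "perm_denied"     # nothing has voted yet
    while i < len(entries):
        actions, module, args = entries[i]
        ran.append((module, args[0] if args else ""))
        ret = simulate_module(module, args, user)
        action = actions.get(ret, actions["default"])
        i += 1
        if action in ("ok", "done"):
            if impression is None and ret == "success":
                impression, status = "positive", "success"
            elif impression == "positive" and status == "success" and ret != "ignore":
                status = ret                     # a later non-success downgrades
            if action == "done" and impression == "positive":
                return status, ran               # sufficient: decision made
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                return status, ran               # requisite: abort the stack
        elif action.isdigit():
            i += int(action)                     # skip the next N modules
    return status, ran                           # end of stack; "ignore" never counts
```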

make distcheck doesn't work

make[2]: Leaving directory '/home/remote/jhrozek/devel/authselect/obj/authselect-0.1/_build/sub/src/lib'
Making distclean in src/cli
make[2]: Entering directory '/home/remote/jhrozek/devel/authselect/obj/authselect-0.1/_build/sub/src/cli'
Makefile:464: ../common/.deps/debug.Po: No such file or directory
Makefile:465: ../common/.deps/malloc.Po: No such file or directory
make[2]: *** No rule to make target '../common/.deps/malloc.Po'.  Stop.
make[2]: Leaving directory '/home/remote/jhrozek/devel/authselect/obj/authselect-0.1/_build/sub/src/cli'
Makefile:502: recipe for target 'distclean-recursive' failed
make[1]: *** [distclean-recursive] Error 1
make[1]: Leaving directory '/home/remote/jhrozek/devel/authselect/obj/authselect-0.1/_build/sub'
Makefile:708: recipe for target 'distcheck' failed
make: *** [distcheck] Error 1

use travis-ci

In order to avoid breaking master with every commit, we should have a CI that will automatically gate every PR with make, make distcheck, make check, etc.

We can use travis-ci for free for that.

error messages should be printed by default

Without debug enabled, authselect is unhelpful:

Unable to activate profile [22]: Invalid argument

Enabling debug works better:

sudo authselect --debug select sssd
[error] [authselect_check_symlinks_presence] File [/etc/pam.d/system-auth] exist but it needs to be overwritten!
[error] [authselect_check_symlinks_presence] File [/etc/pam.d/password-auth] exist but it needs to be overwritten!
[error] [authselect_check_symlinks_presence] File [/etc/pam.d/fingerprint-auth] exist but it needs to be overwritten!
[error] [authselect_check_symlinks_presence] File [/etc/pam.d/smartcard-auth] exist but it needs to be overwritten!
[error] [authselect_activate] File that needs to be overwritten was found and no overwrite options was specified.
[error] [authselect_activate] Unable to activate profile [22]: Invalid argument
Unable to activate profile [22]: Invalid argument

The other thing is that the messages should tell me that I can force the selection.
