authselect / authselect
Select authentication and identity profile to use on the system.
License: GNU General Public License v3.0
Create Zanata API hooks to automate project translation.
Since the primary reason to introduce authselect is to obsolete authconfig, we need to provide a compat layer with at least the most common features so that admins' scripts keep working.
Bump soname before release.
Right now in Atomic Host/Workstation, we're using nss-altfiles to be compatible with the Atomic model of baked configs in /usr and user configurations in /etc. We do this by injecting an altfiles entry in nsswitch.conf at compose time. (See e.g. http://ostree.readthedocs.io/en/latest/manual/adapting-existing/#usrlibpasswd and coreos/rpm-ostree#49).
In combination, this is causing issues right now in f28/rawhide where authselect is starting to get pulled in as a dep to e.g. fprintd. The new authselect module in Anaconda then overwrites the nsswitch.conf.
One idea is to add a new e.g. 'with-altfiles' feature that Anaconda can pass along for Atomic kickstart templates? Does that make sense? One annoyance is that this is likely to change in the future again, so it's just more churn. Though on the plus side, this does seem cleaner than hacking nsswitch.conf at compose time.
If sssd profile with smartcard support is selected, system-auth stack won't authenticate local users through smartcard. This needs work also on sssd side, tracked by:
Currently, authselect overwrites existing configuration files one by one. We should write all configuration to temporary files first and then rename them so we do not break existing configuration in case of failure.
See:
authselect --trace select --debug=2 sssd
[info] [authselect_activate] Trying to activate profile [sssd]
[info] [authselect_profile] Looking up profile [sssd]
[info] [authselect_profile_open] Profile [sssd] is a default profile
[info] [authselect_profile] Profile [sssd] found at [/usr/share/authselect/default/sssd]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/README]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/system-auth]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/password-auth]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/smartcard-auth]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/fingerprint-auth]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/postlogin]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/nsswitch.conf]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/dconf-db]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/dconf-locks]
[error] [check_directories] Directory [/etc/dconf/db/distro.d] does not exist, please create it!
[error] [check_directories] Directory [/etc/dconf/db/distro.d/locks] does not exist, please create it!
[error] [authselect_activate] Some directories are not accessible by authselect!
[error] [authselect_activate] Unable to activate profile [sssd] [1]: Operation not permitted
Unable to activate profile [1]: Operation not permitted
This is a minimal docker container, so the directory is not there, but authselect should either own it, require its owner or not fail.
There are still lot of users using NIS, we should create an authselect profile for this. Compatibility tool should also write yp.conf and perform changes that authconfig would do with its NIS-related options.
NIS profile does not set all nsswitch maps supported by NIS (which is pretty much everything).
Ansible is a very widely used configuration management tool. It would help the adoption of authselect if we had an ansible role. Eventually it should be upstreamed, but a role living in some contrib/ directory would be a good start.
Authconfig shipped with a cacertdir_rehash command. This is important for correctly configuring the ldap TLS_CERTDIR, and for a number of other dependencies (python3-lib389 will depend on it).
It would be great to have cacertdir_rehash ported to authselect,
Create a backup of original files before changing them and provide a rollback mechanism in case of a failure.
I learned about authselect from this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1577243
I would like to have nss-mdns stop editing nsswitch.conf directly in Fedora. Does authselect provide a mechanism to allow for this? Could I make nss-mdns depend on authselect?
Authselect wants to own and manage /etc/nsswitch.conf but there is one important database configured in there which is not related to authentication at all -- the hosts database.
Right now, authselect just gives me:
hosts: files dns myhostname
but if you use systemd-resolved, the recommended configuration is instead:
hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
More generally, if the administrator wants to configure DNS resolution at all, they will need to adjust the hosts: line but then authselect complains that the configuration is invalid because it has deviated from the profile.
Maybe authselect needs to be able to ignore (and preserve) the hosts: line in /etc/nsswitch.conf when it's updating it?
The current authselect profiles include pam_pwquality for all users:
profiles/sssd/password-auth:password requisite pam_pwquality.so try_first_pass
profiles/sssd/system-auth:password requisite pam_pwquality.so try_first_pass
profiles/winbind/password-auth:password requisite pam_pwquality.so try_first_pass
profiles/winbind/system-auth:password requisite pam_pwquality.so try_first_pass
But we probably should use the local_users_only flag.
The project, since it's hosted on github, should have a markdown readme with a nice project description, howto etc.
Spec file may call authselect enable-feature command in order to enable with-sudo. If this command fails we do not want to print any output.
This is in a docker container. I just installed authselect, created the dconf directories to get around issue #30 and then I run:
authselect --trace --debug select sssd
[info] [authselect_activate] Trying to activate profile [sssd]
[info] [authselect_profile] Looking up profile [sssd]
[info] [authselect_profile_open] Profile [sssd] is a default profile
[info] [authselect_profile] Profile [sssd] found at [/usr/share/authselect/default/sssd]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/README]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/system-auth]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/password-auth]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/smartcard-auth]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/fingerprint-auth]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/postlogin]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/nsswitch.conf]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/dconf-db]
[info] [read_textfile_dirfd] Reading file [/usr/share/authselect/default/sssd/dconf-locks]
[info] [check_notalink] Checking that file [/etc/pam.d/system-auth] is not an authselect symbolic link [(null)]
Segmentation fault (core dumped)
/etc/pam.d/system-auth seems to exist:
stat /etc/pam.d/system-auth
File: /etc/pam.d/system-auth
Size: 760 Blocks: 8 IO Block: 4096 regular file
Device: fd05h/64773d Inode: 2359423 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2017-08-21 14:56:55.000000000 +0000
Modify: 2017-08-21 14:56:55.000000000 +0000
Change: 2018-01-11 08:39:36.710309787 +0000
Birth: -
My hands hurt from typing.
pwquality related options are not currently supported but we should implement them.
The profiles that are currently shipped with authselect should be working but they need lots of improvements to cover more features and functionality.
Current documentation is not in the final state. We need to improve it.
that's the default on fedora since f-26 anyway..
https://github.com/pbrezina/authselect/blob/8ee9fb9a9362bfa48bbb88cd1dda4cd8f3b3ed29/src/lib/util/file.c#L58 doesn't look right, same data for wrong and expected? Maybe
name, (statbuf->st_mode & S_IFMT), exp_type);
?
(Not that I have even compiled the code, I was just translating strings)
Authselect command should be able to print profile requirements. For example what service needs to be running, what configuration change should be done, etc.
If /etc/sysconfig/authconfig does not exist, the system is already configured with authselect, and the authselect profile cannot be determined from the given authconfig options, we should not change the current authselect profile.
I'm not sure if this belongs to the upstream project, but I think we should work with the Fedora glibc maintainers and make authselect own the nsswitch.conf file instead of glibc.
If I run:
authselect select --help
it talks about a --debug=INT option, but that appears to be a noop.
I use override_homedir in sssd:
override_homedir = /export/home/%u
With the new "sss files" ordering, this breaks the home directory of system users:
# getent passwd gdm
gdm:x:42:42::/export/home/gdm:/sbin/nologin
instead of
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
What was the reason for the change (commit 5799324)? The commit message doesn't explain.
John Florian, from fedora-devel mailing list:
One last thought, how friendly is this going to be with tools like puppet and ansible? For example, would something like this be doable?
exec { 'authselect select sssd':
  unless => "authselect current | grep -q '^sssd$' && authselect check | grep -q unmodified"
}
The idea being to only run to make a change if needed to keep change reports tidy. I can't quite tell at this point because:
$ sudo authselect current
No existing configuration detected.
In this sense, it would be helpful if authselect(8) had some details about exit codes. Also, the "check" command could be more explicit about what happens with exit codes/output messages when:
Maybe another command like "test" command could be ideal for the job if it did much the same but gave diff output and suitable exit code indicating spot-on vs. needs-change.
For example:
authselect enable-feature with-fingerprint
authselect disable-feature with-fingerprint
If such feature does not exist within a profile, it will be a noop.
Provide an equivalent to --enablerequiresmartcard and --smartcardaction authconfig options.
Because authselect is Linux-specific, we can make use of attribute cleanup instead of cleaning up manually like it's the 80s.
This could be done e.g. for tmpfiles, memory etc.
This module is present in default Fedora nsswitch.conf and we should include it in our profiles as well.
I noticed a potential syntax error in the sssd smartcard-auth profile where there is an erroneous additional ? on line 1.
The command is expected to do very little, just updating config to account for changes to external packages, not change the whole auth method!
$ cat /etc/authselect/authselect.conf
nis
$ authconfig --update
...
Executing: /usr/bin/authselect select sssd --force
...
$ cat /etc/authselect/authselect.conf
sssd
Hello,
I used to make these changes on Fedora to decrypt an encrypted folder on login with GDM, but I noticed on Fedora 28 that the file "/etc/pam.d/password-auth" should not be edited manually. Here is the modification I made:
/etc/pam.d/password-auth
auth required pam_mount.so
session optional pam_mount.so
/etc/security/pam_mount.conf.xml
<volume user="yourusername" fstype="fuse" path="encfs#/path/.encrypted" mountpoint="/path/Decrypted" />
Of course I did some research but didn't find anything. So what file can I edit to make it work?
Thank you!
Profile nis doesn't contain file smartcard-auth.
But if I run
authselect create-profile --base-on=nis --symlink-meta --symlink-dconf --symlink=fingerprint-auth --symlink=postlogin nistest
then it creates an empty file /etc/authselect/custom/nistest/smartcard-auth.
If I run
authselect create-profile --base-on=nis --symlink-meta --symlink-dconf --symlink=fingerprint-auth --symlink=smartcard-auth --symlink=postlogin nistest
then it creates a symbolic link /etc/authselect/custom/nistest/smartcard-auth -> /usr/share/authselect/default/nis/smartcard-auth which points to a nonexistent file.
Is this behavior intended?
It seems that the package built from this repo is missing a dependency on dconf. After 'dnf install dconf' it kind of works, but before it was throwing an error:
$ sudo authselect select sssd
$ sh: /usr/bin/dconf: No such file or directory
This is breaking the scripts calling authselect.
Having administrator custom profiles under /usr is not very correct since it is the place where only packages should place data. We should move it in /etc or optionally in /usr/local.
Authselect has the ability to perform nsswitch.conf modifications that are allowed by profiles. Existing nsswitch modules packages usually manually parse and modify nsswitch.conf during installation. Authselect should provide a way for these packages to perform the modification.
To make this feature really useful, we need to ensure that:
/etc/authselect/user-nsswitch.conf
/etc/nsswitch.conf
(so they affect current configuration) and /etc/authselect/user-nsswitch.conf (so they affect possible future authselect configuration)
We should provide some simple cli interface to create a new custom profile based on an existing profile.
pwquality.conf must not contain options without value.
We are testing the SSSD auth profiles in this repo due to RedHat mentioning in the 7.4 release notes that authselect will replace authconfig. We found that the configuration of the SSSD profiles password-auth and system-auth on lines 4 to 9 did not work as expected.
and...
1000 will not be allowed to login and will return a failed authentication result immediately to the calling application if the condition is met.
pam_faillock and pam_unix and try pam_sss
The reason we want to skip faillock for non-local users is to let SSSD's auth_provider handle lockouts. The benefit of this is we can manage unlocking accounts centrally, for example using Active Directory.
The following example configuration would match our expected behavior...
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth [default=2 ignore=ignore success=ok] pam_localuser.so
auth requisite pam_faillock.so preauth audit deny=3 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_sss.so forward_pass
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth required pam_faillock.so authfail deny=4 unlock_time=1200
Or it should look very similar to how this RedHat article recommends to configure PAM: How to setup account lockout policy using pam_faillock when system is an LDAP client?
password-auth and system-auth profile is that (starting from line 4)...
1000 are able to login because the first pam_succeed_if does not fail the authentication immediately and the second pam_succeed_if will never run if pam_unix is successful due to the sufficient control field.
sufficient - If the module succeeds the PAM framework returns success to the application immediately without trying any other modules. - https://linux.die.net/man/5/pam.conf
pam_faillock is run for non-local users due to the check pam_localuser not skipping pam_faillock. This can be a confusing problem because users logging in with their Active Directory account would expect to get locked out from the directory service, not locally on the server.
Is there any document that details the rationale behind the selected PAM configuration that I may read so I can get an understanding of what it is trying to accomplish? Thanks!
make[2]: Leaving directory '/home/remote/jhrozek/devel/authselect/obj/authselect-0.1/_build/sub/src/lib'
Making distclean in src/cli
make[2]: Entering directory '/home/remote/jhrozek/devel/authselect/obj/authselect-0.1/_build/sub/src/cli'
Makefile:464: ../common/.deps/debug.Po: No such file or directory
Makefile:465: ../common/.deps/malloc.Po: No such file or directory
make[2]: *** No rule to make target '../common/.deps/malloc.Po'. Stop.
make[2]: Leaving directory '/home/remote/jhrozek/devel/authselect/obj/authselect-0.1/_build/sub/src/cli'
Makefile:502: recipe for target 'distclean-recursive' failed
make[1]: *** [distclean-recursive] Error 1
make[1]: Leaving directory '/home/remote/jhrozek/devel/authselect/obj/authselect-0.1/_build/sub'
Makefile:708: recipe for target 'distcheck' failed
make: *** [distcheck] Error 1
The standard way to provide hints to users of a devel package is through a pkg-config file. This is not urgent unless we want to support the devel package API.
In order to avoid breaking master with every commit, we should have a CI that will automatically gate every PR with a make, make distcheck, make check etc.
We can use travis-ci for free for that.
Without debug enabled, authselect is unhelpful:
Unable to activate profile [22]: Invalid argument
Enabling debug works better:
sudo authselect --debug select sssd
[error] [authselect_check_symlinks_presence] File [/etc/pam.d/system-auth] exist but it needs to be overwritten!
[error] [authselect_check_symlinks_presence] File [/etc/pam.d/password-auth] exist but it needs to be overwritten!
[error] [authselect_check_symlinks_presence] File [/etc/pam.d/fingerprint-auth] exist but it needs to be overwritten!
[error] [authselect_check_symlinks_presence] File [/etc/pam.d/smartcard-auth] exist but it needs to be overwritten!
[error] [authselect_activate] File that needs to be overwritten was found and no overwrite options was specified.
[error] [authselect_activate] Unable to activate profile [22]: Invalid argument
Unable to activate profile [22]: Invalid argument
The other thing is that the messages should tell me that I can force the selection.