Bug 1628144 - [RFE] authselect profile nis enhancements (pwquality, nis password, nsswitch.conf)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: authselect
Version: 28
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Pavel Březina
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1628493
Reported: 2018-09-12 11:15 UTC by Edgar Hoch
Modified: 2018-12-14 01:05 UTC

Fixed In Version: authselect-1.0.1-2.fc28 authselect-1.0.1-2.fc29
Clone Of:
Clones: 1628493
Environment:
Last Closed: 2018-10-01 02:47:34 UTC
Type: Bug
Embargoed:

Description Edgar Hoch 2018-09-12 11:15:57 UTC
Description of problem:
I suggest the following changes to authselect profile nis (see also bug 1626067#c10):

Files password-auth and system-auth:

- We should remove "local_users_only" from the password pam_pwquality.so entry, because password quality should also be applied to nis passwords, since nis (yppasswdd) doesn't check passwords for quality. The option "local_users_only" may be useful for FreeIPA, which does its own checks, but not for nis.

password    requisite                                    pam_pwquality.so try_first_pass

Admins may add files to /etc/security/pwquality.conf.d/ to modify pwquality parameters.


- We should add "nis" to password pam_unix.so, so passwords in nis can be changed with the "passwd" command (and not (only) with yppasswd, which doesn't use pwquality).

> password    sufficient                                   pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok


- nis supports more services than currently in nsswitch.conf of profile nis. I use the following changes:

[root@myhost ~]# diff --ignore-space-change /usr/share/authselect/default/nis/nsswitch.conf /etc/authselect/custom/imsnis/nsswitch.conf
1,2c1
< passwd:     files nis
< group:      files nis
---
> passwd:     files nis systemd
3a3,4
> group:      files nis systemd
> hosts:      files nis mdns4_minimal dns myhostname
6c7,16
< hosts:      files nis dns myhostname
---
> ethers:     files nis
> aliases:    files nis
> netmasks:   files nis
> networks:   files nis
> services:   files
> sudoers:    files
> protocols:  files
> rpc:        files
> # bootparams: files
> # publickey:  files
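Review bot: in the hosts line added by the 3a3,4 hunk, mdns4_minimal sits between nis and dns with no action specifier, so a .local name that multicast DNS does not answer still falls through to unicast dns; comment 13 later proposes "mdns4_minimal [NOTFOUND=return]", which stops that fall-through and is the form worth using here.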



Version-Release number of selected component (if applicable):
authselect-libs-1.0-1.fc28.x86_64

How reproducible:
Always

Comment 2 Pavel Březina 2018-09-13 12:58:40 UTC
I also opened:
* https://github.com/pbrezina/authselect/issues/90

Pull request:
https://github.com/pbrezina/authselect/pull/91

Could you please see the nis profile in this scratch build? Differences can be found in the pull request.
https://koji.fedoraproject.org/koji/taskinfo?taskID=29649507

Comment 3 Edgar Hoch 2018-09-13 16:22:52 UTC
Thanks for the update.

Issue 87, 88, 89 are solved, but there are still some problems:

- sssd doesn't support caching for the hosts map. Because the hosts map is looked up very often, I use nscd for caching nis maps. But sssd and nscd should not run together. I had sssd.service disabled - when I started it, because you had added sss to the passwd and group entries in nsswitch.conf, I got the following message:

NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services]. It is recommended not to run NSCD in parallel with SSSD, unless NSCD is configured not to cache these.

I also tried sssd for caching nis maps in the past, with id_provider=proxy (and other values set for our nis domain), but with no success. It didn't work - nis maps weren't found by the system. So I have disabled sssd and enabled nscd on nis clients.

It also works to have sssd running and nscd disabled, and sssd configured not to cache nis maps (e.g. leave sssd.conf in the default (packaged) configuration). Then the local files passwd and group are cached by sssd, but the nis maps are not cached. But network access to a nis server takes much longer than access to local files in /etc. So for nis clients I prefer nscd instead of sssd.

But then the question is whether it is useful to have sss entries in nsswitch.conf at all.


- In nsswitch.conf the host line does not contain mdns4_minimal.
This means that host names in the .local domain cannot be resolved.
See also bug 1577243.

$ ssh anotherhost.local
ssh: Could not resolve hostname anotherhost.local: Name or service not known


- Not mentioned before, but it may be the time for change:

I am wondering why null passwords are allowed (by default). It is a security risk to allow user accounts without a password. Usually sshd is running, and such accounts can be used by anyone (and any bot) that tries them.

I think it is worth checking whether the option "nullok" can be removed from pam_unix.so:

# grep nullok /usr/share/authselect/default/nis/*
/usr/share/authselect/default/nis/password-auth:auth        sufficient                                   pam_unix.so nullok try_first_pass
/usr/share/authselect/default/nis/password-auth:password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
/usr/share/authselect/default/nis/system-auth:auth        sufficient                                   pam_unix.so nullok try_first_pass
/usr/share/authselect/default/nis/system-auth:password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
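
An added audit script, not authselect's own code, that automates the grep above: it flags nullok on pam_unix.so and local_users_only on pam_pwquality.so in a PAM service file, and reports whether an nsswitch.conf hosts line loads an mdns*_minimal module. The function names and the two sample files are constructed for this example.

```shell
# Added audit helper, not part of authselect: flags the two PAM options this
# bug discusses (nullok on pam_unix.so, local_users_only on pam_pwquality.so)
# and reports whether the nsswitch.conf hosts line loads an mdns*_minimal module.

# Print "<file>:<line>: <finding>" for each risky option in a PAM config file.
audit_pam_file() {
    awk -v f="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        { m = 0; for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { m = i; break } }
        m == 0 { next }                               # no module field: not a rule
        $m == "pam_unix.so" {
            for (i = m + 1; i <= NF; i++) if ($i == "nullok")
                print f ":" NR ": " $1 " pam_unix.so has nullok (empty password accepted)"
        }
        $m == "pam_pwquality.so" {
            for (i = m + 1; i <= NF; i++) if ($i == "local_users_only")
                print f ":" NR ": pam_pwquality.so local_users_only skips NIS users"
        }
    ' "$1"
}

# Print "mdns" if the hosts line loads mdns_minimal/mdns4_minimal/mdns6_minimal,
# otherwise "no-mdns" (.local names then go to unicast DNS and fail to resolve).
nss_hosts_mdns() {
    awk '/^[[:space:]]*hosts:/ { if ($0 ~ /mdns[46]?_minimal/) hit = 1 }
         END { print (hit ? "mdns" : "no-mdns") }' "$1"
}

# Constructed sample files modelled on the stock nis profile (not copied from it).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PAM="$SAMPLE_DIR/system-auth"
SAMPLE_NSS="$SAMPLE_DIR/nsswitch.conf"
cat > "$SAMPLE_PAM" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
password    required      pam_deny.so
EOF
cat > "$SAMPLE_NSS" <<'EOF'
passwd:     files nis systemd
group:      files nis systemd
hosts:      files nis dns myhostname
EOF

audit_pam_file "$SAMPLE_PAM"   # two nullok findings and one local_users_only finding
nss_hosts_mdns "$SAMPLE_NSS"   # prints no-mdns
```

Point audit_pam_file at /etc/pam.d/system-auth and /etc/pam.d/password-auth on a real host to see which of the options survive the selected authselect profile and its features.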

Comment 4 Pavel Březina 2018-09-21 11:14:17 UTC
Thank you for your input, it is highly appreciated. Can you please try this build?
https://koji.fedoraproject.org/koji/taskinfo?taskID=29792066

Changes:
1) I discussed with my colleagues whether it makes sense to have sssd enabled in the nis profile; we decided not to include it. So feel free to disable sssd and use nscd instead for everything.

2) I added lots of options to disable specific lines in the profile's nsswitch. You can use 'authselect select nis with-custom-hosts' and then set your value including mdns in /etc/authselect/user-nsswitch.conf. However, if you have a larger environment I recommend that you stick with a custom profile and propagate it to all your machines.

See: https://github.com/pbrezina/authselect/pull/91/commits/55448dbcd95b1f3097b387976e0ec7d310a1bfc3

3) I added 'without-nullok' feature to disable nullok parameter with pam_unix.

Comment 5 Fedora Update System 2018-09-27 13:27:40 UTC
authselect-1.0.1-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-18cdaf94c1

Comment 6 Fedora Update System 2018-09-27 13:33:22 UTC
authselect-1.0.1-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-29bdc75404

Comment 7 Fedora Update System 2018-09-27 16:43:30 UTC
authselect-1.0.1-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-29bdc75404

Comment 8 Fedora Update System 2018-09-27 18:42:48 UTC
authselect-1.0.1-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-18cdaf94c1

Comment 9 Fedora Update System 2018-09-28 07:31:27 UTC
authselect-1.0.1-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-738a0e5f83

Comment 10 Fedora Update System 2018-09-28 07:31:44 UTC
authselect-1.0.1-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-00221867d7

Comment 11 Fedora Update System 2018-09-28 19:35:12 UTC
authselect-1.0.1-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-738a0e5f83

Comment 12 Fedora Update System 2018-09-28 20:31:56 UTC
authselect-1.0.1-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-00221867d7

Comment 13 Edgar Hoch 2018-09-28 21:27:17 UTC
(In reply to Pavel Březina from comment #4)
> Thank you for your input, it is highly appreciated. Can you please try this
> build?
> https://koji.fedoraproject.org/koji/taskinfo?taskID=29792066

Sorry for the late testing. Now I have tested authselect-1.0.1-2.fc28 - it works fine. I think all changes from the scratch build are included in authselect-1.0.1-2.fc28?

Now the nis profile is almost perfect - the only thing that doesn't fit is the hosts line in nsswitch.conf - it doesn't contain mdns4_minimal and we can't configure it. We need to use the feature with-custom-hosts and manually modify /etc/authselect/user-nsswitch.conf.

We should be able to define "mdns4_minimal [NOTFOUND=return]", "mdns6_minimal [NOTFOUND=return]" or "mdns_minimal [NOTFOUND=return]", for example by a feature.
This would also solve bug #1577243 - then they can use "authselect enable-feature with-custom-hosts" and "authselect disable-feature with-custom-hosts" instead of their sed script.

Thank you very much for including my ideas and suggestions!

Comment 14 Fedora Update System 2018-10-01 02:47:34 UTC
authselect-1.0.1-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Pavel Březina 2018-10-01 08:05:48 UTC
(In reply to Edgar Hoch from comment #13)
> (In reply to Pavel Březina from comment #4)
> > Thank you for your input, it is highly appreciated. Can you please try this
> > build?
> > https://koji.fedoraproject.org/koji/taskinfo?taskID=29792066
> 
> Sorry for late testing. Now I have tested authselect-1.0.1-2.fc28 - it works
> fine. I think all changes from the scratch build are included in
> authselect-1.0.1-2.fc28?

Yes. Thank you for testing.

> Now nis profile is almost perfect - the only thing that doesn't fit is the
> host line in nsswitch.conf - it doesn't contain mdns4_minimal and we can't
> configure it. We need to use feature with-custom-hosts and manually modify
> /etc/authselect/user-nsswitch.conf.

Yes. This is the intention.

> We should be able to define "mdns4_minimal [NOTFOUND=return]",
> "mdns6_minimal [NOTFOUND=return]" or "mdns_minimal [NOTFOUND=return]", for
> example by a feature. 
> This would also solve bug #1577243 - then they can use "authselect
> enable-feature with-custom-hosts" and "authselect disable-feature
> with-custom-hosts" instead of their sed script.

Unfortunately, this is not doable. There are many, many nss modules available and we cannot include all of them in upstream profiles. Thus we decided to have only a basic nsswitch.conf that works for most users, and if anyone wants to install additional modules he/she needs to either create a custom profile or, now, disable the specific line and use user-nsswitch.conf instead.

If you need to distribute the configuration across multiple machines, a custom profile is the best choice since you have full control over the configuration.

> Thank you very much for including my ideas and suggestions!

Happy to help.

Comment 16 Fedora Update System 2018-10-02 19:33:20 UTC
authselect-1.0.1-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
