Update sssd integration with pam as documented by RedHat #31969
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@GrahamcOfBorg eval |
|
Looks good to me. (But I'm no PAM expert.) You may be interested in #22789. |
|
I can give this a try on my SSSD installation. |
|
@dezgeg Any results to share ? |
|
@grahamc Can you Please check this, its small and strait forward. |
|
@grahamc btw when looking at the PR again, this doesn't seem to change anything in the pam config unless the new option is set to true (which is false by default). So I guess it should be fine to merge ? |
flokli
added a commit
to flokli/nixpkgs
that referenced
this pull request
Dec 12, 2018
Setting pam_unix set to sufficient means early-succeeding account management group, as soon as pam_unix.so is succeeding. This is not sufficient. For example, modules might install nss modules for user lookup, so pam_unix.so succeeds, and we end the stack successfully, even though other pam modules might want to do more extensive checks. Other distros set pam_unix.so to 'required', so if there are other pam modules in that management group, they get a chance to do some validation too. This broke SSSD, for which @PsyanticY added a workaround knob in NixOS#31969. This also breaks parts of Google OS Login, as the pam_oslogin_admin.so module doesn't get a chance to add a sudoers file for admins (while the NSS module fixes the lookup done in pam_unix.so) This changes the default of pam_unix.so to 'required' We don't drop the `security.pam.services.<name?>.sssdStrictAccess` option, as it's used some lines below to tweak error behaviour inside the pam sssd module.
10 tasks
flokli
added a commit
to flokli/nixpkgs
that referenced
this pull request
Dec 21, 2018
Having pam_unix set to "sufficient" means early-succeeding account management group, as soon as pam_unix.so is succeeding. This is not sufficient. For example, nixos modules might install nss modules for user lookup, so pam_unix.so succeeds, and we end the stack successfully, even though other pam account modules might want to do more extensive checks. Other distros seem to set pam_unix.so to 'required', so if there are other pam modules in that management group, they get a chance to do some validation too. For SSSD, @PsyanticY already added a workaround knob in NixOS#31969, while stating this should be the default anyway. I did some thinking in what could break - after this commit, we require pam_unix to succeed, means we require `getent passwd $username` to return something. This is the case for all local users due to the passwd nss module, and also the case for all modules installing their nss module to nsswitch.conf - true for ldap (if not explicitly disabled) and sssd. I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss module loaded? Should the pam account module be placed before pam_unix? We don't drop the `security.pam.services.<name?>.sssdStrictAccess` option, as it's also used some lines below to tweak error behaviour inside the pam sssd module itself (by changing it's 'control' field). This is also required to get admin login for Google OS Login working (NixOS#51566), as their pam_oslogin_admin accounts module takes care of sudo configuration.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for this change
I was working on setting up an integration for NixOS instances with FreeIPA using SSSD.
In the SSSD config file i specify the groups/users that are allowed to access the server.
When setting up SSSD some changes on the pam services occurs. these changes do not allow the required behavior the way it is now as when i allow just a certain ldap user to access the server, he will just be able to access. So i needed to re-declare the pam.sshd module and add SSSD modules to the PAM configuration as specified in RedHat documentation (Check 4. ).
re-declaring the module is obviously not good practice so the option I am asking you to include will allows to include SSSD module in pam the way as Redhat specified if set to true or keep it as it is if it is false (the default state).
Please let me know if you need any further explanation or if i can improve my pull request as it is my first time contributing to an open source project :) .
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)