GCE OSLogin module: init #51566
Conversation
(force-pushed from e559972 to 7133576)
So far, logging in using the snakeoil SSH keys works, but there is some PAM weirdness going on:
I guess that's the reason for why
(force-pushed from 8bcdab3 to e8dff53)
#includedir /run/google-sudoers.d | ||
''; | ||
systemd.tmpfiles.rules = [ | ||
"d /run/google-sudoers.d 660 root root -" |
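Review bot: the tmpfiles line "d /run/google-sudoers.d 660 root root -" creates the directory without the search (x) bit; root still traverses it through CAP_DAC_OVERRIDE, so sudo's #includedir /run/google-sudoers.d works, but 660 is not a meaningful mode for a directory and a sudoers drop-in directory is conventionally 0750. Consider "d /run/google-sudoers.d 750 root root -" so the mode states the intended access instead of relying on root's override. The "-" age field is consistent with leaving file lifetime to pam_oslogin_admin rather than to systemd-tmpfiles cleanup.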
The - for age means systemd will create the directory with the mentioned permissions and ownership, but not automatically clean up anything.
I moved that from /var/google-sudoers.d (and patched pam_module/pam_oslogin_admin.cc), as that location seemed much more suitable for runtime files.
pam_oslogin_admin.cc has code to clean up existing files if admin status is revoked; it's just a more meaningful location (and cleans up expired users on a reboot).
cc @Assassinkin @matthewbauer for other recent PAM contributions
@flokli Could you squash the fixup commits? I don't mind you force-pushing to my fork.
I'd still like to get the TODOs fixed and #50316 merged before rebasing again. Any ideas about the "PAM unable to resolve symbol:" errors?
(force-pushed from e8dff53 to 6488d85)
(force-pushed from 7ca5056 to df7b1eb)
Finally got sudo working - culprit was the
This was fixed for sssd only in #31969, @dezgeg, @PsyanticY, can you have a look at 04bf65e5ab26634aa5981a4762f70635d129daa0, too?
(force-pushed from df7b1eb to 04bf65e)
Things seem to be working great now! Thanks @flokli for all the good work.
@flokli I think it should be like that for all modules, not just sssd.
Even this part
it should not be sufficient. I would suggest removing the
Reading up on https://wiki.debian.org/LDAP/PAM, it seems this should at least work if all these 'external' PAM modules provide an NSS module, too. There are other examples of what can/should be done instead - but it seems to be a very combinatory hell. Maybe we should limit the PAM module to only allow one external PAM module (sssd/ldap/oslogin/kerberos) to be active, and check the configuration for them?
(force-pushed from 056da77 to 88d2f6f)
Having pam_unix set to "sufficient" means an early-succeeding account management group, as soon as pam_unix.so is succeeding. This is not sufficient. For example, nixos modules might install nss modules for user lookup, so pam_unix.so succeeds, and we end the stack successfully, even though other pam account modules might want to do more extensive checks.

Other distros seem to set pam_unix.so to 'required', so if there are other pam modules in that management group, they get a chance to do some validation too. For SSSD, @PsyanticY already added a workaround knob in NixOS#31969, while stating this should be the default anyway.

I did some thinking about what could break - after this commit, we require pam_unix to succeed, meaning we require `getent passwd $username` to return something. This is the case for all local users due to the passwd nss module, and also the case for all modules installing their nss module to nsswitch.conf - true for ldap (if not explicitly disabled) and sssd.

I'm not so sure about krb5, cc @eqyiel for opinions. Is there some nss module loaded? Should the pam account module be placed before pam_unix?

We don't drop the `security.pam.services.<name?>.sssdStrictAccess` option, as it's also used some lines below to tweak error behaviour inside the pam sssd module itself (by changing its 'control' field).

This is also required to get admin login for Google OS Login working (NixOS#51566), as their pam_oslogin_admin accounts module takes care of sudo configuration.
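The short-circuit described in the commit message above, as an added example that is not code from this PR or from nixpkgs: a small Python model of the pam.conf(5) simple-control rules (required, requisite, sufficient, optional) that walks an `account` stack once with pam_unix.so as `sufficient` and once as `required`, and records which modules actually get called. The NSS table, the admin set, the Session/Entry types and the names WEAK, FIXED and evaluate are constructed for the illustration; the pam_oslogin_admin side effect is only modelled as a flag.

```python
# Added example, not code from this PR or from nixpkgs: a model of the
# pam.conf(5) "simple control" rules for one management group, used to show why
# `account sufficient pam_unix.so` stops the stack before pam_oslogin_admin.so runs.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Constructed NSS view: the names `getent passwd` would resolve. "alice" is a
# local /etc/passwd user, "bob" resolves only through the OS Login NSS module.
NSS_PASSWD = {"alice", "bob"}
# Constructed admin status; the real module gets this from the metadata server.
OSLOGIN_ADMINS = {"bob"}


@dataclass
class Entry:
    control: str  # required | requisite | sufficient | optional
    module: str


@dataclass
class Session:
    user: str
    invoked: List[str] = field(default_factory=list)
    sudoers_written: bool = False  # stands in for /run/google-sudoers.d/<user>


def pam_unix_account(s: Session) -> str:
    """pam_unix account hook: succeeds only if NSS knows the user."""
    return PAM_SUCCESS if s.user in NSS_PASSWD else PAM_USER_UNKNOWN


def pam_oslogin_admin_account(s: Session) -> str:
    """pam_oslogin_admin account hook: drops a sudoers file for admins.
    (Modelled as a side effect; the real module also removes stale files.)"""
    s.sudoers_written = s.user in OSLOGIN_ADMINS
    return PAM_SUCCESS


MODULES: Dict[str, Callable[[Session], str]] = {
    "pam_unix.so": pam_unix_account,
    "pam_oslogin_admin.so": pam_oslogin_admin_account,
}


def run_stack(stack: List[Entry], s: Session) -> str:
    """Walk one management group using the pam.conf(5) simple-control rules."""
    first_required_failure: Optional[str] = None
    counted_success = False
    last_result = PAM_PERM_DENIED
    for e in stack:
        result = MODULES[e.module](s)
        s.invoked.append(e.module)
        last_result = result
        ok = result == PAM_SUCCESS
        if e.control == "required":
            if ok:
                counted_success = True
            elif first_required_failure is None:
                first_required_failure = result  # remember, but keep calling the rest
        elif e.control == "requisite":
            if not ok:
                return result  # stop immediately
            counted_success = True
        elif e.control == "sufficient":
            if ok and first_required_failure is None:
                return PAM_SUCCESS  # short-circuit: later entries never run
            # a failed sufficient module is simply ignored
        # optional: ignored unless it is the only entry (handled below)
    if first_required_failure is not None:
        return first_required_failure
    if counted_success:
        return PAM_SUCCESS
    if len(stack) == 1 and stack[0].control == "optional":
        return last_result
    return PAM_PERM_DENIED  # nothing positive happened: Linux-PAM's sanity check


# The two stacks discussed in the commit message, in the order sshd's account
# group would list them.
WEAK = [Entry("sufficient", "pam_unix.so"), Entry("required", "pam_oslogin_admin.so")]
FIXED = [Entry("required", "pam_unix.so"), Entry("required", "pam_oslogin_admin.so")]


def evaluate(stack: List[Entry], user: str) -> Tuple[str, List[str], bool]:
    """Return (stack result, modules actually invoked, sudoers file written)."""
    s = Session(user)
    return run_stack(stack, s), s.invoked, s.sudoers_written


if __name__ == "__main__":
    for label, stack in (("sufficient", WEAK), ("required", FIXED)):
        for user in ("bob", "mallory"):
            print(f"pam_unix {label:10} user={user:8} -> {evaluate(stack, user)}")
```

With the weak stack, an OS Login admin such as the constructed "bob" passes the account group after pam_unix.so alone, so pam_oslogin_admin.so never runs and no sudoers drop-in is written; with pam_unix.so as `required` both modules run. The model also shows the trade-off the commit message names: a user NSS cannot resolve still passes the weak stack through pam_oslogin_admin.so, while the fixed stack fails with pam_unix's PAM_USER_UNKNOWN, which is why `getent passwd $username` must succeed after the change.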
The OS Login package enables the following components:
- AuthorizedKeysCommand to query valid SSH keys from the user's OS Login profile during the ssh authentication phase.
- NSS Module to provide user and group information.
- PAM Module for the sshd service, providing authorization and authentication support, allowing the system to use data stored in Google Cloud IAM permissions to control both the ability to log into an instance and to perform operations as root (sudo).
….security.googleOsLogin.enable is set
…-accounts-daemon Use googleOsLogin for login instead. This allows setting users.mutableUsers back to false, and to strip the security.sudo.extraConfig. security.sudo.enable is default anyhow, so we can remove that as well.
(force-pushed from 88d2f6f to 706efad)
With #52488 being merged, this should be good to go, too.
Motivation for this change
TODO