guix-devel

Re: LDAP authentication + Configuring PAM


From: Ludovic Courtès
Subject: Re: LDAP authentication + Configuring PAM
Date: Tue, 03 Sep 2019 14:14:18 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hi!

Ricardo Wurmus <address@hidden> skribis:

>> Ricardo Wurmus <address@hidden> skribis:

[...]

>>> I worked around this (by lowering the G-expression first), but it’s
>>> ugly.  And even then I still have the problem that I can’t control the
>>> order of PAM entries at all.
>>
>> Perhaps we could add a field in <pam-configuration> that would be
>> transformation procedure that takes the complete list of entries?
>
> I don’t know if that makes sense without a guaranteed order.

Precisely: that procedure would allow you to reorder the entries.

>>> I also recommend using “sufficient” as the default keyword for
>>> “pam_unix.so” and ending the stack with “required pam_deny.so”.  This
>>> would make it easier to extend the stack without having to rewrite
>>> existing module entries.
>>
>> Why not.
>
> As far as I can tell this should not have any downsides.

Cool, feel free to push this change.

>> Tricky issues!  NixOS has lots of hard-coded cases instead of a generic
>> way to extend PAM settings:
>>
>>   https://github.com/NixOS/nixpkgs/blob/release-19.03/nixos/modules/security/pam.nix#L304
>
> I prefer the Guix way here.  It is more generic and more flexible.  It
> just misses a few convenience procedures, in my opinion.
>
>> From what you wrote, it may be that PAM configuration is simply not
>> “composable”, in the sense that you cannot assemble bits without viewing
>> the global picture.
>
> I think individual services cannot generically extend the PAM
> configuration, because they cannot know what order is correct with
> respect to all other services that contribute to the configuration.  But
> they *can* provide at least their own entries.

The ideal view is that services contribute bits here and there in the
service graph, such that separation of concern is guaranteed: you can
add a complex service to your ‘services’ field without knowing how it’s
implemented, and the service automatically tweaks other services as
needed and adds any services it depends on.

In the case of PAM, that may simply be impossible: each service can
contribute its own PAM entries, sure, but then, who’s in charge of
ensuring that the final list of entries is correctly ordered?  How does
one know what the “correct order” is?

My understanding is that determining the correct order needs to be done
by the admin, who has to be (1) well versed in PAM, and (2)
knowledgeable about all the services that add PAM entries.

If that really is the case, it’s very different from the ideal view
above.

Thanks,
Ludo’.
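An added example (not part of the thread, and not Guix's own code) of the two points made above: an auth stack built with the <pam-entry> and <pam-service> records from (gnu system pam) that uses "sufficient" for pam_unix.so and ends with "required pam_deny.so", and a hypothetical procedure, here called deny-last, of the kind the proposed <pam-configuration> transformation field would accept. The transformation field, deny-last, and the pam_ldap.so entry with its use_first_pass argument are assumptions for illustration; the record names and accessors are the existing ones.

```scheme
;; Added example, not code from the thread or from Guix itself.
;; Shows the "sufficient pam_unix.so ... required pam_deny.so" stack shape
;; recommended above, and a hypothetical transformation over the complete
;; entry list (the field proposed for <pam-configuration> does not exist).
(use-modules (gnu system pam)
             (srfi srfi-1)
             (ice-9 receive))

;; Base auth stack: local accounts succeed early via "sufficient", and an
;; explicit "required pam_deny.so" closes the stack so nothing falls
;; through with an implicit result once more entries are added.
(define base-auth
  (list (pam-entry (control "sufficient") (module "pam_unix.so"))
        (pam-entry (control "required")   (module "pam_deny.so"))))

;; An entry an LDAP service might contribute (assumed; a real service would
;; reference the module through its package rather than by bare name).
(define ldap-auth-entry
  (pam-entry (control "sufficient")
             (module "pam_ldap.so")
             (arguments (list "use_first_pass"))))

(define (deny-entry? entry)
  (string=? (pam-entry-module entry) "pam_deny.so"))

;; Hypothetical transformation: given the complete, already-merged list of
;; entries, return it reordered so that every pam_deny.so entry is last.
;; This is the sort of procedure the thread proposes; it is not Guix API.
(define (deny-last entries)
  (receive (denies others) (partition deny-entry? entries)
    (append others denies)))

;; Naive extension by appending puts the LDAP entry after pam_deny.so.
;; In PAM, a "sufficient" success after an earlier "required" failure does
;; not rescue the stack, so LDAP-only users could never authenticate.
(define merged-auth (append base-auth (list ldap-auth-entry)))

;; After deny-last the stack reads, in pam.d terms:
;;   auth sufficient pam_unix.so
;;   auth sufficient pam_ldap.so use_first_pass
;;   auth required   pam_deny.so
(define login-service
  (pam-service (name "login")
               (auth (deny-last merged-auth))))

;; Render the resulting auth stack in pam.d syntax for inspection.
(for-each (lambda (entry)
            (format #t "auth ~a ~a ~a~%"
                    (pam-entry-control entry)
                    (pam-entry-module entry)
                    (string-join (pam-entry-arguments entry) " ")))
          (pam-service-auth login-service))
```

Even with this reordering, the admin still decides the relative order of pam_unix.so and pam_ldap.so, and what "sufficient" for each means for accounts that exist in both sources; the transformation only guarantees the deny entry stays at the end, which is what makes appending new entries safe in the first place.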


