[
https://issues.apache.org/jira/browse/RANGER-842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15162855#comment-15162855
]
Bolke de Bruin commented on RANGER-842:
---------------------------------------
[~rmani] In general yes. So when you ship rpms or debs for the different
distributions you would need to include these files and make sure they are
installed at the right location. They are distribution specific (i.e. RedHat
uses different contents than Debian does).

In case these files are not present PAM will automatically fall back to
/etc/pam.d/other. It again depends on the distribution what is in these files.
RedHat/CentOS 7 default to deny everything; I don't know what Debian is doing.

In the case of UNIX authentication the *non-remote* part will still allow
authentication from /etc/passwd. I, personally, consider this outdated and
legacy.

My patch does however impact the remote authentication (i.e. the C
implementation). Remote authentication now only allows PAM and does not use
/etc/passwd anymore. If you would like to mimic the old behavior you can
symlink /etc/pam.d/ranger-remote to /etc/pam.d/passwd. I have chosen this to
keep remote authentication simple and to make sure you are not triggering two
login attempts (e.g. if I would try PAM first and then /etc/passwd) as that
could be a security incident.

> Allow PAM for authentication
> ----------------------------
>
> Key: RANGER-842
> URL: https://issues.apache.org/jira/browse/RANGER-842
> Project: Ranger
> Issue Type: Improvement
> Components: admin
> Affects Versions: 0.5.1, 0.6.0
> Reporter: Bolke de Bruin
> Labels: authentication, security
> Fix For: 0.5.1, 0.6.0
>
> Attachments: 0002-RANGER-842-pam-authentication.patch
>
>
> Ranger currently uses shadow-based authentication if configured for unix
> authentication. This way of authenticating is somewhat outdated as any recent
> Linux system (and many of the BSDs) has PAM available. PAM allows multiple
> authentication sources and also does authorization.
> Ranger should be able to use PAM for authentication.
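
The fallback to /etc/pam.d/other described in the comment above can be checked on a host before a package ships without its service file. This is an added example, not part of the original message or of the Ranger patch; the function names are hypothetical, and it models only the missing-file case in a single pam.d directory (include lines are reported, not followed).

```shell
#!/bin/sh
# Added example (not Ranger code). Assumption: policies live in one pam.d-style
# directory and a missing service file means PAM reads "other" instead.

# Print the policy file that applies to service $1 in directory $2.
pam_policy_file() {
    svc=$1; dir=${2:-/etc/pam.d}
    if [ -e "$dir/$svc" ]; then printf '%s\n' "$dir/$svc"
    elif [ -e "$dir/other" ]; then printf '%s\n' "$dir/other"
    else return 1
    fi
}

# Print the module (or "@file" for include/substack) of every auth rule in $1.
pam_auth_modules() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" || $1 == "-auth" {
            if ($2 == "include" || $2 == "substack") { print "@" $3; next }
            i = 2
            # A bracketed control such as [success=1 default=ignore] spans fields.
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            m = $(i + 1); sub(/.*\//, "", m)   # strip an absolute module path
            print m
        }' "$1"
}

# Classify authentication for service $1 (directory $2):
#   explicit        the service has its own policy file
#   fallback-deny   no service file; "other" has only pam_deny.so auth rules
#   fallback-review no service file; "other" needs a manual look
#   no-policy       neither file exists
pam_auth_verdict() {
    file=$(pam_policy_file "$1" "${2:-/etc/pam.d}") || { echo "no-policy"; return 0; }
    case $file in
        */other) ;;
        *) echo "explicit"; return 0 ;;
    esac
    mods=$(pam_auth_modules "$file" | sort -u)
    if [ "$mods" = "pam_deny.so" ]; then echo "fallback-deny"
    else echo "fallback-review"
    fi
}

# Usage: sh pam-check.sh ranger-remote [/etc/pam.d]
if [ "$#" -gt 0 ]; then pam_auth_verdict "$@"; fi
```

A result of `fallback-review` means the service would authenticate against whatever the distribution put in `other`, which is the situation the comment warns packagers about.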