[ https://issues.apache.org/jira/browse/RANGER-842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15162855#comment-15162855 ]

Bolke de Bruin edited comment on RANGER-842 at 2/24/16 11:35 AM:
-----------------------------------------------------------------

[~rmani] In general yes. So when you ship rpms or debs for the different 
distributions you would need to include these files and make sure they are 
installed at the right location. They are distribution specific (i.e. RedHat 
uses different contents than Debian does).

In case these files are not present PAM will automatically fall back to 
/etc/pam.d/other. It again depends on the distribution what is in these files. 
Redhat/CentOS 7 defaults to deny everything; I don't know what Debian is doing. 

In the case of UNIX authentication the *non-remote* part will still allow 
authentication from /etc/passwd. I, personally, consider this outdated and it 
should be replaced by PAM. But if you choose UNIX as authentication mechanism 
it will still use the old code path.

My patch does however impact the remote authentication (i.e. the C 
implementation). Remote authentication now only allows PAM and does not use 
/etc/passwd anymore. If you would like to mimic the old behavior you can 
symlink /etc/pam.d/ranger-remote to /etc/pam.d/passwd. I have chosen this to 
keep remote authentication simple and to make sure you are not triggering two 
login attempts (e.g. if I would try PAM first and then /etc/passwd) as that 
could be a security incident.



was (Author: bolke):
[~rmani] In general yes. So when you ship rpms or debs for the different 
distributions you would need to include these files and make sure they are 
installed at the right location. They are distribution specific (i.e. RedHat 
uses different contents than Debian does).

In case these files are not present PAM will automatically fall back to 
/etc/pam.d/other. It again depends on the distribution what is in these files. 
Redhat/CentOS 7 defaults to deny everything; I don't know what Debian is doing. 

In the case of UNIX authentication the *non-remote* part will still allow 
authentication from /etc/passwd. I, personally, consider this outdated and 
legacy. 

My patch does however impact the remote authentication (i.e. the C 
implementation). Remote authentication now only allows PAM and does not use 
/etc/passwd anymore. If you would like to mimic the old behavior you can 
symlink /etc/pam.d/ranger-remote to /etc/pam.d/passwd. I have chosen this to 
keep remote authentication simple and to make sure you are not triggering two 
login attempts (e.g. if I would try PAM first and then /etc/passwd) as that 
could be a security incident.


> Allow PAM for authentication
> ----------------------------
>
>                 Key: RANGER-842
>                 URL: https://issues.apache.org/jira/browse/RANGER-842
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin
>    Affects Versions: 0.5.1, 0.6.0
>            Reporter: Bolke de Bruin
>              Labels: authentication, security
>             Fix For: 0.5.1, 0.6.0
>
>         Attachments: 0002-RANGER-842-pam-authentication.patch
>
>
> Ranger currently uses shadow based authentication if configured for unix 
> authentication. This way of authenticating is somewhat outdated as any recent 
> Linux system (and many of the BSDs) have PAM available. PAM allows multiple 
> authentication sources and also does authorization.
> Ranger should be able to use PAM for authentication.



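The comment above turns on one operational detail: if the packaged /etc/pam.d/ranger-remote file is missing on a given distribution, PAM silently falls back to /etc/pam.d/other, and on a Red Hat-style host that means every remote login to Ranger is denied. The script below is an added example (it is not part of the RANGER-842 patch or of Ranger) that resolves which service file PAM will consult and flags a deny-all fallback before it is discovered in production. The service name `ranger-remote` is taken from the discussion; the PAM file contents it writes are constructed samples in a temporary directory, and the `include system-auth` layout is an assumption about how a Red Hat-style service file would be written, not Ranger's shipped file.

```shell
#!/bin/sh
# Added example, not part of the RANGER-842 patch or of Ranger itself:
# check which PAM service file governs Ranger's remote (C) authenticator.
# Only the temporary tree built in demo() is written; /etc/pam.d is untouched.

# pam_service_file DIR SERVICE: print the file PAM will read for SERVICE,
# i.e. DIR/SERVICE if it exists, else DIR/other (PAM's documented fallback).
pam_service_file() {
    if [ -f "$1/$2" ]; then printf '%s\n' "$1/$2"; else printf '%s\n' "$1/other"; fi
}

# pam_auth_denies_all FILE: succeed (0) when every non-comment "auth" line
# uses only pam_deny.so / pam_warn.so, i.e. nobody can authenticate through it.
pam_auth_denies_all() {
    [ -f "$1" ] || return 1
    auth_lines=$(grep -v '^[[:space:]]*#' "$1" | grep -E '^[[:space:]]*auth[[:space:]]')
    [ -n "$auth_lines" ] || return 1
    # any other module on the auth stack could still admit someone
    printf '%s\n' "$auth_lines" | grep -vqE 'pam_(deny|warn)\.so' && return 1
    printf '%s\n' "$auth_lines" | grep -q 'pam_deny\.so'
}

# ranger_pam_status DIR SERVICE: print "own", "fallback-deny" or "fallback".
ranger_pam_status() {
    f=$(pam_service_file "$1" "$2")
    if [ "$f" = "$1/$2" ]; then
        echo own               # the packaged service file is in place
    elif pam_auth_denies_all "$f"; then
        echo fallback-deny     # no service file AND "other" denies: every remote login fails
    else
        echo fallback          # no service file; behaviour is whatever "other" says
    fi
}

# Demo against a constructed pam.d tree (constructed samples, never /etc/pam.d).
demo() {
    d=$(mktemp -d)
    # Red Hat-style deny-all "other" (constructed sample)
    printf '#%%PAM-1.0\nauth     required   pam_deny.so\naccount  required   pam_deny.so\n' > "$d/other"
    echo "before shipping ranger-remote: $(ranger_pam_status "$d" ranger-remote)"
    # Red Hat-style ranger-remote deferring to system-auth (constructed; assumed layout)
    printf '#%%PAM-1.0\nauth     include    system-auth\naccount  include    system-auth\n' > "$d/ranger-remote"
    echo "after shipping ranger-remote:  $(ranger_pam_status "$d" ranger-remote)"
    rm -rf "$d"
}

demo
```

Run it as-is to see the two states side by side; to audit a real host, call `ranger_pam_status /etc/pam.d ranger-remote` from the same file. A result of `fallback-deny` is the "deny everything" case the comment describes for Redhat/CentOS 7, and `fallback` means the host's `other` file decides, which is exactly the distribution-specific behaviour the comment says the packages should pin down by shipping the file.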
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
