Hi,

On 3/5/21 11:59 AM, Pavel Březina wrote:
> On 3/4/21 5:11 PM, Hans de Goede wrote:
>> Hi,
>>
>> On 3/4/21 11:50 AM, Pavel Březina wrote:
>>> On 3/3/21 6:11 PM, Hans de Goede wrote:
>>>> Hi,
>>>>
>>>> On 3/2/21 5:20 PM, Pavel Březina wrote:
>>>>> On 3/2/21 4:25 PM, Ray Strode wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Ahh, okay.
>>>>>>
>>>>>> On Tue, Mar 2, 2021 at 9:31 AM Hans de Goede <hdego...@redhat.com> wrote:
>>>>>>> sudo authselect select minimal
>>>>>>> sudo authselect apply-changes
>>>>>>>
>>>>>>> Which results in the following /etc/pam.d/fingerprint-auth file:
>>>>>>>
>>>>>>> [hans@x1 linux]$ sudo cat /etc/pam.d/fingerprint-auth
>>>>>>> # Generated by authselect on Tue Mar  2 15:24:53 2021
>>>>>>> # Do not modify this file manually.
>>>>>
>>>>> minimal profile does not support fingerprint
>>>>
>>>> So it seems there are 4 profiles:
>>>>
>>>> [hans@x1 ~]$ authselect list
>>>> - minimal     Local users only for minimal installations
>>>> - nis         Enable NIS for system authentication
>>>> - sssd        Enable SSSD for system authentication (also for local users only)
>>>> - winbind     Enable winbind for system authentication
>>>>
>>>> What I want is a profile which uses just the good old /etc files to
>>>> avoid the overhead of running a local daemon (sssd tends to show up as
>>>> one of the top 10 wakeup sources in powertop on an idle system) and I
>>>> also don't want a config which tries to go out on the network.
>>>>
>>>> So minimal seems to meet my needs; and although I personally do not
>>>> have much of a need for fingerprint auth, I don't really see why we
>>>> could not do fingerprint auth with the minimal config. I'm pretty
>>>
>>> I'd say the answer is simple - if you go with minimal, you don't need 
>>> fingerprint. And you wrote it yourself - you don't need fingerprint auth. 
>>> Just because something can be done does not mean it is worth maintaining. 
>>> More info below.
>>>
>>>> sure I can manually create a pam-config where this works just fine.
>>>>
>>>> I guess it's in the name minimal, whereas "local" might be (1) a better
>>>
>>> That's the point - it's minimal, not local, not without-sssd. The readme 
>>> explicitly says that it is reserved for cases when you really care about disk 
>>> and memory footprint.
>>>
>>> It has very limited functionality by design. If you do not want to use 
>>> SSSD, you can keep using the sssd profile and just disable the service. It will 
>>> keep working. The minimal profile is there for users that also want to 
>>> remove the sssd packages to save resources, but in that case you probably don't 
>>> care about fingerprint and smartcards either.
>>
>> The problem is that IMHO having sssd enabled by default is really the wrong 
>> thing to do for like 95% of our users and defaults should be the settings 
>> which are best for most / almost all users.
>>
>> This is really just a symptom of a much bigger problem though, which is that 
>> we simply have way too many services / daemons starting up by default. The 
>> output of "ps aux" after a default Fedora workstation install is just way 
>> way too long. Once upon a time Linux users used to make fun of Windows with 
>> all its background processes; in the meantime a default Fedora WS install 
>> has gotten worse than Windows wrt background processes. Many of these are 
>> totally unnecessary for most of our users.
>>
>> We really should be smarter here and the config tools which allow a user to 
>> enroll in an authentication domain should enable the sssd config when that happens, 
>> and not have this on by default for everyone.
>>
>> So what I would really like to see is a local profile which uses just /etc 
>> files + fprintd if there are fingerprints enrolled. Smartcards are a 
>> different story, because those likely also need significant extra setup.
>>
>> Whereas fingerprints can easily be enrolled from the local UI tools.
>>
>>>> name. Note I'm not suggesting to add another profile just for this
>>>> but it would be nice if fingerprint auth would at least be a
>>>> (default off) feature for the minimal config.
>>>>
>>>> Shall I file a RFE issue for this at:
>>>> https://github.com/authselect/authselect/issues/
>>>
>>> If you need fingerprint auth then open the ticket please - but no promises 
>>> here. If you don't need it then just don't open the ticket :-)
>>
>> Rather than opening a ticket, what I would really like to see is a good 
>> discussion about why the sssd profile is the default, because IMHO it is a 
>> bad default for most users.
> 
> I hear you. From the authselect perspective, SSSD was enabled by default through 
> a change page that was accepted by the community. Therefore authselect is 
> advertising this profile as the main and only one. If you want to run without 
> sssd, you can disable the service, but you don't have to switch to another 
> profile.
> 
> Whether or not it should be enabled by default is a different discussion. 
> But... The SSSD team does acknowledge that it does not have to be enabled by 
> default for the vast majority of Fedora users and we plan to submit a change page 
> that will address this. However, I am not going to dive into details in this 
> thread yet, since they are still developing,

Oh, that sounds interesting / sounds like a good development. I'll patiently 
await the change page for this.

Regards,

Hans
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org