Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
On Sat, May 15, 2010 at 12:31:18AM -, Daniel Richard G. wrote: This is a potential solution, but putting aside the tricky case of what happens if the common-* files have customized options, and then the PAM profile changes?, another problem with this approach is the fragility of the customization. If you deselect the module, update, then reselect it, and update... the customized module options are gone without a trace. There's no way to get them back, other than making the same edit to the common-* files again. The only real way to safeguard such customizations is to revert the files to manually-edited mode. The only way to preserve such options would be to store the authoritative configuration somewhere other than in the configuration file. (Right now, we only record what the last-seen set of module defaults are; the configuration itself is only ever stored in /etc/.) I don't think moving parts of the user configuration out of the config files is acceptable, and if you disable and then re-enable a module, I don't see any reason that the config options *should* be sticky. I'm not terribly comfortable with the way the statefulness works with this approach, either. The PAM configuration is not just a vector of bits indicating enabled/disabled profiles, but also whatever customizations have been made in the common-* files. If I'm not aware of what these customizations are, then I have no good way of knowing if my PAM config is just that vector, or if there's something more to it. There's no mechanism to tell me here are all the module options that are different from what's in the profiles. True. We could add an option for this, but as things stand today, pam-auth-update already implements the usual guarantee required by Debian/Ubuntu policy - that local configuration changes are respected. Helping the user understand which bits of the configuration *are* local changes is gravy. Cheers, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
I don't think moving parts of the user configuration out of the config files is acceptable, and if you disable and then re-enable a module, I don't see any reason that the config options *should* be sticky. I wasn't so much proposing an alternative, just going over the shortcomings I see of this approach. (Sticky options would present another quandary---what if they're wrong, and you're not sure how? What easy way do you have to revert to a pristine config, if disabling/re- enabling a module doesn't do it?) pam-auth-update already implements the usual guarantee required by Debian/Ubuntu policy - that local configuration changes are respected. Helping the user understand which bits of the configuration *are* local changes is gravy. What's implemented now is serviceable, to be sure, but I think the PAM config warrants a higher level of transparency than (say) inetd.conf. Maybe it can be machine-generated comments in the common-* files that indicate which options are customized; maybe some external file (/etc/pam.overrides? pam.custom?) that stores these options, allowing easy review and editing. I don't know what the solution would be---only that I'm vaguely uncomfortable with something as critical as the PAM config having this not-easily-inspected space in which changes can be made. There's definitely room for improvement here. -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Daniel, I've opened a separate bug, bug #579826, to track the problem with pam- auth-update not saving changes to the pam_krb5 module options. Would you mind testing the libpam-runtime 1.1.1-2ubuntu3 package in lucid- proposed and reporting on that bug whether it solves the problem for you (specifically, the problem of config changes being lost - I realize you may not consider it a complete solution for your use case)? -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Happy to give it a try, Steve. I just commented in that bug report. This is a potential solution, but putting aside the tricky case of what happens if the common-* files have customized options, and then the PAM profile changes?, another problem with this approach is the fragility of the customization. If you deselect the module, update, then reselect it, and update... the customized module options are gone without a trace. There's no way to get them back, other than making the same edit to the common-* files again. The only real way to safeguard such customizations is to revert the files to manually-edited mode. I'm not terribly comfortable with the way the statefulness works with this approach, either. The PAM configuration is not just a vector of bits indicating enabled/disabled profiles, but also whatever customizations have been made in the common-* files. If I'm not aware of what these customizations are, then I have no good way of knowing if my PAM config is just that vector, or if there's something more to it. There's no mechanism to tell me here are all the module options that are different from what's in the profiles. -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
On Tue, Apr 13, 2010 at 07:41:04AM -, Daniel Richard G. wrote: No, it's persistent unless you disable pam_krb5 entirely. Have you tried it? Yeah, where pam-auth-update asks you Override local changes to /etc/pam.d/common-*? I see the man page says something about preserving module options, but if I add an option to (say) common-auth, and re-run p-a-u, the option is silently blown away. (This is on my Karmic work system; has this changed since? I don't see anything in the changelog.) Er, well, shoot - it turns out there's a bug in pam-auth-update's handling of module options, that *only* affects modules with numbers in their names (like pam_krb5) :/ I knew I wasn't imagining that I had tested this code, I just didn't test it with this module... I've committed the one-liner fix for this to the Debian package, and will work on getting this into an SRU for lucid. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Daniel Richard G. sk...@iskunk.org writes: At the moment, my PAM-profile override *is* put into place by the same script that adds the minimum_uid bit to krb5.conf. But that's just a workaround. I don't need a workaround; I need a fix for this, so that I can toss the workaround :-) I guess I'm a bit baffled by why fixing your PAM configuration is a workaround but installing a custom krb5.conf is a desired configuration step. That just isn't how I think about the files. But that's okay, I don't have to understand. :) (Incidentally, Russ, Steve... what would you think of asking minimum_uid as a debconf question, when initially creating krb5.conf? Other sites may want to frob this setting as well.) It's a weird situation, since krb5-config doesn't know whether you're ever going to care about the Kerberos PAM module. You may be installing a krb5.conf for some other reason entirely. A strong argument could be made that the whole [appdefaults] thing in krb5.conf is a basically bad idea (particularly since krb5.conf doesn't support file includes) and should not be used to distribute PAM configuration, or any other app-specific configuration. That's part of the reason why it was initially done through the PAM configuration directly, since after all it is configuration for the PAM module, not for the general Kerberos installation on the system. But despite feeling that at times, I do use [appdefaults] for a bunch of my stuff because it's convenient to have a nice configuration syntax and configuration reading functions built-in, and because a lot of people like to distribute Kerberos settings site-wide through krb5.conf and there are some PAM settings that are really site-wide. (I don't think of minimum_uid as one, but things like renewable lifetime or forwardable tickets are more.) -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
On Tue, Apr 13, 2010 at 04:42:37AM -, Daniel Richard G. wrote: But I suppose that's what NEWS.Debian is for. You could also stick in a debconf notice, like what x11-common had for a while (Major possible upgrade issues). This is not considered good practice, and I don't think it's warranted in this case. I agree that this is what NEWS.Debian is for. (Incidentally, Russ, Steve... what would you think of asking minimum_uid as a debconf question, when initially creating krb5.conf? Other sites may want to frob this setting as well.) They may want to, but I don't think the added complexity of debconf solely for what I believe is a rarely-used option makes sense. Given that a site-implementation of this requires nothing more than a simple sed one-liner ( sed -i -e'/pam_krb5/ { s/minimum_uid=[0-9]*/minimum_uid=/ }' /etc/pam.d/common-* ), I don't think debconf offers much benefit here. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
I guess I'm a bit baffled by why fixing your PAM configuration is a workaround but installing a custom krb5.conf is a desired configuration step. krb5.conf is a config file under /etc. That's the ideal place to make configuration changes. As it is, right now, adding the minimum_uid bit involves just appending a few lines to the file---it doesn't get much simpler than that. It's a weird situation, since krb5-config doesn't know whether you're ever going to care about the Kerberos PAM module. You may be installing a krb5.conf for some other reason entirely. Yeah, that's true. It's like with LDAP; my site uses LDAP for ls -l, ~user lookups et al., but not for authentication. Still, having it in debconf may be convenient enough for sites that use pam_krb5, to be worth the this setting only has an effect if ... qualifier for sites that don't. Though I haven't made much use of [appdefaults] myself (just for the PAM module), I've never seen a philosophical problem with it, since all the settings there would relate to Kerberos anyway---it just comes down to making the admin's job easier. Splitting them out elsewhere might be more pedantically correct, but... For that matter, has there been any talk on a better way doing krb5.conf, like doing a /etc/krb5.conf.d/ or a krb5-auth-update(8) or the like? With all that's been said here about the limitations of the file and how it's structured/managed, it seems like this is a problem that's crying out for a solution. -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
They may want to, but I don't think the added complexity of debconf solely for what I believe is a rarely-used option makes sense. [...] I don't think debconf offers much benefit here. Fair enough, though I hope you're not suggesting direct modification of the /etc/pam.d/common-* files as a practical way of doing site customization. (That'll work fine until the next time someone wants to run pam-auth-update...) -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
On Tue, Apr 13, 2010 at 06:48:21AM -, Daniel Richard G. wrote: krb5.conf is a config file under /etc. /etc/pam.d/common-* are also config files under /etc. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
On Tue, Apr 13, 2010 at 06:58:02AM -, Daniel Richard G. wrote: Fair enough, though I hope you're not suggesting direct modification of the /etc/pam.d/common-* files as a practical way of doing site customization. (That'll work fine until the next time someone wants to run pam-auth-update...) No, it's persistent unless you disable pam_krb5 entirely. Have you tried it? -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
No, it's persistent unless you disable pam_krb5 entirely. Have you tried it? Yeah, where pam-auth-update asks you Override local changes to /etc/pam.d/common-*? I see the man page says something about preserving module options, but if I add an option to (say) common-auth, and re-run p-a-u, the option is silently blown away. (This is on my Karmic work system; has this changed since? I don't see anything in the changelog.) -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Daniel Richard G. sk...@iskunk.org writes: For that matter, has there been any talk on a better way doing krb5.conf, like doing a /etc/krb5.conf.d/ or a krb5-auth-update(8) or the like? Debian Bug#429692. There's no progress on it so far as I know. I should look at adding something like that to Heimdal, since it would be rather convenient at times. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Er, how is it silent when pam-auth-update asks you a question? Silent, in the sense that when you run p-a-u, it doesn't indicate that the common-* files have been modified in any way; it just presents you with the same checkbox-list of profiles. You leave everything as-is, hit OK, look at the file, and the option you had just added is gone. (Not that I'm keen on the ability for p-a-u to preserve module options ---that means I have to guess what the tool does if the options change in a profile, and it has to merge that change with hand-modified options in common-*. Even worse if it asks the user what to do; how do you even word that question without confusing most people?) That seems to me like the best way to do things at scale. I don't want to forgo p-a-u. It's beneficial for single users and admins, yes, but it's a boon to large sites as well, because it reduces your entire PAM configuration from four arbitrary freeform script files (in which any mistakes can have major consequences) to a short vector of enabled/disabled PAM profiles. If a user wants to install something that hooks into the PAM stack that isn't already in the image (let's say, ConsoleKit), they don't have to hand-edit/merge anything, or come running for support when they inevitably break PAM and lock themselves out; they just check a new box. This is why I never considered hand-tuning common-*, and instead went with a custom profile. It's far better to wedge a new piece into p-a-u, than to toss p-a-u altogether and hand-maintain everything the old-fashioned way. (I can hardly even stand working with Debian Lenny anymore because it doesn't have this. That's how big an improvement it's been for me.) We can certainly try to make it work more smoothly for you, but it does feel like you're creating extra work for yourself in a few places. As I see it, custom profiles and hand-editing auto-generated files are extra work, and I'm trying to laze my way away from that! :-) Debian Bug#429692. There's no progress on it so far as I know. Just #include functionality? That seems overly modest (packages would still have to modify an existing file, they can't just drop a file into a directory), but still an improvement over what we have now. *push* *goad* *cajole* -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
But I suppose that's what NEWS.Debian is for. You could also stick in a debconf notice, like what x11-common had for a while (Major possible upgrade issues). Right -- if you're already distributing a krb5.conf with this setting, surely the same mechanism could be used to override the PAM configuration as well. At the moment, my PAM-profile override *is* put into place by the same script that adds the minimum_uid bit to krb5.conf. But that's just a workaround. I don't need a workaround; I need a fix for this, so that I can toss the workaround :-) (Incidentally, Russ, Steve... what would you think of asking minimum_uid as a debconf question, when initially creating krb5.conf? Other sites may want to frob this setting as well.) -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Steve Langasek steve.langa...@canonical.com writes: Honestly, I don't see any good choices at the packaging level for permuting the pam_krb5 options used. Yeah, that's what it was looking like to me as well. Why wouldn't it work to have krb5-config do a one-time adjustment of /etc/krb5.conf on upgrade (w/ version guard), and give libpam-krb5 a versioned dependency on the version of krb5-config that implements this? Hm, yes, I suppose I could try that. I don't see an obvious problem with it, at least. I'll run that past Sam and see what he thinks about it. I'm a little concerned by the implications for sites that maintain a site-wide krb5.conf file that they distribute to all of their systems and don't have this setting in it because it doesn't apply uniformly to all of their systems. In that situation, they really need to use PAM configuration instead, and this transition could easily leave them without a minimum_uid setting. But I suppose that's what NEWS.Debian is for. As for your original problem, Daniel, - you already have to set the non-default minimum_uid in krb5.conf; why couldn't you automatically apply the same setting to /etc/pam.d/common-* by the same mechanism? There may be room for improvement in the package defaults, but ISTM that this shouldn't stand in the way of you solving your immediate problem - especially given that you're decidedly not using the package defaults anyway. Right -- if you're already distributing a krb5.conf with this setting, surely the same mechanism could be used to override the PAM configuration as well. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Isn't it possible to use debconf to change around the enabled profiles, via the libpam-runtime/profiles selection? Steve: I'm not sure I understand what you mean by automatically apply ... by the same mechanism. I can set minimum_uid in krb5.conf, but I also have to toss the minimum_uid= options in /etc/pam.d/common-*, because PAM module options take precedence over what's in krb5.conf. That's why I'm using a custom Kerberos profile. It's basically identical to the stock krb5 profile, just without the minimum_uid= bit. I *want* to use the package defaults---the only reason I can't is because minimum_uid is hardcoded in there, not in a conffile, and not under /etc. -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
On Wed, Mar 31, 2010 at 05:06:48AM -, Russ Allbery wrote: No, it's not a conffile. The generated /etc/pam.d files are configuration files, but if the user is using the defaults, I believe changes to the defaults are just automatically applied (although Steve would know better than I). Yes, pam-auth-update does word-wise parsing of the options for each module in the stack, and does an automatic three-way merge of these options on upgrade. On Fri, Apr 02, 2010 at 12:31:50AM -, Russ Allbery wrote: The input files to pam-auth-update aren't configuration files, so this would need to change somewhat, but I think I can see how to do something like this. Basically, libpam-krb5 would ship two different krb5 PAM profiles and select between them based on whether or not krb5.conf had a minimum_uid setting. However, so far as I can tell, there's no way to do this right now in the existing pam-auth-update system. The package doesn't tell pam-auth-update which profile to add. It just configures all of them. So the user would keep having to select between krb5 and krb5-old (or whatever) without knowing which one too chose, and they'd conflict with each other which would make everything more complicated. Steve, if you're still following this bug report, do you have any feelings about how we should handle this? My primary concern is ending up with only ignore_root and not minimum_uid and hence opening a possible security vulnerability wherein one could authenticate as a Kerberos principal named daemon, etc., and log on to a system account. You can set up two pam module configs that conflict with one another, but there's no way for the package to automatically select between them (a limitation of the use of debconf, really). You can use maintainer script logic to post-process /etc/pam.d/common-* and tune the options for pam_krb5 based on the contents of /etc/krb5.conf, but this isn't persistent if the user at any point disables and re-enables the krb5 pam profile. Honestly, I don't see any good choices at the packaging level for permuting the pam_krb5 options used. Why wouldn't it work to have krb5-config do a one-time adjustment of /etc/krb5.conf on upgrade (w/ version guard), and give libpam-krb5 a versioned dependency on the version of krb5-config that implements this? As for your original problem, Daniel, - you already have to set the non-default minimum_uid in krb5.conf; why couldn't you automatically apply the same setting to /etc/pam.d/common-* by the same mechanism? There may be room for improvement in the package defaults, but ISTM that this shouldn't stand in the way of you solving your immediate problem - especially given that you're decidedly not using the package defaults anyway. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Daniel Richard G. sk...@iskunk.org writes: Thought about the upgrade process a bit. How about this: 1. kerberos-configs starts generating new krb5.conf files with minimum_uid=1000. Then a little later... 2. libpam-krb5 has minimum_uid removed from pam-configs/krb5. On upgrade, it checks to see if this is in krb5.conf. If yes, great. If no, then copy pam-configs/krb5 to e.g. krb5_old, have pam-auth-update use that instead of the new krb5 profile, and show a warning to the user. The user can dismiss the warning, and nothing changes for him/her. krb5_old sticks around as a conffile (removed if package is purged, but otherwise remains untouched by future upgrades), and the regular krb5 profile doesn't have to be hobbled by backward-compatibility measures. The input files to pam-auth-update aren't configuration files, so this would need to change somewhat, but I think I can see how to do something like this. Basically, libpam-krb5 would ship two different krb5 PAM profiles and select between them based on whether or not krb5.conf had a minimum_uid setting. However, so far as I can tell, there's no way to do this right now in the existing pam-auth-update system. The package doesn't tell pam-auth-update which profile to add. It just configures all of them. So the user would keep having to select between krb5 and krb5-old (or whatever) without knowing which one too chose, and they'd conflict with each other which would make everything more complicated. Steve, if you're still following this bug report, do you have any feelings about how we should handle this? My primary concern is ending up with only ignore_root and not minimum_uid and hence opening a possible security vulnerability wherein one could authenticate as a Kerberos principal named daemon, etc., and log on to a system account. Fixing Debian Bug#330882 (and in general not creating real shells for system users) would remove a lot of my concern. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Daniel Richard G. sk...@iskunk.org writes: What about just punting on upgrades altogether, and putting in the rearranged config only on a new install? Could that be done with appropriate postinst magic? The tricky part is coordination. At what point can libpam-krb5 drop the minimum_uid setting and assume that it's in krb5.conf? Alternately, you could pop up a big scary debconf warning... there's ample precedent for that. My concern with this is that I think this only affects a small set of users of the packages, so I'm reluctant to bother the other ones. One has to both have a mix of Kerberos-authenticated and non-Kerberos users, distinguish by UID, and mind the silent Kerberos authentication failure when handling the UNIX login. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
You can see why I'm pushing on this. It's pay now, or pay later... no real gain in waiting :-] Ah, yes, users who've been dist-upgrading their Ubuntu installs since Warty... I guess there's no such thing as temporary postinst logic, if those need to be handled. A warning wouldn't be so bad. The users who would see it are those who are (1) dist-upgrading a distribution that (2) uses Kerberos authentication. Which often occurs in (3) an institutional setting with dedicated admins who can hand-hold/auto-script the change as needed. I don't think so many would be affected, and of those who are, a large part should be spoken for by their mother hens. How did PAM-related packages manage changes to /etc/pam.d/* before pam- auth-update came along? Yeah, automated editing is gauche, but it's not like you just can't do *anything* in that sort of scenario... -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Thought about the upgrade process a bit. How about this: 1. kerberos-configs starts generating new krb5.conf files with minimum_uid=1000. Then a little later... 2. libpam-krb5 has minimum_uid removed from pam-configs/krb5. On upgrade, it checks to see if this is in krb5.conf. If yes, great. If no, then copy pam-configs/krb5 to e.g. krb5_old, have pam-auth-update use that instead of the new krb5 profile, and show a warning to the user. The user can dismiss the warning, and nothing changes for him/her. krb5_old sticks around as a conffile (removed if package is purged, but otherwise remains untouched by future upgrades), and the regular krb5 profile doesn't have to be hobbled by backward-compatibility measures. -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Can we get minimum_uid out of pam-configs/krb5 for Lucid? -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Daniel Richard G. sk...@iskunk.org writes: Can we get minimum_uid out of pam-configs/krb5 for Lucid? I haven't had a chance to discuss the idea with the other kerberos-configs maintainer, and at the moment this is a low priority for me since I think the current behavior is correct. At the moment, therefore, I think it's unlikely there will be any changes for lucid if they're waiting on me to initiate the work. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
I know this isn't a big deal in the larger scheme of things, but it's the difference between being able to use the stock krb5 profile, and having to maintain a custom one. (And remember, the current behavior involves headaches if you have any non-root local users.) Please bring this up with Sam when you get an opportunity -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Daniel Richard G. sk...@iskunk.org writes: I know this isn't a big deal in the larger scheme of things, but it's the difference between being able to use the stock krb5 profile, and having to maintain a custom one. (And remember, the current behavior involves headaches if you have any non-root local users.) The current behavior does the correct thing if the UID allocation strategy follows Debian policy, including for local users. That's what I mean by not being convinced that the current behavior is wrong. I realize there are sites that have UID allocation strategies that don't follow the Debian guarantees about UID ranges and therefore need to use lower UIDs due to historic allocations, although I'm surprised that those sites would also be interested in using a stock PAM configuration (or, for that matter, a stock krb5.conf). You really don't want pam-krb5 to be willing to authenticate system users just because you have a principal in your local realm named daemon, and krb5-config never touches an existing krb5.conf file when upgraded, which makes me nervous about removing this setting from the default PAM configuration. This is particularly true in Debian where those accounts have valid shells by default. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
No no, the goal is not to have Kerberos users with uid 1000. It's to push minimum_uid higher, so that you can have normal 1000-something-uid local users authenticate without any Kerberos interaction. Same argument as for the root user and ignore_root. As for doing the upgrade, isn't pam-configs/krb5 a conffile? The user would see what's going on. -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Daniel Richard G. sk...@iskunk.org writes: No no, the goal is not to have Kerberos users with uid 1000. It's to push minimum_uid higher, so that you can have normal 1000-something-uid local users authenticate without any Kerberos interaction. Same argument as for the root user and ignore_root. Oh, sorry. I forgot the context. I even re-read the bug and missed that. Apologies. As for doing the upgrade, isn't pam-configs/krb5 a conffile? The user would see what's going on. No, it's not a conffile. The generated /etc/pam.d files are configuration files, but if the user is using the defaults, I believe changes to the defaults are just automatically applied (although Steve would know better than I). And krb5.conf normally isn't updated once written and I don't think it could be updated with this particular type of change. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
What about just punting on upgrades altogether, and putting in the rearranged config only on a new install? Could that be done with appropriate postinst magic? Alternately, you could pop up a big scary debconf warning... there's ample precedent for that. -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Hi Daniel, Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? Because this is the correct default minimum_uid value to use on Ubuntu systems, where 1000 marks the boundary between system and user accounts, and this default has not been otherwise specified. The problem is that some installations may have the convention of a higher minimum UID for Kerberos users, and their options are limited to either modifying the number in the profile file (a no-no given that the file lives in /usr and not /etc), or bypassing the krb5 profile altogether (either with a custom profile, or direct edits to /etc/pam.d/*). Well, no, you have two other options: - edit /etc/pam.d/common-* directly to remove / modify the minimum_uid option according to your sites needs (these are config files, and pam-auth-update is meant to honor any changes you make to the module options - if it fails to do so, that's a bug), or - provide your own 'krb5-mysite' profile in /usr/share/pam-configs/ and use that in place of the default one. But it would also be reasonable to set this default via appdefaults in /etc/krb5.conf, which I didn't know was possible - if that were done in the default krb5.conf, then we could drop the module option from /usr/share/pam/configs/krb5. So I'll mark this bug as invalid for pam- krb5, and open a task on kerberos-configs. ** Changed in: libpam-krb5 (Ubuntu) Status: New = Invalid ** Also affects: kerberos-configs (Ubuntu) Importance: Undecided Status: New ** Changed in: kerberos-configs (Ubuntu) Importance: Undecided = Low ** Changed in: kerberos-configs (Ubuntu) Status: New = Triaged -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
Steve Langasek steve.langa...@canonical.com writes: But it would also be reasonable to set this default via appdefaults in /etc/krb5.conf, which I didn't know was possible - if that were done in the default krb5.conf, then we could drop the module option from /usr/share/pam/configs/krb5. So I'll mark this bug as invalid for pam-krb5, and open a task on kerberos-configs. In practice, krb5.conf files usually aren't a useful place to set distribution options. A lot of sites that use Kerberos (such as Stanford) distribute a global krb5.conf file for the whole site and encourage all users to just install it. One has to assume that in most cases krb5.conf is going to get overridden by the user. (This is one of the reasons why it's not a conffile in kerberos-configs and instead is only created once and then very selectively modified, so note that no changes will be picked up by existing systems, only by new installations.) I'm not sure there's any reason *not* to set the option in krb5.conf, other than maybe a minor slippery slope argument that setting application options in the distribution default krb5.conf isn't going to scale well since we don't have an include mechanism for fragments. But it may or may not really fix the problem of preventing Kerberos getting in the way of local logins as thoroughly as using a PAM option. The reason why that option is recommended is because if there's something wrong with the network that causes pam-krb5 to hang for long periods, login can time out and leave you in a situation where you can't log in as root. Maybe it would make sense to leave minimum_uid for /etc/krb5.conf but set ignore_root in the profile to eliminate the worst of the problem of not having minimum_uid set. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ? https://bugs.launchpad.net/bugs/369575 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to kerberos-configs in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs