LinuxQuestions.org - Slackware - slackware 15 and pam (https://www.linuxquestions.org/questions/slackware-14/slackware-15-and-pam-4175483168/)

chemfire 10-14-2015 07:52 AM

Quote:

Originally Posted by ReaperX7 (Post 5434188)
What makes anyone think any administrator with years of experience would just use an off the shelf Linux distribution without some level of research and reworking on their end? Slackware doesn't even have half the patches used to secure most applications and packages, much less use SELinux and other hardening agents in the system. You guys think PAM is going to be some magic panacea to cure every problem you have? You're out of your head if you believe that nonsense.

Nobody would choose something without some research, no. They might very well select Slackware. I do security auditing and I see Slackware pop up in all sorts of corporate environments. Big industrial firms you would recognize the name of if you have ever driven a car, or been anywhere in the midwest. Now, they don't show up in large numbers; usually they are a department server for an engineering group or something like that. They tend to be participating in NIS with other UNIX machines: Solaris, HPUX, AIX and friends.

The Slackware machines (when patched) tend to be very hard targets. Why? Because it is so simple. There just isn't much attack surface. You can get on the box with some stolen NIS credentials or maybe toss yourself a reverse shell after attacking some badly done CGI script somebody wrote. Things you could do to any distro. Escalating privileges, however, and rooting the boxes tends to be difficult or impossible. This is the original argument against inclusion of PAM: it is added attack surface.

Slackware shows up in a lot of places many people on these boards don't realize. I am biased; I think on balance it's time to add PAM, but I understand the arguments against as well. I do want to point out that, contrary to what many on these boards think, Slackware does make appearances in the commercial world.

@ReaperX7

If you're going to make the argument that Slackware is a solid platform for building onto to meet your specific needs, then it's reasonable the foundation should be something that works for as many people as possible. No, PAM isn't going to solve everyone's problems, but it will make many things easier for some. As far as everyone else goes, PAM isn't new any more; including it would be harmless to people with use cases like yours.

Also, as far as the other MAC solutions like SELinux go, I can count on one hand the number of times I have seen any company using something other than the out-of-box configuration, and I have virtually never seen it configured in anything but permissive mode in production. Actually setting it to enforcing is something that never seems to make it off the security team's lab machine. I am not saying using it would not greatly improve the security posture of many application servers, but it's just not happening in the real world. You see, your typical sysadmin now in a large shop is often 1:100 in terms of admins to servers. There isn't time to custom tune something like that for specific apps. The better run places have a baseline configuration for each platform so they know it's that config + the application. All the patching and change pushes are automated. No, they don't blindly apply updates. Usually they have QA systems for their more important apps and they test out patch deployments on those first.
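The "added attack surface" point above is about what a PAM stack permits. As an added example (not from this thread), here is a small auditor for /etc/pam.d stacks that parses the `type control module args` lines, including `[...]` control fields and backslash continuations, and flags the classic weak directives; both sample stacks are constructed.

```python
import re

# Constructed sample: a permissive /etc/pam.d/login (not a real system's file)
WEAK_LOGIN = """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_permit.so
auth       required     pam_unix.so nullok \\
                        try_first_pass
account    required     pam_unix.so
session    required     pam_unix.so
"""

# Constructed sample: the same stack with the weak directives removed
HARDENED_LOGIN = """\
auth       required     pam_securetty.so
auth       required     pam_unix.so try_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
session    required     pam_unix.so
"""

# type, control (word or [value=action ...]), module path, optional args
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, [args]) tuples; joins '\\' continuations."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if line.endswith("\\"):                   # continued on next line
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        m = LINE_RE.match(line) if line else None
        if m:
            typ, ctl, mod, args = m.groups()
            entries.append((typ, ctl, mod, args.split()))
    return entries

def audit_pam(text):
    """Flag directives in the auth stack that weaken authentication."""
    findings = []
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    for _, ctl, mod, args in auth:
        short_circuits = ctl == "sufficient" or "success=done" in ctl
        if mod.endswith("pam_permit.so") and short_circuits:
            findings.append(f"{ctl} pam_permit.so short-circuits auth: anyone passes")
        if mod.endswith("pam_unix.so") and "nullok" in args:
            findings.append("nullok on pam_unix.so: empty passwords are accepted")
    if auth and not auth[-1][2].endswith("pam_deny.so"):
        findings.append("auth stack has no explicit pam_deny.so tail")
    return findings
```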

Didier Spaier 10-14-2015 07:55 AM

Quote:

Originally Posted by ReaperX7 (Post 5434407)
Wait a tick... Who the hell is Caitlyn Martin???

See the readers' comments in a 2012 issue of DistroWatch Weekly.

Some comments:
  • I take no responsibility for her calling me "my dear friend Didier" in post #65. But there was probably some irony involved ;)
  • My opinion about Slackware derivatives in general and Slackel in particular has evolved since then. I think that the way Slackware is managed does encourage having derivatives and after all that's not bad as that helps broaden its scope and user base. So, thanks Dimitris for providing Slackel!

ReaperX7 10-14-2015 08:26 AM

Not to take sides, but she did make sense in post #22 in the last paragraph before she shot herself in the foot with a bazooka.

Sentence three of the last paragraph of post 22. Phone doesn't want to do copy-paste at the moment.

volkerdi 10-14-2015 02:07 PM

Quote:

Originally Posted by ivandi (Post 5433914)
1) compile MIT Kerberos
2) compile Linux-PAM

It's step one that I'm opposed to more than step two. If PAM without Kerberos doesn't add the Samba functionality that people want, I'd say PAM still isn't worth it for most users. PAM is a fairly simple technology. Kerberos, on the other hand, is a complicated mess that I'd rather not see dig its tendrils into everything.

Smokey_justme 10-14-2015 02:19 PM

Well, Heimdal could be a replacement for MIT Kerberos... I know this would work with at least OpenLDAP, but the latest release is from 2012 and I don't know if it's currently being maintained or not (but according to the github pages it is still maintained).. I also don't know if it would really be any different from your point of view..

ivandi 10-14-2015 03:03 PM

Quote:

Originally Posted by volkerdi (Post 5434625)
It's step one that I'm opposed to more than step two. If PAM without Kerberos doesn't add the Samba functionality that people want, I'd say PAM still isn't worth it for most users. PAM is a fairly simple technology. Kerberos, on the other hand, is a complicated mess that I'd rather not see dig its tendrils into everything.

Well, that doesn't make much sense to me because Samba already includes a Kerberos implementation. I can speculate that pam_winbind will work. But all software that supports GSSAPI won't get it, and we won't have single sign-on and NFSv4.


Cheers

kikinovak 10-15-2015 01:10 PM

Quote:

Originally Posted by volkerdi (Post 5434625)
It's step one that I'm opposed to more than step two. If PAM without Kerberos doesn't add the Samba functionality that people want, I'd say PAM still isn't worth it for most users.

Replace NIS/NFS with LDAP/NFS = definitely worth it :hattip:

chemfire 10-15-2015 01:34 PM

Quote:

Originally Posted by volkerdi (Post 5434625)
It's step one that I'm opposed to more than step two. If PAM without Kerberos doesn't add the Samba functionality that people want, I'd say PAM still isn't worth it for most users. PAM is a fairly simple technology. Kerberos, on the other hand, is a complicated mess that I'd rather not see dig its tendrils into everything.

I still think it would be highly worth it. I can't confirm 100%, but I believe this would enable someone who wanted to have Slackware act as a member server to accomplish that with just the installation of Kerberos and a re-roll of the samba package. I don't think it would be necessary to rebuild other system components. That would result in a system that is at least mostly functional, even if a few things that could have GSSAPI support remain built without it. This would be a huge step forward for many of the people trying to interoperate with Winders.

Alien Bob 10-15-2015 01:43 PM

When testing Samba 4 (before it went into Slackware) I was able to connect a Slackware computer to a Samba4 domain by only adding a kerberos package to the client computer. Nothing was needed in addition.
I never did thorough testing... I just was curious at the time whether a client needed a separate kerberos package.

NeoMetal 10-16-2015 11:53 AM

Quote:

Originally Posted by ivandi (Post 5434666)
Well, that doesn't make much sense to me because samba already includes kerberos implementation. I can speculate that pam_winbind will work. But all software that support gssapi won't get it and we won't have single sign on and nfs4.

Cheers

Yeah, I've used PAM and pam_winbind to get auth to the OS and to CIFS shares against an AD domain, which is all I wanted from it, but yeah, didn't try anything with SSO or NFSv4. Not sure if there is a big demand for SSO, or if just being able to use AD/LDAP creds to control auth to Linux/Linux-hosted resources is the bigger interest; for me it's the latter.

Qury 10-16-2015 12:52 PM

Quote:

Originally Posted by NeoMetal (Post 5435601)
Not sure if there is a big demand for SSO.

Personally, it would be extremely useful for me.

ivandi 10-18-2015 10:03 PM

Well, it was a busy week but today I had some spare time to do some testing.

SETUP (details are here)
Code:

Virtual network based on my SlackMATE project:

dc.example.net (192.168.0.2)  SlackMATE server. Samba AD DC for EXAMPLE.NET
www.example.net (192.168.0.5)  Web server.
                              http://www.example.net is public /var/www/htdocs
                              https://www.example.net is private /var/www/private protected by mod_auth_kerb and ssl.
cl1.example.net (dhcp)        Client 1, SlackMATE
cl2.example.net (dhcp)        Client 2, SlackMATE
slackware.example.net (dhcp)  Full stock slackware64-current. Local user ivandi.

Users: test1(cl1) test2(cl2) test3(slackware)

Firefox: in about:config network.negotiate-auth.trusted-uris is set to https://www.example.net


RESULTS

cl1 and cl2, SlackMATE desktop:

ads join works
samba shares work
samba spnego works
graphical login works
firefox sso works (no authentication needed to access https://www.example.net)
ssh sso works


Stock Slackware:

ads join works
samba shares work
spnego for samba works
login doesn't work
no sso in firefox (accessing https://www.example.net pops an authentication dialog)


Slackware + PAM (recompiled shadow and samba) no Kerberos:

ads join works
console login works, then startx
samba works with spnego
no sso in firefox (accessing https://www.example.net pops an authentication dialog)


Slackware + Kerberos no PAM:

ads join works
I logged in as ivandi (local user) and did kinit test3, then startx
samba spnego works
firefox sso works (no authentication needed to access https://www.example.net)



Cheers

chemfire 10-19-2015 08:05 AM

@ivandi

Thanks so much for doing that work so we know what the lay of the land looks like on the current release rather than my speculation based on what I know worked two years ago. I think that is a big help in making an evidence-based case for or against adding PAM.

Just a couple questions if you still have your test environment up. I ask only because there are some folks that might be interested in being a member server without trying to add PAM at the moment.

In your "Slackware + Kerberos no PAM" configuration did the Kerberos build result in a login.krb5 binary? If it did and you make that the login program in /etc/inittab does that then allow you to login as a domain user? This used to work for me on prior versions of Slackware.

pcninja 10-19-2015 08:20 AM

PAM is made by Red Hat, the same guys behind the disastrous PulseAudio and systemd. I don't want Red Hat poisoning Slackware.

Didier Spaier 10-19-2015 08:28 AM

Quote:

Originally Posted by pcninja (Post 5436788)
PAM is made by red hat, the same guys behind the disastrous pulseaudio and systemd. I don't want red hat poisoning slackware.

Just remove from your Slackware all that comes from Red Hat or Fedora and see what happens.
