From Fedora Project Wiki
(Change announced on Jul-18)
(https://pagure.io/fesco/issue/1690#comment-455832)
 
(One intermediate revision by the same user not shown)
Line 83: Line 83:
 
== Release Notes ==
 
== Release Notes ==
  
[[Category:ChangeAnnounced]]
+
[[Category:ChangePageIncomplete]]
 
[[Category:SelfContainedChange]]
 
[[Category:SelfContainedChange]]

Latest revision as of 08:26, 8 August 2017

Authselect: new tool to replace authconfig

Summary

Authselect is a tool to select system authentication and identity sources from a list of supported profiles.

It is designed to be a replacement for authconfig but it takes a different approach to configure the system. Instead of letting the administrator build the pam stack with a tool (which may potentially end up with a broken configuration), it would ship several tested stacks (profiles) that solve a use-case and are well tested and supported. At the same time, some obsolete features of authconfig would not be supported by authselect.

This tool aims to be first shipped along and later deprecate and later replace authconfig in a future Fedora release.

Owner

Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-08-08
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Authselect will allow the administrator to choose one of the supported profiles. A profile provides description of how the resulting pam and nsswitch configuration looks like. The tool will be packaged with a default profile set that will be fully supported. If an administrator has different needs they can create a custom profile and make it accessible by authselect by dropping it in the tool directory.

The authentication and identity configuration is hardcoded within the profile. However each profile is also allowed to contain some conditional modules that can be either enabled or disabled to allow the administrator to enable some optional behaviour such as password policy or ecryptfs support.

Authselect will not configure daemons that provide the selected identity and authentication services such as SSSD or winbind, it will only configure pam and nsswitch. Daemons must be configured manually or through other system tools like realmd or ipa-client-install.

The default profile set will contain the following profiles:

  • Local users + SSSD -- local users and remote users are handled by sssd
  • Local users + SSSD + Fingerprint -- same as above but also pam_fprintd is enabled
  • Local users + winbind -- local users are handled by files and remote users by winbind
  • Local users + winbind + Fingerprint -- same as above but also pam_fprintd is enabled

We do not want to support nss-pam-ldapd and pam_krb5 in default profiles since their use-cases are completely or almost completely covered by SSSD. SSSD can be used as a complete replacement for pam_krb5 and there are only few old and rarely used maps for LDAP that remain unimplemented within SSSD such as hosts and aliases. These maps will be added in a future SSSD version.

Benefit to Fedora

Authconfig is the current tool to configure pam and nsswitch services with a possibility to generate basic configuration for various daemons (sssd, ldap, kerberos, …). Most importantly authconfig generates the resulting pam stack from many selectable options which proved to be quite error prone by growing needs of users and services. Authconfig is an old tool and gained a lot of technical debt over the years which makes it hard to maintain. Some parts of it were already deprecated (gui, tui) or obsoleted (relic features such as hesiod support) in Fedora 26.

Authconfig does its best to always generate a valid pam stack but it is not possible test every combination of options and identity and authentication daemons configuration. It is also quite regression prone since those daemons are in active development on their own and independent on authconfig. When a new feature is implemented in an authentication daemon it takes some time to propagate this feature into authconfig. It also may require a drastic change to the pam stack which may easily introduce regressions since it is hard to test properly with so many possible different setups.

The authselect tool aims to simplify the configuration by providing only small set of profiles that are fully tested and supported and move the daemon configuration away from this tool to the tools that are better suited for this task. New features introduced by underlying pam modules may be implemented by providing a new profile that clearly shows the differences, keeping the old profile still available. It is also possible for the authentication daemons to provide and manage their own profile set.

Authconfig itself stays as default for now. This change is about introducing and promoting authselect as a future default tool to configure identity and authentication and to allow Fedora users to try this and provide feedback on what is missing.

Scope

  • Proposal owners: implement the change
  • Other developers: N/A (not a System Wide Change)
  • Release engineering: #6907 (a check of an impact with Release Engineering is needed)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Either authconfig or authselect can be used to configure system authentication and identity sources. If usage of authconfig is detected, authselect will refuse to perform changes (unless an option to override this behaviour is set).

How To Test

Run authselect with each of the default profile and see that pam and nsswitch is correctly configured.

User Experience

Fully tested pam and nsswitch configuration. Lower chance for regressions.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)
  • Blocks product? No

Documentation

N/A (not a System Wide Change)

Release Notes