Talk:Design/SSSD

From FedoraProject

(Difference between revisions)
Jump to: navigation, search
(Technology Review)
(Technology Review)
Line 28: Line 28:
 
| Kerberos
 
| Kerberos
 
| Legacy auth-config
 
| Legacy auth-config
|
+
| should not call 'secure' because that's used to mean something else wrt NIS ('usually means you've set things up at the server so that clients can only read from certain maps (for example, 'passwd.adjunct', which is similar in purpose and use to /etc/shadow) if they send their request from privileged ports')
 
|-
 
|-
 
| NIS
 
| NIS
| Shadow file
+
| NIS
 
| Legacy auth-config
 
| Legacy auth-config
|
+
| far more common than NIS / shadow
 
|-
 
|-
 
| Winbind
 
| Winbind
Line 42: Line 42:
 
| Hesiod
 
| Hesiod
 
| Historically, Kerberos
 
| Historically, Kerberos
| Cut from UI / talk to Nalin first
+
| Cut from UI
|
+
| iastate / NCSU / MIT potential current users. iastate said it's fine to cut from UI, they don't need UI for it.
 +
|-
 +
| Smart Card (cert-based)
 +
| Smart Card (cert-based)
 +
| too difficult to manage without UI, can't drop.
 +
| will be in SSSD 6-12 months / smartcard/smartcard most common setup
 
|-
 
|-
| ???
 
 
| Smart Card (cert-based)
 
| Smart Card (cert-based)
| Consider cutting. Consult with Nalin / Tomas / Chandra Kannan / Jack M / Kevin U
+
| Kerberos
| will be in SSSD 6-12 months
+
| too difficult to manage without UI, can't drop.
 +
| Least common setup, smart card enables you to get a krb ticket
 
|-
 
|-
 
| ???
 
| ???

Revision as of 18:51, 15 February 2010

Contents

15 Feb 2010

Feedback

  • Need to avoid having nested firstboot screens
  • Need to avoid having multiple ways to do the same thing
  • UI vs command line vs config files

Technology Review

Identity Technology Authentication Technology Recommended Implementation Misc Notes
LDAP Kerberos SSSD 17%
LDAP LDAP SSSD 80%
NIS Kerberos Legacy auth-config should not call 'secure' because that's used to mean something else wrt NIS ('usually means you've set things up at the server so that clients can only read from certain maps (for example, 'passwd.adjunct', which is similar in purpose and use to /etc/shadow) if they send their request from privileged ports')
NIS NIS Legacy auth-config far more common than NIS / shadow
Winbind Winbind Legacy auth-config
Hesiod Historically, Kerberos Cut from UI iastate / NCSU / MIT potential current users. iastate said it's fine to cut from UI, they don't need UI for it.
Smart Card (cert-based) Smart Card (cert-based) too difficult to manage without UI, can't drop. will be in SSSD 6-12 months / smartcard/smartcard most common setup
Smart Card (cert-based) Kerberos too difficult to manage without UI, can't drop. Least common setup, smart card enables you to get a krb ticket
 ??? Fingerprint Cut from UI

Anticipated User Complaints

  • Have to know how user info maps to password. Legacy UI lets you select all the user info / password methods you want, and tries different combos until it finds something that works. The new way requires you explicitly state the user info + password mapping. (explicit mapping is less prone to accidental configuration thus more secure - less holes that could be broken through)


Suggested Screen Content (Ideal)

Tab 1: Identity & Authentication

  • [ ] NIS
    • [ ] Secure NIS (uses Kerberos)
  • [ ] Winbind (Winbind for both)

[ ] Cache User Info

Tab 2: Advanced Options

NETWORK

  • [ ] Homedir creation on login

LOCAL

  • [ ] Enable local access control
  • [ ] Password hash algorithm [ dropdown goes here | \/]


Review of Current Screens

Tab 1: User Info

  • NIS (Should be listed #1)
  • Winbind (Should be listed #2)
  • Hesiod (Should be listed #3 or pulled. Talk to Nalin)

Tab 2: Password

  • Kerberos (should be kept for NIS)
  • LDAP (should be pulled)
  • Smartcard (consider pulling, talk to Nalin, et. al.)
  • Fingerprint (consider pulling)
    • locally works by just installing the right package. GNOME About Me dialog handles.
    • network - nobody reasonable uses this over the network
  • Winbind (should be kept for winbind)

Tab 3: Options

  • Cache user info KEEP
    • uses nscd. Identity, not auth. Requires less nework trips if enabled - otherwise everytime you type 'ls' or 'ps ax' it uses a network trip to identify the username <=> uid mappings. Can't kill it. Has a higher-performance cache even though it gets staler / harder to flush / caches more stuff than SSSD does.
  • Use shadow KILL
    • this should be enabled. it removes the ability for non-root users to read your password hash.
  • password hash login KEEP
    • only useful for local users
    • controls creation of new passwords
    • folks in particular countries with particular regulations (including france?) government workers care about this
  • local authorization sufficient KILL
    • enable it by default
  • auth sys accounts via network KILL
    • disable it
    • for example, apache accounts are not normally login enabled accounts anyway. this would let you auth it over the network.
  • check access.conf during auth KEEP
    • reword 'Enable local access control'
  • create homedirs on first login KEEP
    • 2 ways to do it, pam-make homedirs vs pam make homedirs dbus
    • dbus method uses policykit/root, more capabilitity but currently issues with setting proper SELinux user context