Talk:Design/SSSD

From FedoraProject

Revision as of 17:54, 15 February 2010 by Duffy (Talk | contribs)

Jump to: navigation, search

Contents

15 Feb 2010

Feedback

  • Need to avoid having nested firstboot screens
  • Need to avoid having multiple ways to do the same thing
  • UI vs command line vs config files

Technology Review

Identity Technology Authentication Technology Recommended Implementation Misc Notes
LDAP Kerberos SSSD 17%
LDAP LDAP SSSD 80%
NIS Kerberos Legacy auth-config
NIS Shadow file Legacy auth-config
Winbind Winbind Legacy auth-config
Hesiod Historically, Kerberos Cut from UI / talk to Nalin first
 ??? Smart Card (cert-based) Consider cutting. Consult with Nalin / Tomas / Chandra Kannan / Jack M / Kevin U will be in SSSD 6-12 months
 ??? Fingerprint Cut from UI

Anticipated User Complaints

  • Have to know how user info maps to password. Legacy UI lets you select all the user info / password methods you want, and tries different combos until it finds something that works. The new way requires you explicitly state the user info + password mapping. (explicit mapping is less prone to accidental configuration thus more secure - less holes that could be broken through)


Suggested Screen Content (Ideal)

Tab 1: Identity & Authentication

  • [ ] NIS
    • [ ] Secure NIS (uses Kerberos)
  • [ ] Winbind (Winbind for both)

[ ] Cache User Info

Tab 2: Advanced Options

NETWORK

  • [ ] Homedir creation on login

LOCAL

  • [ ] Enable local access control
  • [ ] Password hash algorithm [ dropdown goes here | \/]


Review of Current Screens

Tab 1: User Info

  • NIS (Should be listed #1)
  • Winbind (Should be listed #2)
  • Hesiod (Should be listed #3 or pulled. Talk to Nalin)

Tab 2: Password

  • Kerberos (should be kept for NIS)
  • LDAP (should be pulled)
  • Smartcard (consider pulling, talk to Nalin, et. al.)
  • Fingerprint (consider pulling)
    • locally works by just installing the right package. GNOME About Me dialog handles.
    • network - nobody reasonable uses this over the network
  • Winbind (should be kept for winbind)

Tab 3: Options

  • Cache user info KEEP
    • uses nscd. Identity, not auth. Requires less nework trips if enabled - otherwise everytime you type 'ls' or 'ps ax' it uses a network trip to identify the username <=> uid mappings. Can't kill it. Has a higher-performance cache even though it gets staler / harder to flush / caches more stuff than SSSD does.
  • Use shadow KILL
    • this should be enabled. it removes the ability for non-root users to read your password hash.
  • password hash login KEEP
    • only useful for local users
    • controls creation of new passwords
    • folks in particular countries with particular regulations (including france?) government workers care about this
  • local authorization sufficient KILL
    • enable it by default
  • auth sys accounts via network KILL
    • disable it
    • for example, apache accounts are not normally login enabled accounts anyway. this would let you auth it over the network.
  • check access.conf during auth KEEP
    • reword 'Enable local access control'
  • create homedirs on first login KEEP
    • 2 ways to do it, pam-make homedirs vs pam make homedirs dbus
    • dbus method uses policykit/root, more capabilitity but currently issues with setting proper SELinux user context