Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
On Tue, Oct 12, 2021, at 11:32 AM, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory Just to raise the visibility here, this currently breaks all ostree-based systems (*again*): https://bugzilla.redhat.com/show_bug.cgi?id=2019052#c1 ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
On 10/14/21 14:57, Michael Catanzaro wrote: Enforce Authselect Configuration Consistency This sounds good, I updated the page title. Thank you. ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
On Thu, Oct 14 2021 at 01:28:23 PM +0200, Pavel Březina wrote: Do you have any proposals on the name? To me, this change means that if you don't use authselect, you are basically on your own and I'd like to stress this as much as possible. Enforce Authselect Configuration Consistency? ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
On 10/12/21 7:12 PM, Michael Catanzaro wrote: This change is well-considered and includes detailed reasoning to support it. Looks good to me. I think the change proposal should be renamed, though, since authselect would clearly not *actually* be mandatory. Of course you'll risk severe breakage if you turn it off and edit these low-level configurations directly, but that is really no different than it was before. Do you have any proposals on the name? To me, this change means that if you don't use authselect, you are basically on your own and I'd like to stress this as much as possible. But yes, it is still possible to opt-out. However, the package maintainers won't (should not) care about non-authselect configuration anymore. ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
On 10/12/21 5:45 PM, Neal Gompa wrote: On Tue, Oct 12, 2021 at 11:33 AM Ben Cotton wrote: === 1. It is difficult to deliver updates to configurations === FIles /etc/nsswitch.conf and /etc/pam.d/* are distributed as %config(noreplace) which means that they are configuration files and are only installed if they are not yet present. If they are present then they are never overwritten with package updates, instead an *.rpmnew file is created and the update responsibility is left completely to the user. It is done this way to prevent overwriting user changes configurations. But at the same time it means that even configurations that are not modified by the users can not be changed so we can not deliver fixes and changes efficiently. It is only possible through difficult scriptlets. As an example, we can show this bugzilla where a change in Gnome required an update to PAM otherwise the user could not authenticate. Delivering the change was easy with authselect, but difficult for non-authselect systems. Authselect already knows how the resulting configuration should look and does not risk overriding user configuration. Making it mandatory will help distribute important updates to nsswitch and PAM configuration. PAM gained support for systemd-style overlay configuration some time ago. Actually a number of core system components did, if the libeconf dependency is turned on. Instead of forcing authselect, we should probably make sure base functional configuration is shipped in something like /usr/share/pam/pam.d or something like that. This way, it would be possible to update the *default* configuration. If the configuration is modified (e.g. added fingerprint support) the user config won't be updted, but still possible with authselect. Packages would still have to use difficult scriptlets to enable/disable their modules. With authselect, they can just call "authselect enable-feature with-fingerprint" and fingerprint will be enabled if the profile supports it. Note: imho packages should not do these kind of changes and rather explain how to enable modules in documentation, but they are doing it. Not that I think authselect is bad, but I think it's a bad hammer to solve this problem. -- 真実はいつも一つ!/ Always, there's only one truth! ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
On Wed, Oct 13 2021 at 10:22:14 AM +0200, Hans de Goede wrote: Making what IMHO is a poor default of always using sssd everywhere hardcoded even deeper into Fedora seems like a bad idea to me. I think we can fix this at the same time. Make authselect default to its minimal profile rather than its sssd profile, and make realmd responsible for running authselect to enable the sssd profile when it is required. I think realmd is already capable of installing the dependencies it needs when enabled, right? This way, most Fedora systems would no longer run sssd, but enabling enterprise login would not require manual configuration for those who need it. Michael ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
Hi, On 10/12/21 5:32 PM, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory > > == Summary == > This change wants to make authselect required to configure > authentication and identity sources and forcefully update > non-authselect configuration to the sssd authselect profile to > eliminate any existing non-authselect setups. > > Even though it will still be possible to manually modify the > configuration, users that require special configuration should create > and use custom authselect profile. > > ''Authselect is available in Fedora since Fedora 27 and enabled by > default on new installations since Fedora 28. Authconfig compatibility > tool was removed from Fedora 35 as a > [[Changes/RemoveAuthselectCompatPackage|system wide change page]]. It > is now well accepted by the community as well as the package > maintainers. The package maintainers have repeatedly requested to make > authselect mandatory for the users which lead to creation of > [https://bugzilla.redhat.com/show_bug.cgi?id=2000936 this bugzilla].'' > > == Owner == > * Name: [[User:pbrezina|Pavel Březina]] > * Email: pbrez...@redhat.com > > > == Detailed Description == > The following components must be updated to make authselect mandatory: > * authselect > * pam > * glibc > * packages that use it: systemd, ecryptfs, nss-mdns and fingerprint. > > > Required changes: > # Remove user-nsswitch.conf functionality from authselect > # Move ownership of /etc/nsswitch.conf and /etc/pam.d/{system-auth, > password-auth, smartcard-auth, fingerprint-auth, postlogin} to > authselect from glibc and pam > # Require authselect in pam > # Remove non-authselect support from systemd, ecryptfs, nss-mdns and > fingerprint > # Select default profile when authselect is installed > # Select default profile when authselect is upgraded > > === Remove user-nsswitch.conf functionality === > File /etc/authselect/user-nsswitch.conf was introduced in authselect > to allow partial user modifications of nsswitch.conf without the need > to create a custom authselect profile. The main driver was to enable > modules that are not included in authselect such as systemd-resolved > and nss-mdns. > > This however made the situation more confusing to users and it is not > desirable any more if authselect is mandatory. > > '''Authselect will drop user-nsswitch.conf functionality and instead > add more nsswitch modules to existing profiles and be more open about > future inclusion requests.''' > > === Own /etc/nsswitch.conf and /etc/pam.d/{system-auth, password-auth, > smartcard-auth, fingerprint-auth, postlogin} instead of glibc and pam > === > File /etc/nsswitch.conf is currently owned by glibc. It will be now > owned by authselect and removed from glibc. > > PAM configuration generated by authselect is currently owned by pam. > It will be now owned by authselect and removed from pam. > > ''Note: that config-util and other will still be owned by pam since > these files are not generated by authselect.'' > > '''All files that are generated by authselect are now owned by authselect.''' > > === Require authselect in pam === > The pam package will require authselect. This will tie pam and > authselect together and it will be impossible to uninstall authselect > without uninstalling pam which fundamentally makes authselect a hard > dependency on each system. > > '''This step will make it impossible to uninstall authselect, making > it always available to RPM packages.''' > > === Remove non-authselect support from systemd, ecryptfs, nss-mdns and > fingerprint === > '''Non-authselect configuration support will be dropped in these packages.''' > > === Select default profile when authselect is installed === > If authselect configuration is not detected and this is a new > installation of authselect it will automatically select the > distribution default authselect profile by calling authselect select > --force with distribution specific parameters. > > If existing authselect configuration is detected (perhaps from > previous installation), it will be updated (current behavior). > > This makes sure that if authselect is installed (which is always) a > configuration is created. > Select default profile when authselect is upgraded > If authselect is upgraded from an older version and non-authselect > configuration is detected, it will forcefully overwrite it with > distribution defaults by calling authselect select --force with > distribution specific parameters. > > This is a one time event so if someone does not want to use > authselect, it remains possible. However, non-authselect > configurations will not be supported by RPM packages mentioned above. > > If authselect is upgraded on a system that already is configured by > it, the update process remains the same as it is now. > > '''This step will forcefully update existing installations to > authselect configuration. It is a one time event and opt-out is still > possible but no lon
Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
Dne 12. 10. 21 v 17:45 Neal Gompa napsal(a): On Tue, Oct 12, 2021 at 11:33 AM Ben Cotton wrote: === 1. It is difficult to deliver updates to configurations === FIles /etc/nsswitch.conf and /etc/pam.d/* are distributed as %config(noreplace) which means that they are configuration files and are only installed if they are not yet present. If they are present then they are never overwritten with package updates, instead an *.rpmnew file is created and the update responsibility is left completely to the user. It is done this way to prevent overwriting user changes configurations. But at the same time it means that even configurations that are not modified by the users can not be changed so we can not deliver fixes and changes efficiently. It is only possible through difficult scriptlets. As an example, we can show this bugzilla where a change in Gnome required an update to PAM otherwise the user could not authenticate. Delivering the change was easy with authselect, but difficult for non-authselect systems. Authselect already knows how the resulting configuration should look and does not risk overriding user configuration. Making it mandatory will help distribute important updates to nsswitch and PAM configuration. PAM gained support for systemd-style overlay configuration some time ago. Actually a number of core system components did, if the libeconf dependency is turned on. Instead of forcing authselect, we should probably make sure base functional configuration is shipped in something like /usr/share/pam/pam.d or something like that. Not that I think authselect is bad, but I think it's a bad hammer to solve this problem. Right, the best would be if all the "configuration" files were removed from /etc. I have never had a need to change the configurations, but I had to fix those files several times. Vít ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
On Tue, Oct 12 2021 at 01:44:12 PM -0400, Neal Gompa wrote: Why hasn't the nsswitch.conf situation been fixed to work in /usr/share like it does in /etc? Guess: probably nobody proposed it to the glibc developers yet. Michael ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
On Tue, Oct 12, 2021 at 1:13 PM Michael Catanzaro wrote: > > > This change is well-considered and includes detailed reasoning to > support it. Looks good to me. > > I think the change proposal should be renamed, though, since authselect > would clearly not *actually* be mandatory. Of course you'll risk severe > breakage if you turn it off and edit these low-level configurations > directly, but that is really no different than it was before. > > On Tue, Oct 12 2021 at 11:45:28 AM -0400, Neal Gompa > wrote: > > PAM gained support for systemd-style overlay configuration some time > > ago. Actually a number of core system components did, if the libeconf > > dependency is turned on. Instead of forcing authselect, we should > > probably make sure base functional configuration is shipped in > > something like /usr/share/pam/pam.d or something like that. > > That is not possible with nsswitch.conf, though. This proposal is a > good solution to the problems we've had with correctly maintaining > nsswitch.conf. The status quo (see "Therefore we can split users into > four groups:" in the change proposal) is just not good compared to > Fedora's usual quality standards, and this change proposal would > address all of the problems we've had. Also, I'm pretty sure the > scriptlets we currently rely on to maintain correct configurations just > do not work at all on Silverblue/Kinoite/CoreOS (where editing /etc in > RPM scriplets just does not work), and I suspect nobody really knows > what the situation there is for users who have upgraded from older > releases. > Why hasn't the nsswitch.conf situation been fixed to work in /usr/share like it does in /etc? -- 真実はいつも一つ!/ Always, there's only one truth! ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
This change is well-considered and includes detailed reasoning to support it. Looks good to me. I think the change proposal should be renamed, though, since authselect would clearly not *actually* be mandatory. Of course you'll risk severe breakage if you turn it off and edit these low-level configurations directly, but that is really no different than it was before. On Tue, Oct 12 2021 at 11:45:28 AM -0400, Neal Gompa wrote: PAM gained support for systemd-style overlay configuration some time ago. Actually a number of core system components did, if the libeconf dependency is turned on. Instead of forcing authselect, we should probably make sure base functional configuration is shipped in something like /usr/share/pam/pam.d or something like that. That is not possible with nsswitch.conf, though. This proposal is a good solution to the problems we've had with correctly maintaining nsswitch.conf. The status quo (see "Therefore we can split users into four groups:" in the change proposal) is just not good compared to Fedora's usual quality standards, and this change proposal would address all of the problems we've had. Also, I'm pretty sure the scriptlets we currently rely on to maintain correct configurations just do not work at all on Silverblue/Kinoite/CoreOS (where editing /etc in RPM scriplets just does not work), and I suspect nobody really knows what the situation there is for users who have upgraded from older releases. Michael ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
On Tue, Oct 12, 2021 at 11:33 AM Ben Cotton wrote: > > === 1. It is difficult to deliver updates to configurations === > FIles /etc/nsswitch.conf and /etc/pam.d/* are distributed as > %config(noreplace) which means that they are configuration files and > are only installed if they are not yet present. If they are present > then they are never overwritten with package updates, instead an > *.rpmnew file is created and the update responsibility is left > completely to the user. > > It is done this way to prevent overwriting user changes > configurations. But at the same time it means that even configurations > that are not modified by the users can not be changed so we can not > deliver fixes and changes efficiently. > > It is only possible through difficult scriptlets. As an example, we > can show this bugzilla where a change in Gnome required an update to > PAM otherwise the user could not authenticate. Delivering the change > was easy with authselect, but difficult for non-authselect systems. > > Authselect already knows how the resulting configuration should look > and does not risk overriding user configuration. Making it mandatory > will help distribute important updates to nsswitch and PAM > configuration. > PAM gained support for systemd-style overlay configuration some time ago. Actually a number of core system components did, if the libeconf dependency is turned on. Instead of forcing authselect, we should probably make sure base functional configuration is shipped in something like /usr/share/pam/pam.d or something like that. Not that I think authselect is bad, but I think it's a bad hammer to solve this problem. -- 真実はいつも一つ!/ Always, there's only one truth! ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
F36 Change: Make Authselect Mandatory (System-Wide Change proposal)
https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory == Summary == This change wants to make authselect required to configure authentication and identity sources and forcefully update non-authselect configuration to the sssd authselect profile to eliminate any existing non-authselect setups. Even though it will still be possible to manually modify the configuration, users that require special configuration should create and use custom authselect profile. ''Authselect is available in Fedora since Fedora 27 and enabled by default on new installations since Fedora 28. Authconfig compatibility tool was removed from Fedora 35 as a [[Changes/RemoveAuthselectCompatPackage|system wide change page]]. It is now well accepted by the community as well as the package maintainers. The package maintainers have repeatedly requested to make authselect mandatory for the users which lead to creation of [https://bugzilla.redhat.com/show_bug.cgi?id=2000936 this bugzilla].'' == Owner == * Name: [[User:pbrezina|Pavel Březina]] * Email: pbrez...@redhat.com == Detailed Description == The following components must be updated to make authselect mandatory: * authselect * pam * glibc * packages that use it: systemd, ecryptfs, nss-mdns and fingerprint. Required changes: # Remove user-nsswitch.conf functionality from authselect # Move ownership of /etc/nsswitch.conf and /etc/pam.d/{system-auth, password-auth, smartcard-auth, fingerprint-auth, postlogin} to authselect from glibc and pam # Require authselect in pam # Remove non-authselect support from systemd, ecryptfs, nss-mdns and fingerprint # Select default profile when authselect is installed # Select default profile when authselect is upgraded === Remove user-nsswitch.conf functionality === File /etc/authselect/user-nsswitch.conf was introduced in authselect to allow partial user modifications of nsswitch.conf without the need to create a custom authselect profile. The main driver was to enable modules that are not included in authselect such as systemd-resolved and nss-mdns. This however made the situation more confusing to users and it is not desirable any more if authselect is mandatory. '''Authselect will drop user-nsswitch.conf functionality and instead add more nsswitch modules to existing profiles and be more open about future inclusion requests.''' === Own /etc/nsswitch.conf and /etc/pam.d/{system-auth, password-auth, smartcard-auth, fingerprint-auth, postlogin} instead of glibc and pam === File /etc/nsswitch.conf is currently owned by glibc. It will be now owned by authselect and removed from glibc. PAM configuration generated by authselect is currently owned by pam. It will be now owned by authselect and removed from pam. ''Note: that config-util and other will still be owned by pam since these files are not generated by authselect.'' '''All files that are generated by authselect are now owned by authselect.''' === Require authselect in pam === The pam package will require authselect. This will tie pam and authselect together and it will be impossible to uninstall authselect without uninstalling pam which fundamentally makes authselect a hard dependency on each system. '''This step will make it impossible to uninstall authselect, making it always available to RPM packages.''' === Remove non-authselect support from systemd, ecryptfs, nss-mdns and fingerprint === '''Non-authselect configuration support will be dropped in these packages.''' === Select default profile when authselect is installed === If authselect configuration is not detected and this is a new installation of authselect it will automatically select the distribution default authselect profile by calling authselect select --force with distribution specific parameters. If existing authselect configuration is detected (perhaps from previous installation), it will be updated (current behavior). This makes sure that if authselect is installed (which is always) a configuration is created. Select default profile when authselect is upgraded If authselect is upgraded from an older version and non-authselect configuration is detected, it will forcefully overwrite it with distribution defaults by calling authselect select --force with distribution specific parameters. This is a one time event so if someone does not want to use authselect, it remains possible. However, non-authselect configurations will not be supported by RPM packages mentioned above. If authselect is upgraded on a system that already is configured by it, the update process remains the same as it is now. '''This step will forcefully update existing installations to authselect configuration. It is a one time event and opt-out is still possible but no longer supported. ''' == Benefit to Fedora == '''Making authselect mandatory will provide better user and maintainers experience and significantly reduce risk of breaking system configuration.''' The use of authselect-generated configuration is currently optional. This me