On Mon, Jul 21, 2025 at 12:47 PM Dominik George <n...@naturalnet.de> wrote:
>
> Hi,
>
> currently, the userdb system only allows querying for User Records and
> Group Records, hence providing a modern replacement for NSS.
>
> I would like to propose an addition to make it support authentication as
> well. The additions to the io.systemd.UserDatabase Varlink interface
> are:

I think at first you should describe the problem you want to solve, so
that people have a chance to look, if your design solves the problem,
if there are missing pieces, if it makes sense at all or if there
isn't already a working solution?
And I'm not sure if combining a service providing user records with
authentication is a good thing. These are two different things which
have not much in common and make security only harder.
Yes, the PAM protocol is now 30 years old and it was designed for
password authentication without knowing anything about SSO, 2FA or
something similar.
But this is also the advantage: since it is so old, everything out
there in the world is supporting it. If you come with a systemd-only
solution: there are also systems without systemd, and ISVs will not
support two solutions. So whatever you plan, make sure it can be
called by a PAM module.

Thorsten

-- 
Thorsten Kukuk, Distinguished Engineer, Senior Architect, Future Technologies
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461
Nuernberg, Germany
Managing Director: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB
36809, AG Nürnberg)
