From Fedora Project Wiki

(Blanked the page)
Tag: Blanking
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Drop NIS(+) support from PAM =


== Summary ==
This change is about dropping user-authentication using NIS(+) from PAM.
== Owner ==
* Name: [[User:besser82 | Björn Esser]]
* Email: besser82@fedoraproject.org
* Name: [[User:ipedrosa | Iker Pedrosa]]
* Email: ipedrosa@redhat.com
== Current status ==
* Targeted release: [[Releases/36 | Fedora Linux 36 ]]
* Last updated: {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}
* FESCo issue: <will be assigned by the Wrangler>
* Tracker bug: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>
[[Category:SystemWideChange]]
[[Category:ChangePageIncomplete]]
<!-- [[Category:ChangeReadyForWrangler]] -->
<!-- [[Category:ChangeAnnounced]] -->
<!-- [[Category:ChangeReadyForFesco]] -->
== Detailed Description ==
NIS(+) was introduced by Sun/Oracle to easily share files and system users between UNIX-alike systems within the same network, and has been around for some decades. Its simplicity though opens a variety of possible security issues, like not being able the verify whether the shared information is actually correct and/or trustworthy. That said, and with several more secure options (LDAP, Kerberos, Samba, etc.) to achieve the same goal, we should at least remove support for NIS for user authentication.
== Feedback ==
There was some discussion on [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/T662DD2FD3YNPTVTOPCYFQRSOQCJWCSZ/ the fedora-devel mailing-list].  Some people are reluctant about the removal of NIS(+) support from PAM, while most are okay with it as there are more secure alternatives (LDAP, FreeIPA, etc.) available.
== Benefit to Fedora ==
With this change we start directing our users and developers to move away from NIS(+) to secure alternatives like LDAP and/or FreeIPA.
== Scope ==
* Proposal owners:
** Adapt the pam spec file to build without support for NIS(+).
** Communicate the removal of the PAM configuration for user-authentication using NIS with the authselect maintainers; also offer assistance to implement the needed changes.
* Other developers:
** Apply the pull-request to the authselect package.
** Test this change.
* Release engineering: [https://pagure.io/releng/issue/10351 #10351]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives: N/A
== Upgrade/compatibility impact ==
Users that were relying on support for NIS(+) will need to move to secure alternatives like LDAP and/or FreeIPA.
== How To Test ==
There is no need to test, as when configure switch is removed, support is dropped.
== User Experience ==
For some users this change may be a bit disruptive and it may require some learning curve for switching to alternative solutions.
== Dependencies ==
* The authselect package needs to be updated to drop its PAM configuration for user-authentication using NIS.
* Apart from that there are actually no rpms, that directly depend on the change of the functionality of the affected PAM module.
== Contingency Plan ==
* Contingency mechanism: Revert the changes made to the affected packages and rebuild them.
* Contingency deadline: At beta freeze.
* Blocks release? Yes.
== Documentation ==
The documentation about sharing system users and files over NIS should be dropped, if there even is any.
== Release Notes ==
Support for NIS(+) has been dropped from PAM.  Users, who are currently using NIS(+) to share UNIX users / groups within a network, should migrate their setups to use LDAP or some other secure service providing comparable functionalities before updating to Fedora 36.

Latest revision as of 08:49, 21 October 2021