= Drop NIS(+) support from PAM =

== Summary ==

This change is about dropping user-authentication using NIS(+) from PAM.

== Owner ==

* Name: [[User:besser82 | Björn Esser]]
* Email: besser82@fedoraproject.org
* Name: [[User:ipedrosa | Iker Pedrosa]]
* Email: ipedrosa@redhat.com

== Current status ==

* Targeted release: [[Releases/36 | Fedora Linux 36 ]]
* Last updated: {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}
* FESCo issue: <will be assigned by the Wrangler>
* Tracker bug: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>

[[Category:SystemWideChange]]
[[Category:ChangeReadyForWrangler]]
<!-- [[Category:ChangeAnnounced]] -->
<!-- [[Category:ChangeReadyForFesco]] -->

== Detailed Description ==

NIS(+) was introduced by Sun/Oracle to easily share files and system users between UNIX-like systems within the same network, and has been around for some decades. Its simplicity, though, opens up a variety of possible security issues, such as not being able to verify whether the shared information is actually correct and/or trustworthy. Given that, and with several more secure options (LDAP, Kerberos, Samba, etc.) available to achieve the same goal, we should at least remove support for NIS for user authentication.

== Feedback ==

There was some discussion on [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/T662DD2FD3YNPTVTOPCYFQRSOQCJWCSZ/ the fedora-devel mailing-list]. Some people are reluctant about the removal of NIS(+) support from PAM, while most are okay with it as there are more secure alternatives (LDAP, FreeIPA, etc.) available.

== Benefit to Fedora ==

With this change we start directing our users and developers to move away from NIS(+) to secure alternatives like LDAP and/or FreeIPA.

== Scope ==

* Proposal owners:
** Adapt the pam spec file to build without support for NIS(+).
** Communicate the removal of the PAM configuration for user-authentication using NIS with the authselect maintainers; also offer assistance to implement the needed changes.

* Other developers:
** Apply the pull-request to the authselect package.
** Test this change.

* Release engineering: [https://pagure.io/releng/issue/10351 #10351]

* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)

* Alignment with Objectives: N/A

== Upgrade/compatibility impact ==

Users that were relying on support for NIS(+) will need to move to secure alternatives like LDAP and/or FreeIPA.
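
To find out whether a host is affected before upgrading, the following added example (not part of this Change proposal or of the pam or authselect packages) lists active NIS references in an /etc-style tree. It assumes that NIS use shows up as the <code>nis</code> option on a <code>pam_unix.so</code> line or as a <code>nis</code>/<code>nisplus</code> source in <code>nsswitch.conf</code>; the function names and the sample files are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the Change page: list active NIS references in an
# /etc-style tree. Function names and sample files are constructed.

# Prints "file:line:text" per hit; returns 0 if any hit was found, else 1.
find_nis_refs() {
    local root=$1 hits="" more=""
    # pam_unix's "nis" option; text after a '#' is ignored.
    local pam_re='^[^#]*pam_unix\.so[^#]*[[:space:]]nis([[:space:]]|$)'
    # "nis" or "nisplus" as a source for the account databases.
    local nss_re='^[[:space:]]*(passwd|shadow|group)[[:space:]]*:([^#]*[[:space:]])?(nis|nisplus)([[:space:]]|$)'
    if [ -d "$root/pam.d" ]; then
        # -R follows symlinks, which authselect uses for the files in pam.d.
        hits=$(grep -RHnE "$pam_re" "$root/pam.d" 2>/dev/null || true)
    fi
    if [ -f "$root/nsswitch.conf" ]; then
        more=$(grep -HnE "$nss_re" "$root/nsswitch.conf" || true)
    fi
    hits=$(printf '%s\n%s\n' "$hits" "$more" | sed '/^$/d')
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Constructed sample tree so the example runs offline.
make_sample() {
    mkdir -p "$1/pam.d"
    printf '%s\n' \
        'auth     sufficient pam_unix.so nullok' \
        'password sufficient pam_unix.so sha512 shadow nis use_authtok' \
        '#password sufficient pam_unix.so nis' > "$1/pam.d/system-auth"
    printf '%s\n' \
        'passwd: files nis systemd' \
        'group:  files sss   # nis removed' \
        'hosts:  files dns' > "$1/nsswitch.conf"
}

sample=$(mktemp -d)
make_sample "$sample"
find_nis_refs "$sample" || echo "no NIS references found"
rm -rf "$sample"
```

On a real system, call <code>find_nis_refs /etc</code>; any output means the host still has NIS configured for authentication or account lookup.
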
== How To Test ==

There is no need to test: once the configure switch is removed, support is dropped.

== User Experience ==

For some users this change may be a bit disruptive, and switching to alternative solutions may involve a learning curve.

== Dependencies ==

* The authselect package needs to be updated to drop its PAM configuration for user-authentication using NIS.
* Apart from that, there are no RPMs that directly depend on the change in functionality of the affected PAM module.

== Contingency Plan ==

* Contingency mechanism: Revert the changes made to the affected packages and rebuild them.
* Contingency deadline: At beta freeze.
* Blocks release? Yes.

== Documentation ==

The documentation about sharing system users and files over NIS should be dropped, if any exists.

== Release Notes ==

Support for NIS(+) has been dropped from PAM. Users who are currently using NIS(+) to share UNIX users / groups within a network should migrate their setups to LDAP or some other secure service providing comparable functionality before updating to Fedora 36.