From Fedora Project Wiki
15 Feb 2010
Feedback
- Need to avoid having nested firstboot screens
- Need to avoid having multiple ways to do the same thing
- UI vs command line vs config files
Technology Review
Identity Technology | Authentication Technology | Recommended Implementation | Misc Notes |
---|---|---|---|
LDAP | Kerberos | SSSD | 17% |
LDAP | LDAP | SSSD | 80% |
NIS | Kerberos | Legacy auth-config | |
NIS | Shadow file | Legacy auth-config | |
Winbind | Winbind | Legacy auth-config | |
Hesiod | Historically, Kerberos | Cut from UI / talk to Nalin first | |
??? | Smart Card (cert-based) | Consider cutting. Consult with Nalin / Tomas / Chandra Kannan / Jack M / Kevin U | will be in SSSD 6-12 months |
??? | Fingerprint | Cut from UI | |
Anticipated User Complaints
- Users have to know how their user-info source maps to their password source. The legacy UI lets you select all the user-info and password methods you want and tries different combinations until it finds one that works. The new way requires you to state the user-info + password mapping explicitly. (An explicit mapping is less prone to accidental misconfiguration and therefore more secure: fewer holes that could be broken through.)
Suggested Screen Content (Ideal)
Tab 1: Identity & Authentication
- [ ] NIS
- [ ] Secure NIS (uses Kerberos)
- [ ] Winbind (used for both identity and authentication)
[ ] Cache User Info
Tab 2: Advanced Options
NETWORK
- [ ] Homedir creation on login
LOCAL
- [ ] Enable local access control
- [ ] Password hash algorithm [ dropdown goes here | \/]
Review of Current Screens
Tab 1: User Info
- NIS (Should be listed #1)
- Winbind (Should be listed #2)
- Hesiod (Should be listed #3 or pulled. Talk to Nalin)
Tab 2: Password
- Kerberos (should be kept for NIS)
- LDAP (should be pulled)
- Smartcard (consider pulling, talk to Nalin, et. al.)
- Fingerprint (consider pulling)
- Locally this works just by installing the right package; the GNOME About Me dialog handles it.
- Network: nobody reasonable uses fingerprint auth over the network.
- Winbind (should be kept for winbind)
Tab 3: Options
- Cache user info KEEP
- Uses nscd. Identity, not auth. Requires fewer network trips if enabled; otherwise every time you type 'ls' or 'ps ax' it makes a network trip to resolve the username <=> uid mappings. Can't kill it. Has a higher-performance cache than SSSD, even though it gets staler, is harder to flush, and caches more stuff.
- Use shadow KILL
- Remove the option and always enable it: shadow passwords remove the ability of non-root users to read your password hash.
- password hash algorithm KEEP
- Only useful for local users.
- Controls the hash used when new passwords are created.
- Government workers in particular countries with particular regulations (including France?) care about this.
- local authorization sufficient KILL
- Remove the option and enable it by default.
- auth sys accounts via network KILL
- Remove the option and leave it disabled.
- For example, apache's account is not normally a login-enabled account anyway; this option would let it be authenticated over the network.
- check access.conf during auth KEEP
- reword 'Enable local access control'
- create homedirs on first login KEEP
- 2 ways to do it: pam_mkhomedir vs the D-Bus-based pam_oddjob_mkhomedir.
- The D-Bus method uses PolicyKit/root and has more capability, but currently has issues with setting the proper SELinux user context.
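The "Use shadow" and "password hash algorithm" items above translate into two concrete checks on the local account database: no hash may sit in the world-readable passwd file, and local hashes should not be legacy DES or MD5. The script below is an added example for these notes, not code from authconfig or Fedora; it runs over constructed passwd and shadow text embedded in the script rather than the real /etc files, and the prefix table maps crypt(3) scheme identifiers ($1$, $5$, $6$, ...) to algorithm names.

```python
"""Audit passwd/shadow contents for shadow use and weak hash algorithms.

Sample data below is constructed for this example; it is not copied from
any real system. Point the functions at open('/etc/passwd').read() and
open('/etc/shadow').read() (as root) to audit a live box.
"""
import re

# Constructed sample: 'legacy' still carries a hash in the passwd field,
# which any local user can read because passwd is world-readable.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
legacy:ab0123456789A:501:501:Legacy User:/home/legacy:/bin/bash
alice:x:502:502:Alice:/home/alice:/bin/bash
"""

# Constructed sample: hash values are placeholders, only the prefixes matter.
SHADOW_SAMPLE = """\
root:$6$saltsalt$hashhashhashhash:14500:0:99999:7:::
apache:!!:14500:0:99999:7:::
alice:$1$abcdefgh$hashhashhash:14500:0:99999:7:::
bob:$5$saltsalt$hashhashhash:14500:0:99999:7:::
carol:*:14500:0:99999:7:::
legacy:ab0123456789A:14500:0:99999:7:::
"""

# crypt(3) scheme identifiers found between the first pair of '$'.
HASH_IDS = {
    "1": "md5",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256",
    "6": "sha512",
    "7": "scrypt",
    "y": "yescrypt",
}
WEAK = {"des", "md5"}


def classify_hash(field):
    """Return the hash scheme of a password field, or 'empty'/'locked'/'unknown'."""
    if field == "":
        return "empty"            # no password at all: login without one
    if field[0] in "!*":
        return "locked"           # '!', '!!', '*': no usable hash, login disabled
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return HASH_IDS.get(m.group(1), "unknown")
    if len(field) == 13 and "$" not in field:
        return "des"              # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def parse_colon_file(text):
    """Split passwd/shadow-style text into field lists, skipping blanks/comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_passwd(text):
    """Flag passwd entries whose password field does not defer to shadow ('x')."""
    findings = []
    for fields in parse_colon_file(text):
        user, pw = fields[0], fields[1]
        if pw == "x":
            continue
        if pw == "":
            findings.append((user, "empty password field in passwd"))
        else:
            findings.append((user, "password hash stored in world-readable passwd"))
    return findings


def audit_shadow(text):
    """Map each shadow user to the scheme of its stored hash."""
    return {fields[0]: classify_hash(fields[1]) for fields in parse_colon_file(text)}


def weak_hashes(text):
    """Users whose local hash uses a legacy scheme the admin should migrate away from."""
    return sorted(u for u, alg in audit_shadow(text).items() if alg in WEAK)


if __name__ == "__main__":
    for user, issue in audit_passwd(PASSWD_SAMPLE):
        print(f"passwd: {user}: {issue}")
    for user, alg in audit_shadow(SHADOW_SAMPLE).items():
        print(f"shadow: {user}: {alg}")
    print("weak hashes:", weak_hashes(SHADOW_SAMPLE))
```

Hashes are only classified by prefix, never verified, so the script needs no crypt library and can run anywhere; rehashing a weak entry still requires the user to set a new password after the hash algorithm option has been changed.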