From Fedora Project Wiki

Revision as of 15:55, 20 October 2021 by Besser82 (talk | contribs) (Initial draft.)

Drop NIS(+) support from PAM

Summary

This change is about dropping user-authentication using NIS(+) from PAM.


Owner


Current status

  • Targeted release: Fedora Linux 36
  • Last updated: 2021-10-20
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>


Detailed Description

NIS(+) was introduced by Sun/Oracle to easily share files and system users between UNIX-like systems within the same network, and has been around for some decades. Its simplicity, on the other hand, opens up a variety of possible security issues, such as not being able to verify whether the shared information is actually correct and/or trustworthy. That said, and with several more secure options (LDAP, Kerberos, Samba, etc.) available to achieve the same goal, we should remove support for NIS, at least for user authentication.


Feedback

There was some discussion on the fedora-devel mailing list. Some people are reluctant to see NIS(+) support removed from PAM, while most are okay with it, as more secure alternatives (LDAP, FreeIPA, etc.) are available.


Benefit to Fedora

With this change we start directing our users and developers to move away from NIS(+) to secure alternatives like LDAP and/or FreeIPA.


Scope

  • Proposal owners:
    • Adapt the pam spec file to build without support for NIS(+).
    • Communicate the removal of the PAM configuration for user-authentication using NIS with the authselect maintainers; also offer assistance to implement the needed changes.
  • Other developers:
    • Apply the pull-request to the authselect package.
    • Test this change.
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A


Upgrade/compatibility impact

Users that were relying on support for NIS(+) will need to move to secure alternatives like LDAP and/or FreeIPA.
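
A pre-upgrade check for the dependency described above, as an added example that is not part of the Change page or of any Fedora package. It assumes NIS use shows up as a `nis`/`nisplus` source in `/etc/nsswitch.conf`, the `nis` option on `pam_unix.so` lines under `/etc/pam.d`, or active entries in `/etc/yp.conf`; the function names, the root-prefix argument and the sample host names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Change page): list where a system still
# references NIS(+) for accounts. The optional root prefix is an assumption
# that lets the check run against a mounted image or a constructed tree.
nis_findings() {
    root="${1:-}"
    # NSS: passwd/shadow/group databases that list the nis or nisplus source.
    f="$root/etc/nsswitch.conf"
    [ -r "$f" ] && awk -v f="$f" '
        /^[ \t]*#/ { next }
        $1 ~ /^(passwd|shadow|group):$/ {
            for (i = 2; i <= NF; i++)
                if ($i == "nis" || $i == "nisplus")
                    print "nss " f ": " $1 " " $i
        }' "$f"
    # PAM: pam_unix lines that carry the "nis" option.
    for p in "$root"/etc/pam.d/*; do
        [ -f "$p" ] || continue
        awk -v f="$p" '
            /^[ \t]*#/ { next }
            /pam_unix\.so/ {
                for (i = 1; i <= NF; i++)
                    if ($i == "nis") print "pam " f ": " $1 " pam_unix nis"
            }' "$p"
    done
    # ypbind: active domain/ypserver lines in yp.conf.
    f="$root/etc/yp.conf"
    [ -r "$f" ] && awk -v f="$f" '
        /^[ \t]*#/ { next }
        $1 == "domain" || $1 == "ypserver" { print "ypbind " f ": " $0 }' "$f"
    return 0
}

# Constructed sample tree (hypothetical host names) for trying the check offline.
make_sample_tree() {
    t=$(mktemp -d) && mkdir -p "$t/etc/pam.d" || return 1
    printf '%s\n' 'passwd: files nis' '# group: nis' 'group: files sss' \
        'shadow: files nisplus' > "$t/etc/nsswitch.conf"
    printf '%s\n' 'auth required pam_unix.so nullok' \
        'password sufficient pam_unix.so sha512 shadow nis use_authtok' \
        > "$t/etc/pam.d/system-auth"
    printf '%s\n' '# ypserver old.example.test' \
        'domain example.test server nis.example.test' > "$t/etc/yp.conf"
    echo "$t"
}
```

Call `nis_findings` with no argument to inspect the running system, or `nis_findings "$(make_sample_tree)"` to see the output format; empty output means none of the three places reference NIS.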


How To Test

There is no need to test: once the configure switch is removed, support is dropped.


User Experience

For some users this change may be a bit disruptive, and switching to alternative solutions may involve a learning curve.


Dependencies

No RPMs directly depend on the changed functionality of the affected PAM module. However, the authselect package needs to be updated to drop its PAM configuration for user-authentication using NIS.


Contingency Plan

  • Contingency mechanism: Revert the changes made to the affected packages and rebuild them.
  • Contingency deadline: At beta freeze.
  • Blocks release? Yes.


Documentation

Any documentation about sharing system users and files over NIS should be dropped, if it exists.


Release Notes

Support for NIS(+) has been dropped from PAM. Users who are currently using NIS(+) to share UNIX users / groups within a network should migrate their setups to LDAP or some other secure service providing comparable functionality before updating to Fedora 36.