From Fedora Project Wiki
mNo edit summary
No edit summary
 
Line 9: Line 9:
* Name: [[User:pbrezina| Pavel Březina]]
* Name: [[User:pbrezina| Pavel Březina]]
* Email: pbrezina@redhat.com
* Email: pbrezina@redhat.com
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
* Release notes ticket: [https://pagure.io/fedora-docs/release-notes/issue/76 #76]
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>

Latest revision as of 14:39, 2 March 2018

Make authselect default tool instead of authconfig

Summary

Replace authconfig with authselect and make authselect a default tool to configure PAM and nsswitch.conf. A compatibility tool will help with transition period from authconfig to authselect.

Authselect is a tool to select system authentication and identity sources from a list of supported profiles and it is available to users since Fedora 27. Authselect is designed to be a replacement for authconfig but it takes a different approach to configure the system. Instead of letting the administrator build the pam stack with a tool (which may potentially end up with a broken configuration), it ships several tested stacks (profiles) that solve primary supported use cases and are well tested and supported. At the same time, some obsolete features of authconfig are not supported by authselect. Additionally, authselect is written in C and has a small footprint which allows it to be also part of minimal installations.

Owner

Current status

Detailed Description

Authselect allows the administrator to choose one of the supported profiles. A profile provides description of how the resulting pam and nsswitch configuration looks like. The tool is packaged with a default profile set that is fully supported. If an administrator has different needs they can create a custom profile and make it accessible in authselect by dropping it in the tool specific directory.

The authentication and identity configuration is hardcoded within the profile. However each profile is also allowed to contain some conditional modules that can be either enabled or disabled to allow the administrator to enable some optional behaviour such as account locking or ecryptfs support.

Authselect does not configure daemons that provide the selected identity and authentication services such as SSSD or winbind, it only configures PAM and nsswitch. Daemons must be configured manually or through other system tools like realmd or ipa-client-install that are better suited for this task.

The default profile set contains the following profiles:

  • Local users + SSSD -- local users and remote users are handled by sssd
    • With optional smartcard or fingerprint authentication
  • Local users + winbind -- local users are handled by files and remote users by winbind
    • With optional fingerprint authentication

There is no need for a separate local users profile without SSSD because the SSSD module is not called for local users and it also gracefully detect when the daemon is not running.

Since authselect is very different from the authconfig, we will provide a compatibility tool that will mimic most but not all options of authconfig and translate those operations into an authselect call and configuration changes so we do not break users scripts.

Benefit to Fedora

Authconfig is the current tool to configure pam and nsswitch services with a possibility to generate basic configuration for various daemons (sssd, ldap, kerberos, …). Most importantly authconfig generates the resulting PAM stack from many selectable options which proved to be quite error prone by growing needs of users and services. Authconfig is an old tool and gained a lot of technical debt over the years which makes it hard to maintain. Some parts of it were already deprecated (gui, tui) or obsoleted (relic features such as hesiod support) in Fedora 26.

Authconfig does its best to always generate a valid pam stack but it is not possible test every combination of options and identity and authentication daemons configuration. It is also quite regression prone since those daemons are in active development on their own and independent on authconfig. When a new feature is implemented in an authentication daemon it takes some time to propagate this feature into authconfig. It also often requires a drastic changes to the PAM stack which may easily introduce regressions since it is hard to test properly with so many possible different setups.

The authselect tool aims to simplify the configuration by providing only small set of profiles that are fully tested and supported and move the daemon configuration away from this tool to the tools that are better suited for this task. New features introduced by underlying pam modules may be implemented by providing a new profile that clearly shows the differences, keeping the old profile still available. It is also possible for the authentication daemons to provide and manage their own profile set.

Scope

  • Proposal owners: Authselect is already ready and shipped with Fedora. Owners will provide compatibility tool to help with the transition.
  • Other developers: anaconda-core, fprintd-pam, freeipa-client and realmd are packages that depends on authconfig. We will coordinate efforts to either switch those packages to authselect or make sure that the compatibility tool is sufficient to cover their needs.
  • Policies and guidelines: The policies and guidelines do not need to be updated.
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

On new installations, authselect, together with the compatibility tool will be installed by default instead of authconfig.

On upgraded installations, authconfig will be replaced with the compatibility tool but the configuration generated by authconfig will be intact unless the user will call authselect or the compatibility tool (which provides /sbin/authconfig) is run.

How To Test

  • authselect
    • Run authselect with each of the default profile and see that pam and nsswitch is correctly configured.
    • Test installation and upgrade to Fedora 28, since anaconda-core is one of the affected packages.
    • Test that joining through IPA domain works with ipa-client-install.
    • Test that joining through AD or IPA domains works with realmd.
  • authelect-compat (authconfig)
    • call authconfig command and see that the compatibility tool is run
    • check that user can authenticate through expected sources

User Experience

Fully tested pam and nsswitch configuration. Lower chance for regressions.

Dependencies

These packages currently depends on authconfig:

  • Anaconda-core, freeipa-client, realmd - use authconfig to setup PAM and nsswitch.conf
  • Fprintd-pam - uses authconfig to disable fingerprint authentication when the package is being uninstalled

We must make sure that these packages work with authselect instead of authconfig or that compatibility tool provides required functionality.

Tracker bugs:

Contingency Plan

  • Contingency mechanism: Rollback or disable changes to depending packages.
  • Contingency deadline: Beta
  • Blocks release? No
  • Blocks product? No

Documentation

Release Notes