Drop NIS(+) support from PAM
This change is about dropping user-authentication using NIS(+) from PAM.
- Name: Björn Esser, Iker Pedrosa
- Email: email@example.com, firstname.lastname@example.org
- Targeted release: Fedora Linux 38
- Last updated: 2023-02-22
- FESCo issue: #2684
- Tracker bug: #2021660
- Release notes tracker: #762
NIS(+) was introduced by Sun/Oracle to easily share files and system users between UNIX-alike systems within the same network, and has been around for some decades. Its simplicity though opens a variety of possible security issues, like not being able the verify whether the shared information is actually correct and/or trustworthy. That said, and with several more secure options (LDAP, Kerberos, Samba, etc.) to achieve the same goal, we should at least remove support for NIS for user authentication.
There was some discussion on the fedora-devel mailing-list. Some people are reluctant about the removal of NIS(+) support from PAM, while most are okay with it as there are more secure alternatives (LDAP, FreeIPA, etc.) available.
Benefit to Fedora
With this change we start directing our users and developers to move away from NIS(+) to secure alternatives like LDAP and/or FreeIPA.
- Proposal owners:
- Adapt the pam spec file to build without support for NIS(+).
- Communicate the removal of the PAM configuration for user-authentication using NIS with the authselect maintainers; also offer assistance to implement the needed changes.
- Other developers:
- Apply the pull-request to the authselect package.
- Test this change.
- Release engineering: #10351
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives: N/A
Users that were relying on support for NIS(+) will need to move to secure alternatives like LDAP and/or FreeIPA.
How To Test
There is no need to test, as when configure switch is removed, support is dropped.
For some users this change may be a bit disruptive and it may require some learning curve for switching to alternative solutions.
- The authselect package needs to be updated to drop its PAM configuration for user-authentication using NIS.
- Apart from that there are actually no rpms, that directly depend on the change of the functionality of the affected PAM module.
- Contingency mechanism: Revert the changes made to the affected packages and rebuild them.
- Contingency deadline: At beta freeze. Documentation and/or migration tools must be prominently available, per FESCo.
- Blocks release? Yes.
The documentation about sharing system users and files over NIS should be dropped, if there even is any.
Support for NIS(+) has been dropped from PAM. Users, who are currently using NIS(+) to share UNIX users / groups within a network, should migrate their setups to use LDAP or some other secure service providing comparable functionalities before updating to Fedora 36.