On 3/4/21 5:11 PM, Hans de Goede wrote:
Hi,
On 3/4/21 11:50 AM, Pavel Březina wrote:
On 3/3/21 6:11 PM, Hans de Goede wrote:
Hi,
On 3/2/21 5:20 PM, Pavel Březina wrote:
On 3/2/21 4:25 PM, Ray Strode wrote:
Hi,
Ahh, okay.
On Tue, Mar 2, 2021 at 9:31 AM Hans de Goede <hdegoede@xxxxxxxxxx> wrote:
sudo authselect select minimal
sudo authselect apply-changes
Which results in the following /etc/pam.d/fingerprint-auth file:
[hans@x1 linux]$ sudo cat /etc/pam.d/fingerprint-auth
# Generated by authselect on Tue Mar 2 15:24:53 2021
# Do not modify this file manually.
minimal profile does not support fingerprint
So it seems there are 4 profiles:
[hans@x1 ~]$ authselect list
- minimal Local users only for minimal installations
- nis Enable NIS for system authentication
- sssd Enable SSSD for system authentication (also for local users only)
- winbind Enable winbind for system authentication
What I want is a profile which uses just the good old /etc files to
avoid the overhead of running a local daemon (sssd tends to show up as
one of the top 10 wakeup sources in powertop on an idle system) and I
also don't want a config which tries to go out on the network.
So minimal seems to meet my needs; and although I personally do not
have much of a need for fingerprint auth, I don't really see why we
could not do fingerprint auth with the minimal config. I'm pretty
I'd say the answer is simple - if you go with minimal, you don't need fingerprint. And you wrote it yourself - you don't need fingerprint auth. Just because something can be done, does not mean it is worth to maintain it. More info below.
sure I can manually create a pam-config where this works just fine.
I guess its in the name minimal, where as "local" might be (1) a better
That's the point - it's minimal not local, not without-sssd. The readme explicitly says that it reserved for cases when you really care about disk and memory footprint.
It has very limited functionality by design. If you do not want to use SSSD, you can keep using sssd profile and just disable the service. It will keep working. The minimal profile is there for users that also want to remove sssd packages to safe resources, but in that case you probably don't care about fingerprint and smartcards either.
The problem is that IMHO having sssd enabled by default is really the wrong thing to do for like 95% of our users and defaults should be the settings which are best for most / almost all users.
This is really just a symptom of a much bigger problem though, which is that we simply have way too much services / daemon's starting up by default. The output of "ps aux" after a default Fedora workstation install is just way way too long. Once upon a time Linux users used to make fun of Windows with all its background processes in the mean time a default Fedora WS install has gotten worse then Windows wrt background processes. Any of these are totally unnecessary for most of our users.
We really should be smarter here and the config tools which allows a user to enroll in an authentication domain enable the sssd config when that happens and not have this on by default for everyone.
So what I would really like to see is a local profile which uses just /etc files + fprintd if there are fingerprints enrolled. Smartcards are a different story, because those likely also need significant extra setup.
Where as fingerprints can easily be enrolled from the local UI tools.
name. Note I'm not suggesting to add another profile just for this
but it would be nice if fingerprint auth would at least be a
(default off) feature for the minimal config.
Shall I file a RFE issue for this at:
https://github.com/authselect/authselect/issues/
If you need fingerprint auth then open the ticket please - but no promises here. If you don't need it then just don't open the ticket :-)
Rather then opening a ticket, what I would really like to see is a good discussion about why the sssd profile is the default, because IMHO it is a bad default for most users.
I hear you. From authselect perspective, SSSD was enabled by default
through a change page that was accepted by community. Therefore
authselect is advertising this profile as the main and only. If you want
to run without sssd, you can disable the service but you don't have to
switch to other profile.
Whether or not it should be enabled by default is a different
discussion. But... The SSSD team does acknowledge that it does not have
to be enabled by default for vast majority of Fedora users and we plan
to submit a change page that will address this. However, I am not going
to dive into details in this thread yet, since they are still developing,
Regards,
Hans
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
