On ke, 06 loka 2021, Björn 'besser82' Esser wrote:
Am Freitag, dem 01.10.2021 um 09:31 -0400 schrieb Stephen John Smoogen:
On Fri, 1 Oct 2021 at 06:14, Björn 'besser82' Esser
<besser82@xxxxxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> I'm currently doing some experiments with replacing the - upstream
> mostly unmaintained - pam_unix module (authentication with user
> passwd)
> with something using less bloated and cleaner code. This topic is
> currently also discussed with the upstream maintainer of pam_unix.
>
> Replacing parts of a software for the sake of less complexity
> usually
> comes with a cut-down of features; in this particular case it would
> be
> dropping support for NIS(+), which has already been abandoned by its
> initial developer SUN / Oracle for about 10 years [1].
>
> Before starting some more concrete plans, I'd like to get some
> feedback
> from the Fedora community how they feel about removing NIS(+)
> support in
> PAM. Is it even still actively used anywhere and/or by anyone in
> the
> Fedora universe?
>
The places I have seen it still being used are in Universities run by
people who learned sysadmin in the 1990's and early 2000's. It is a
light weight system which is simple to set up and tends to be the
goto-stick for a lot of 'we put this together in 1999 with RHL6 and
upgraded ever since' places.
That said, NIS in most setups causes all kinds of security problems
and audit failures that those areas are probably rapidly going away.
[And the ones I know have been moving to Debian because it keeps
various other technologies we jettisoned long ago.]
If we drop this from pam_unix, should we look to dropping ypbind and
similar tools?
Yes, finally dropping the ypbind, yp-tools, and ypserv packages seems to
make sense in this context, as from my understanding they won't be of
any practical use anymore.
Maybe libnsl, libnsl2, nss_nis, and slapi-nis can be evaluated to be
dropped also.
slapi-nis implements two separate plugins, one of which provides NIS
support. It is going to be supported in RHEL 9 and I'd like to keep NIS
part supported in Fedora as well for some time. This only requires
existence of libnsl2.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure