F36 Change: Make Authselect Mandatory (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory

== Summary ==
This change wants to make authselect required to configure
authentication and identity sources and forcefully update
non-authselect configuration to the sssd authselect profile to
eliminate any existing non-authselect setups.

Even though it will still be possible to manually modify the
configuration, users that require special configuration should create
and use custom authselect profile.

''Authselect is available in Fedora since Fedora 27 and enabled by
default on new installations since Fedora 28. Authconfig compatibility
tool was removed from Fedora 35 as a
[[Changes/RemoveAuthselectCompatPackage|system wide change page]]. It
is now well accepted by the community as well as the package
maintainers. The package maintainers have repeatedly requested to make
authselect mandatory for the users which lead to creation of
[https://bugzilla.redhat.com/show_bug.cgi?id=2000936 this bugzilla].''

== Owner ==
* Name: [[User:pbrezina|Pavel Březina]]
* Email: pbrezina@xxxxxxxxxx


== Detailed Description ==
The following components must be updated to make authselect mandatory:
* authselect
* pam
* glibc
* packages that use it: systemd, ecryptfs, nss-mdns and fingerprint.


Required changes:
# Remove user-nsswitch.conf functionality from authselect
# Move ownership of /etc/nsswitch.conf and /etc/pam.d/{system-auth,
password-auth, smartcard-auth, fingerprint-auth, postlogin} to
authselect from glibc and pam
# Require authselect in pam
# Remove non-authselect support from systemd, ecryptfs, nss-mdns and fingerprint
# Select default profile when authselect is installed
# Select default profile when authselect is upgraded

=== Remove user-nsswitch.conf functionality ===
File /etc/authselect/user-nsswitch.conf was introduced in authselect
to allow partial user modifications of nsswitch.conf without the need
to create a custom authselect profile. The main driver was to enable
modules that are not included in authselect such as systemd-resolved
and nss-mdns.

This however made the situation more confusing to users and it is not
desirable any more if authselect is mandatory.

'''Authselect will drop user-nsswitch.conf functionality and instead
add more nsswitch modules to existing profiles and be more open about
future inclusion requests.'''

=== Own /etc/nsswitch.conf and /etc/pam.d/{system-auth, password-auth,
smartcard-auth, fingerprint-auth, postlogin} instead of glibc and pam
===
File /etc/nsswitch.conf is currently owned by glibc. It will be now
owned by authselect and removed from glibc.

PAM configuration generated by authselect is currently owned by pam.
It will be now owned by authselect and removed from pam.

''Note: that config-util and other will still be owned by pam since
these files are not generated by authselect.''

'''All files that are generated by authselect are now owned by authselect.'''

=== Require authselect in pam ===
The pam package will require authselect. This will tie pam and
authselect together and it will be impossible to uninstall authselect
without uninstalling pam which fundamentally makes authselect a hard
dependency on each system.

'''This step will make it impossible to uninstall authselect, making
it always available to RPM packages.'''

=== Remove non-authselect support from systemd, ecryptfs, nss-mdns and
fingerprint ===
'''Non-authselect configuration support will be dropped in these packages.'''

=== Select default profile when authselect is installed ===
If authselect configuration is not detected and this is a new
installation of authselect it will automatically select the
distribution default authselect profile by calling authselect select
--force with distribution specific parameters.

If existing authselect configuration is detected (perhaps from
previous installation), it will be updated (current behavior).

This makes sure that if authselect is installed (which is always) a
configuration is created.
Select default profile when authselect is upgraded
If authselect is upgraded from an older version and non-authselect
configuration is detected, it will forcefully overwrite it with
distribution defaults by calling authselect select --force with
distribution specific parameters.

This is a one time event so if someone does not want to use
authselect, it remains possible. However, non-authselect
configurations will not be supported by RPM packages mentioned above.

If authselect is upgraded on a system that already is configured by
it, the update process remains the same as it is now.

'''This step will forcefully update existing installations to
authselect configuration. It is a one time event and opt-out is still
possible but no longer supported.
'''

== Benefit to Fedora ==
'''Making authselect mandatory will provide better user and
maintainers experience and significantly reduce risk of breaking
system configuration.'''

The use of authselect-generated configuration is currently optional.
This means that users can uninstall authselect or just opt-out from it
by modifying the PAM and nsswitch.conf manually.

Additionally users that upgrade from pre-authselect systems (Fedora 27
and older) must opt-in to authselect manually, which is not the case
most of the time. Also sometimes an upgrade of a particular package
that did not handle authselect configuration correctly automatically
opted-out its users. Therefore we can split users into four groups:
* Those who are using authselect
* Those who were using authselect but are not anymore due to various
errors in packages
* Those who are not using authselect because they are not aware of it
and upgraded from older Fedora versions thus it was not automatically
enabled
* Those who are not using authselect knowingly

''Fedora is now split into two worlds: those who use authselect and
those who don’t. This however keeps two problems existing. Authselect
was designed to solve them both. But it will be solved only if the use
of authselect is a mandatory requirement.''

=== 1. It is difficult to deliver updates to configurations ===
FIles /etc/nsswitch.conf and /etc/pam.d/* are distributed as
%config(noreplace) which means that they are configuration files and
are only installed if they are not yet present. If they are present
then they are never overwritten with package updates, instead an
*.rpmnew file is created and the update responsibility is left
completely to the user.

It is done this way to prevent overwriting user changes
configurations. But at the same time it means that even configurations
that are not modified by the users can not be changed so we can not
deliver fixes and changes efficiently.

It is only possible through difficult scriptlets. As an example, we
can show this bugzilla where a change in Gnome required an update to
PAM otherwise the user could not authenticate. Delivering the change
was easy with authselect, but difficult for non-authselect systems.

Authselect already knows how the resulting configuration should look
and does not risk overriding user configuration. Making it mandatory
will help distribute important updates to nsswitch and PAM
configuration.

=== 2. Package maintainers wants to enable/disable nsswitch or PAM
modules automatically upon installation/uninstallation ===
Packages that install nsswitch modules (e.g. systemd, nss-mdns) or PAM
modules (e.g. ecryptfs, fprintd) want to enable the module
automatically upon RPM installation to provide a better user
experience. So they use various more or less complex and fragile
scriptlets in %post action of the RPM.

This is usually easier for the nsswitch module, when simple sed works
for most configurations. But it is not really possible for PAM
(because there is high risk of introducing security vulnerabilities or
breaking authentication completely) so the packages used authconfig
and now authselect.

Packages need to detect the current authselect state and either call
authselect when available or fallback to non-authselect scriptlets.
The end results tends to be the same for nsswitch modules but
different for PAM modules where it is either enabled with authselect
or nothing happens.

'''If authselect is made mandatory, packages can only support
authselect configuration which makes the change simple,
straightforward, easier to test and safe.'''

== Scope ==
* Proposal owners:
** authselect maintainers:
*** implement the changes described in "Detailed Description" in all
affected packages
*** open pull requests with the changes against affected packages

* Other developers:
** maintainers of affected packages must accept submitted merge request

* Release engineering: [https://pagure.io/releng/issue/10337 #10337]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives: N/A

== Upgrade/compatibility impact ==
The system will be forcefully configured with authselect, selecting
the default distribution profile (sssd), if non-authselect
configuration is detected. It will will override users configuration.
A backup will be created, users can run 'authselect backup-restore
$id' to restore their configuration when desired.

== How To Test ==
* Authselect must keep working as expected.
* Ownership of the following files is transferred to authselect-libs package
** /etc/pam.d/fingerprint-auth
** /etc/pam.d/password-auth
** /etc/pam.d/postlogin
** /etc/pam.d/smartcard-auth
** /etc/pam.d/system-auth
** /etc/nsswitch.conf
* pam requires authselect
* updating from previous system with non-authselect configuration must
result in applied authselect configuration with sssd profile
* updating from previous system with authselect configuration must
remain intact (besides applying udated profiles)
* installing/removing affected packages (see Detailed Description)
must not break authselect configuration

== User Experience ==
PAM and nsswitch.conf configuration will be automatically updated when changed.

''Note: To request inclusion of a new nsswitch or PAM module in
default authselect profiles, either open an issue on authselect GitHub
project or open a bug against authselect component in Fedora
bugzilla.''

''Note: Users will still be able to create custom profiles to include
modules that are not supported by default authselect profiles.
However, such profiles will have limited update support. It is
possible to create a custom profile with some files as symlinks to
default profiles, those files will receive updates automatically.
However, modified files of the custom profiles still need to be
updated manually and the users are responsible for the update.
''

''Note: Users will still be able to opt-out from authselect, but such
configuration will no longer be updated on upgrades or touched by
package installation.''

== Dependencies ==
This change does not break any packages that depends on authselect.

== Contingency Plan ==
* Contingency mechanism: Revert changes in affected packages.
* Contingency deadline: Beta
* Blocks release? No

== Documentation ==
There is no upstream documentation.

== Release Notes ==
Configuring system authentication and identity sources with authselect
is now mandatory. Systems with non-authselect configuration will be
automatically forcefully upgraded to authselect configuration. Users
that require special configuration are encouraged to create and use
custom authselect profile.


-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux