
List:       fedora-devel-list
Subject:    F27 Self Contained Change: Authselect: new tool to replace authconfig
From:       Jaroslav Reznik <jreznik () redhat ! com>
Date:       2017-07-18 13:48:01
Message-ID: CAMDqk56--CmGvcuo41tkp=RqJ23dZtp1TKNb+pWB6O7=mG-OyQ () mail ! gmail ! com

= Proposed Self Contained Change: Authselect: new tool to replace authconfig =
https://fedoraproject.org/wiki/Changes/Authselect

Change owner(s):
* Pavel Březina <pbrezina@redhat.com>

Authselect is a tool to select system authentication and identity
sources from a list of supported profiles.

It is designed to be a replacement for authconfig, but it takes a
different approach to configuring the system. Instead of letting the
administrator build the pam stack with a tool (which may potentially
end up with a broken configuration), it would ship several tested
stacks (profiles) that solve a use-case and are well tested and
supported. At the same time, some obsolete features of authconfig
would not be supported by authselect.

This tool aims to be shipped alongside authconfig first, then to
deprecate it, and later to replace it in a future Fedora release.

== Detailed Description ==

Authselect will allow the administrator to choose one of the supported
profiles. A profile provides a description of what the resulting pam and
nsswitch configuration looks like. The tool will be packaged with a
default profile set that will be fully supported. If an administrator
has different needs they can create a custom profile and make it
accessible by authselect by dropping it in the tool directory.

The authentication and identity configuration is hardcoded within the
profile. However, each profile is also allowed to contain some
conditional modules that can be either enabled or disabled to allow
the administrator to enable some optional behaviour such as password
policy or ecryptfs support.
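The following is an added example, not code from the proposal or from the authselect project. It illustrates the two ideas above in a small Python script: a profile template whose optional lines are switched on by feature flags, and a sanity check that a rendered pam stack is complete and fails closed, which is the kind of guarantee a hand-built authconfig stack cannot give. The `{include if "feature"}` marker, the sample template lines and the check rules are all constructed for this example and are not authselect's actual file format or validation logic.

```python
import re

# Constructed sample template (hypothetical format, not authselect's own).
# A line ending in {include if "feature"} is kept only when that feature is
# enabled; every other line is part of the fixed, tested stack.
SSSD_SYSTEM_AUTH = """\
auth      required   pam_env.so
auth      sufficient pam_fprintd.so                         {include if "with-fingerprint"}
auth      sufficient pam_unix.so nullok try_first_pass
auth      requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth      sufficient pam_sss.so forward_pass
auth      required   pam_deny.so
account   required   pam_unix.so
account   sufficient pam_localuser.so
account   sufficient pam_succeed_if.so uid < 1000 quiet
account   [default=bad success=ok user_unknown=ignore] pam_sss.so
account   required   pam_permit.so
password  requisite  pam_pwquality.so try_first_pass retry=3 {include if "with-pwquality"}
password  sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  sufficient pam_sss.so use_authtok
password  required   pam_deny.so
session   required   pam_limits.so
session   required   pam_unix.so
session   optional   pam_sss.so
"""

CONDITION = re.compile(r'\s*\{include if "([^"]+)"\}\s*$')
# type, control (plain keyword or [bracketed action list]), module, arguments
PAM_LINE = re.compile(r'^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')


def render_profile(template, enabled_features):
    """Expand a profile template for a set of enabled features: conditional
    lines are dropped unless their feature is enabled, the marker is stripped,
    and blank/comment lines are removed."""
    out = []
    for raw in template.splitlines():
        m = CONDITION.search(raw)
        if m:
            if m.group(1) not in enabled_features:
                continue
            raw = raw[:m.start()]
        line = raw.strip()
        if line and not line.startswith("#"):
            out.append(line)
    return out


def parse_pam_line(line):
    """Split one pam.d line into (type, control, module, args) or None."""
    m = PAM_LINE.match(line)
    if not m:
        return None
    mtype, control, module, args = m.groups()
    return mtype, control, module, args.split()


def check_stack(lines):
    """Return a list of findings for a rendered pam stack; an empty list means
    the stack passes these basic completeness and fail-closed checks."""
    findings = []
    by_type = {"auth": [], "account": [], "password": [], "session": []}
    for line in lines:
        parsed = parse_pam_line(line)
        if parsed is None:
            findings.append(f"unparseable line: {line!r}")
            continue
        mtype, control, module, _ = parsed
        by_type[mtype].append((control, module))
        if control == "sufficient" and module == "pam_permit.so":
            findings.append(f"{mtype}: 'sufficient pam_permit.so' short-circuits the stack")
    for mtype, entries in by_type.items():
        if not entries:
            findings.append(f"{mtype}: no modules configured")
    # auth and password stacks should end with an explicit deny so that a
    # request no earlier module accepted is rejected rather than permitted.
    for mtype in ("auth", "password"):
        entries = by_type[mtype]
        if entries and (entries[-1][1] != "pam_deny.so"
                        or entries[-1][0] not in ("required", "requisite")):
            findings.append(f"{mtype}: stack does not end with a required/requisite pam_deny.so")
    return findings


if __name__ == "__main__":
    for features in (set(), {"with-fingerprint", "with-pwquality"}):
        stack = render_profile(SSSD_SYSTEM_AUTH, features)
        print(f"features={sorted(features)}: {len(stack)} lines, findings={check_stack(stack)}")
```

Rendering the template with no features yields the base SSSD stack; enabling `with-fingerprint` adds the `pam_fprintd.so` line in the same tested position. The checker is deliberately narrow: it catches a missing management group, a stack that does not terminate in a deny, and a `sufficient pam_permit.so` that would let every request through, which are exactly the kinds of mistakes that hand-editing a pam stack tends to produce.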

Authselect will not configure daemons that provide the selected
identity and authentication services such as SSSD or winbind, it will
only configure pam and nsswitch. Daemons must be configured manually
or through other system tools like realmd or ipa-client-install.

The default profile set will contain the following profiles:

* Local users + SSSD -- local users and remote users are handled by sssd
* Local users + SSSD + Fingerprint -- same as above but also pam_fprintd
  is enabled
* Local users + winbind -- local users are handled by files and remote
  users by winbind
* Local users + winbind + Fingerprint -- same as above but also
  pam_fprintd is enabled

We do not want to support nss-pam-ldapd and pam_krb5 in default
profiles since their use-cases are completely or almost completely
covered by SSSD. SSSD can be used as a complete replacement for
pam_krb5, and there are only a few old and rarely used maps for LDAP that
remain unimplemented within SSSD such as hosts and aliases. These maps
will be added in a future SSSD version.

== Scope ==
* Proposal owners: implement the change
* Other developers: N/A (not a System Wide Change)
* Release engineering: [1] (a check of an impact with Release
Engineering is needed)
* List of deliverables: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)

[1] https://pagure.io/releng/issue/6907

Jaroslav
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
