Bugzilla – Bug 1169241
AUDIT-0: authselect: review of profiles
Last modified: 2020-08-12 11:07:17 UTC
Hi, Due to continuous work being done with porting FreeIPA to openSUSE Distributions, we have a need to include Authselect in Factory. We want to make sure you don't have any security-related objections to the profiles shipped within it. https://build.opensuse.org/package/show/home:Pharaoh_Atem:Authselect_SUSE/authselect
Hello and thank you for approaching us. Do we need us to check out all the available profiles or should we concentrate on specific ones?
(In reply to Matthias Gerstner from comment #1)
> Hello and thank you for approaching us.
>
> Do we need us to check out all the available profiles or should we concentrate on specific ones?
It seems we only really need sssd profiles for FreeIPA,
(In reply to Matthias Gerstner from comment #1)
> Hello and thank you for approaching us.
>
> Do we need us to check out all the available profiles or should we concentrate on specific ones?
Please review all of them, but the initial priority is the SSSD one, as we need that for FreeIPA and the upcoming openSUSE Accounts platform... I'd like to get authselect into Factory with as much intact as possible, and ideally if any changes are needed that they could be proposed upstream for both Fedora and openSUSE to benefit.
(In reply to Stasiek Michalski from comment #0)
> Hi,
>
> Due to continuous work being done with porting FreeIPA to openSUSE Distributions, we have a need to include Authselect in Factory. We want to make sure you don't have any security-related objections to the profiles shipped within it.
>
> https://build.opensuse.org/package/show/home:Pharaoh_Atem:Authselect_SUSE/authselect
The package has now moved to "security:idm".
https://build.opensuse.org/package/show/security:idm/authselect
I will have a look into this now.
This tool is having some problems with PAM on openSUSE. It operates on /etc/pam.d/system-auth. But on openSUSE this file is not used. Instead we use the pam-config utility which creates files like /etc/pam.d/common-{account,auth,password,session}. These two tools might conflict with each other regarding the PAM configuration. Some pam module RPMs for openSUSE also explicitly call pam-config during installation to add/remove themselves to/from the PAM stack. You might want to talk to our pam and pam-config maintainers about this and see if a solution can be found.
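The mismatch described in the comment above can be checked mechanically by following `include`/`substack` lines to see which services actually pull in a given stack file. This is an added example, not part of the bug thread and not code from authselect or pam-config; the sample PAM tree is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of an openSUSE-style /etc/pam.d (not taken from a real system).
SAMPLE_PAM_D = {
    "sshd": "auth include common-auth\naccount include common-account\n"
            "password include common-password\nsession include common-session\n",
    "login": "auth requisite pam_nologin.so\nauth include common-auth\n"
             "session include common-session\n",
    "common-auth": "auth required pam_env.so\nauth required pam_unix.so try_first_pass\n",
    "common-account": "account required pam_unix.so\n",
    "common-password": "password required pam_unix.so use_authtok\n",
    "common-session": "session required pam_limits.so\nsession required pam_unix.so\n",
    # Stack file of the kind authselect operates on; no service above refers to it.
    "system-auth": "auth required pam_env.so\nauth sufficient pam_sss.so forward_pass\n",
}

# "<type> include|substack <file>"; the type may carry a leading "-".
INCLUDE_RE = re.compile(
    r"^-?(?:auth|account|password|session)\s+(?:include|substack)\s+(\S+)")

def direct_includes(text):
    """Names of the PAM files that one config file includes directly."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = INCLUDE_RE.match(line)
        if m:
            found.add(m.group(1))
    return found

def includers(pam_d, target):
    """Files that pull in `target`, directly or through other includes."""
    graph = {name: direct_includes(text) for name, text in pam_d.items()}
    result, frontier = set(), {target}
    while frontier:
        nxt = {n for n, incs in graph.items()
               if incs & frontier and n not in result}
        result |= nxt
        frontier = nxt
    return sorted(result)

def unused_stacks(pam_d, stacks):
    """Stack files that exist but that no other file includes."""
    return [s for s in stacks if s in pam_d and not includers(pam_d, s)]

if __name__ == "__main__":
    for stack in ("system-auth", "common-auth"):
        print(stack, "<-", includers(SAMPLE_PAM_D, stack) or "no service uses it")
```

On a real system the dictionary would be built by reading each file under /etc/pam.d; a stack that ends up in `unused_stacks` is one whose edits never reach any service.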
Reviewing the profiles in detail only partly makes sense. The profiles come with a bunch of "features" and depending on which features are used a large number of different combinations is the result. I can of course look into the base profiles without any features enabled but they will probably be fine given the simplicity. For now I'm waiting for you to clear up the conflict I mentioned in comment 6. Please let me know how you want to proceed with this.
Reassigning to bug creator. Can you please give a statement in which direction you like to proceed given what I said in comment 6 and comment 7? Thanks.
We will try to talk with PAM stack maintainers, and see where that leads us.
Since there has been no progress for a long time I'm closing this bug as INVALID. If you can find a way to make the package compatible with SUSE then feel free to reopen and we will review.