We currently have a number of PAM modules in ports, and while some of
them are specific to certain third-party software, many aren't. I
believe we would benefit from importing at least some of these into
base. My question is: which ones?
> We currently have a number of PAM modules in ports, and while some
> of them are specific to certain third-party software, many aren't.
> I believe we would benefit from importing at least some of these
> into base. My question is: which ones?
LDAP? (We do currently have some work on LDAP integration but not
sure if the community would be interested -- this would need an import
of stripped down OpenLDAP) and modifies OpenSSH to support public key
in LDAP directory.
Cheers,
--
Xin LI <delp...@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!   Live free or die
_______________________________________________
freebsd-secur...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
On Fri, 16 Sep 2011 12:29:56 -0500, Xin LI <delp...@delphij.net> wrote:
> LDAP? (We do currently have some work on LDAP integration but not
> sure if the community would be interested -- this would need an import
> of stripped down OpenLDAP) and modifies OpenSSH to support public key
> in LDAP directory.
All of this would be greatly appreciated by myself and my fellow coworkers.
> We currently have a number of PAM modules in ports, and while some of
> them are specific to certain third-party software, many aren't. I
> believe we would benefit from importing at least some of these into
> base. My question is: which ones?
> DES
> --
> Dag-Erling Smørgrav - d...@des.no
> On Fri, 16 Sep 2011 12:29:56 -0500, Xin LI <delp...@delphij.net> wrote:
>> LDAP? (We do currently have some work on LDAP integration but not
>> sure if the community would be interested -- this would need an import
>> of stripped down OpenLDAP) and modifies OpenSSH to support public key
>> in LDAP directory.
> All of this would be greatly appreciated by myself and my fellow coworkers.
I can publish the source code, but note that it's for FreeBSD 8.2 and
OpenLDAP needs to be updated.
The changes are moderately intrusive but are in a manageable shape; it's used
in production at a company who wishes to remain anonymous (the work is
mostly putting together several open source modules, fixing bugs, and they
have assigned a delegate for copyright to license it under a compatible
license). I need to find some time to adapt the code to -HEAD and call
for feedback.
Cheers,
--
Xin LI <delp...@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!   Live free or die
On 09/16/2011 08:05 AM, Dag-Erling Smørgrav wrote:
> We currently have a number of PAM modules in ports, and while some of
> them are specific to certain third-party software, many aren't. I
> believe we would benefit from importing at least some of these into
> base. My question is: which ones?
On Sep 16, 2011 10:21 AM, "Dag-Erling Smørgrav" <d...@des.no> wrote:
> We currently have a number of PAM modules in ports, and while some of
> them are specific to certain third-party software, many aren't. I
> believe we would benefit from importing at least some of these into
> base. My question is: which ones?
On Sat, Sep 17, 2011 at 01:18:27AM -0400, Jason Hellenthal wrote:
> +1 for LDAP
> On Fri, Sep 16, 2011 at 10:25:16PM -0500, Brandon Gooch wrote:
> > On Sep 16, 2011 10:21 AM, "Dag-Erling Smørgrav" <d...@des.no> wrote:
> > > We currently have a number of PAM modules in ports, and while some of
> > > them are specific to certain third-party software, many aren't. I
> > > believe we would benefit from importing at least some of these into
> > > base. My question is: which ones?
I don't mean to reply to my own post, but it seems these offer the most
benefit, IMHO, to the project and end-users.
security/pam_jail A PAM module dropping users in jails after login
security/pam_krb5 A Pluggable Authentication Module for Kerberos5
security/pam_ldap A pam module for authenticating with LDAP
security/pam_mkhomedir Create HOME with a PAM module on demand
security/pam_p11 A PAM module using crypto tokens for auth authenticate against Unix PAM
security/pam_pwdfile A pam module for authenticating with flat passwd files
security/pam_require A PAM module for restricting access based on unix group or username
security/pam_smb NetBIOS domain logon PAM module
security/pam_ssh_agent_auth PAM module which permits authentication via ssh-agent
sysutils/pam_mount A PAM that can mount volumes for a user session
On Fri, Sep 16, 2011 at 10:25:16PM -0500, Brandon Gooch wrote:
> On Sep 16, 2011 10:21 AM, "Dag-Erling Smørgrav" <d...@des.no> wrote:
> > We currently have a number of PAM modules in ports, and while some of
> > them are specific to certain third-party software, many aren't. I
> > believe we would benefit from importing at least some of these into
> > base. My question is: which ones?
Hello, Xin. You wrote on 16 September 2011, 21:29:56:
> LDAP? (We do currently have some work on LDAP integration but not
> sure if the community would be interested -- this would need an import
> of stripped down OpenLDAP) and modifies OpenSSH to support public key
> in LDAP directory.
A minimal LDAP client, nss/pam_ldap and SSH keys in LDAP out of the box is great! But it disagrees with the trend to strip down the base system :(
--
// Black Lion AKA Lev Serebryakov <l...@FreeBSD.org>
> On 09/16/2011 08:05 AM, Dag-Erling Smørgrav wrote:
>> We currently have a number of PAM modules in ports, and while some of
>> them are specific to certain third-party software, many aren't. I
>> believe we would benefit from importing at least some of these into
>> base. My question is: which ones?
>> DES
> LDAP support out of the box would be fantastic.
Also a strong vote for LDAP support. LDAP is our backend for several server systems, and it is a kind of pain having to think first about the ports to be installed. I also suspect, and hope for, better integration if LDAP becomes part of the core system.
Jason Hellenthal <jh...@DataIX.net> writes:
> security/pam_jail A PAM module dropping users in jails after login
> security/pam_krb5 A Pluggable Authentication Module for Kerberos5
We already have that.
> security/pam_ldap A pam module for authenticating with LDAP
Not going to happen, since we don't have LDAP in base.
> security/pam_mkhomedir Create HOME with a PAM module on demand
> security/pam_p11 A PAM module using crypto tokens for auth authenticate against Unix PAM
Requires a PKCS11 implementation in base. I never finished the one I
started on...
> security/pam_pwdfile A pam module for authenticating with flat passwd files
> security/pam_require A PAM module for restricting access based on unix group or username
Apparently requires Perl to run, although this may be a bug in the port.
> security/pam_ssh_agent_auth PAM module which permits authentication via ssh-agent
> sysutils/pam_mount A PAM that can mount volumes for a user session
> On 09/16/11 23:36, Mike Carlson wrote:
>> On 09/16/2011 08:05 AM, Dag-Erling Smørgrav wrote:
>>> We currently have a number of PAM modules in ports, and while some of
>>> them are specific to certain third-party software, many aren't. I
>>> believe we would benefit from importing at least some of these into
>>> base. My question is: which ones?
>>> DES
>> LDAP support out of the box would be fantastic.
>> Mike C
> Also a strong vote for LDAP support. LDAP is our backend for several
> server systems and it is a kind of pain
> having to think first for the ports to be installed. Also I suspect and
> hope a better integration if LDAP gets
> part of the core system.
I think some caution should be used whenever we discuss merging things
into the base system. There may be other ways of achieving the same
functionality, without the challenges that come with merging things
directly into the base system. Ports tend to be easier to update (in
terms of version bumps/features additions) when compared to things that
become part of base.
I think an interesting concept would be something that gave us the
ability to (easily) tie certain ports into software from the base system.
Something that would allow the software to be more easily kept current.
Perhaps this could be done via some sort of base-integrated ports
category that requires extra-special care/controls when being updated.
Using the above idea, perhaps we could have ISOs or the like available
that include these 'base-integrated' ports pre-installed, thus giving
users the ability to (effectively) have an out-of-the-box solution that
included LDAP support, etc., while still having these 'base-integrated'
ports loosely coupled with the base OS. The concept could keep the base
system lean, but provide the flexibility that users desire.
Obviously there are some complexities associated with implementing the
framework and details that would need to be worked out, but this could
address:
-The desire to keep the base system lean
-The desire to provide certain features out-of-the-box
-The ability to keep these 'base-integrated' ports more current in terms
of features/functionality
-r
-- Ryan Steinmetz
PGP: EF36 D45A 5CA9 28B1 A550 18CD A43C D111 7AD7 FAF2
> I think some caution should be used whenever we discuss merging
> things into the base system. There may be other ways of achieving
> the same functionality, without the challenges that come with
> merging things directly into the base system. Ports tend to be
> easier to update (in terms of version bumps/features additions)
> when compared to things that become part of base.
> I think an interesting concept would be something that gave us the
> ability to (easily) tie certain ports into software from the base
> system. Something that would allow the software to be more easily
> kept current. Perhaps this could be done via some sort of
> base-integrated ports category that require extra-special
> care/controls when being updated.
> Using the above idea, perhaps we could have ISOs or the like
> available that include these 'base-integrated' ports pre-installed,
> thus giving users the ability to (effectively) have an
> out-of-the-box solution that included LDAP support, etc., while
> still having these 'base-integrated' ports loosely coupled with the
> base OS. The concept could keep the base system lean, but provide
> the flexibility that users desire.
> Obviously there are some complexities associated with implementing
> the framework and details that would need to be worked out, but
> this could address:
> -The desire to keep the base system lean
> -The desire to provide certain features out-of-the-box
> -The ability to keep these 'base-integrated' ports more current in terms of
> features/functionality
That work was done to meet quakelee@'s company's needs (mostly done by
him; I helped him with some minor things on my weekends) and the
patch might need some cleanup work (I've stripped down the unrelated
parts, like bringing rsync and sudo into their base system, but it's well
possible that I've missed something or haven't removed some junk in
this patchset -- ask me and/or quakelee@ if that's the case; their
patched system works fine and I have everything in our git, so let me
know if that works).
Speaking of having this by default for FreeBSD or not: it's not hard
for us to make a customized distribution, and the patchset allows one
to build an LDAP-free system; we have stripped down OpenLDAP to only do
the client side, and the symbols have been renamed to avoid conflicts with
the OpenLDAP port. Personally I don't consider an operating system that
has no built-in LDAP support a complete one, and consider this:
what happens when OpenLDAP's shared library version is bumped (this is
not rare), and what would your LDAP-linked sshd and pam modules do?
"base-integrated" port -- I wouldn't object if that would ever happen
but I bet it's a much bigger one than LDAP integration :) It may take
me a day or two days to get our patchset cleaned up and updated to
-HEAD and latest OpenLDAP -stable and universe it, plus test on amd64,
but implementing a shiny new framework is not something we (I and
quakelee@) could do.
Cheers,
--
Xin LI <delp...@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!   Live free or die
>> We currently have a number of PAM modules in ports, and while some
>> of them are specific to certain third-party software, many aren't.
>> I believe we would benefit from importing at least some of these
>> into base. My question is: which ones?
> LDAP? (We do currently have some work on LDAP integration but not
> sure if the community would be interested -- this would need an import
> of stripped down OpenLDAP) and modifies OpenSSH to support public key
> in LDAP directory.
I'd love to see LDAP integration, I'm looking forward to it.
--
Best regards,
Lukasz Wasikowski
Xin LI <delp...@delphij.net> writes:
> LDAP? (We do currently have some work on LDAP integration but not
> sure if the community would be interested -- this would need an import
> of stripped down OpenLDAP) and modifies OpenSSH to support public key
> in LDAP directory.
I would vote for importing a *complete* OpenLDAP, unless there are good reasons not to; "slim base" isn't, considering how useful LDAP is.
> Xin LI <delp...@delphij.net> writes:
>> LDAP? (We do currently have some work on LDAP integration but not
>> sure if the community would be interested -- this would need an import
>> of stripped down OpenLDAP) and modifies OpenSSH to support public key
>> in LDAP directory.
> I would vote for importing a *complete* OpenLDAP, unless there are good
> reasons not to; "slim base" isn't, considering how useful LDAP is.
> On 09/16/2011 11:05 AM, Dag-Erling Smørgrav wrote:
>> My question is: which ones?
> security/pam_ssh_agent_auth
> It is BSD licensed and handy for sudo.
Neato, I didn't know of this module for sudo! However, with the default
install on AMD64, I am getting a coredump.
I added
# auth
auth include system
-
+auth sufficient /usr/local/lib/pam_ssh_agent_auth.so
file=/etc/sudokeys debug
# account
account include system
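Review bot: the added `+auth sufficient /usr/local/lib/pam_ssh_agent_auth.so` entry shows its arguments `file=/etc/sudokeys debug` on a separate line; if the policy file really contains that break, OpenPAM will not parse `file=/etc/sudokeys` as a facility name, so the module path and its arguments must share one line. The placement also matters: the entry is added after `auth include system`, so the modules pulled in from the system policy run (and prompt) before the agent check; a `sufficient` entry only short-circuits the entries that follow it, and a failed `required` entry ahead of it still fails the chain, so the agent line belongs before `auth include system` if agent-based authentication is meant to stand on its own.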
to /usr/local/etc/pam.d/sudo
and added
--- sudoers.sample 2011-09-19 13:24:56.000000000 -0400
+++ sudoers 2011-09-19 13:29:17.000000000 -0400
@@ -62,6 +62,10 @@
## Uncomment to enable special input methods. Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE
QT_IM_SWITCHER"
+
+Defaults env_keep += SSH_AUTH_SOCK
+
+
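Review bot: `Defaults env_keep += SSH_AUTH_SOCK` is the line that lets the module reach the invoking user's agent socket, which sudo's environment reset would otherwise drop; the two trailing empty `+` lines at the end of the hunk add nothing and can be left out. Keeping SSH_AUTH_SOCK means sudo consults whatever agent the invoking user points it at, so what ties an agent identity to an approved key is the root-controlled keys file named in the pam.d entry (`file=/etc/sudokeys`), not the socket.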
I must be missing something obvious?
---Mike
-- -------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
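The pam.d and sudoers changes in the post above are easy to get subtly wrong: a module line wrapped across two lines, the agent entry placed after the password modules, or SSH_AUTH_SOCK not kept through sudo. What follows is an added example, not code from the thread or from the pam_ssh_agent_auth project: a small Python checker that parses a pam.d policy in FreeBSD's "facility control module-path [args]" form and a sudoers fragment, and reports those three conditions offline. The two sample policies and the sudoers lines embedded in it are constructed; the keys file path /etc/sudokeys and the module path are taken from the post.

```python
"""Offline checker for a pam_ssh_agent_auth setup: a pam.d policy plus a sudoers fragment.

Added example for this thread; not code from the list posters or from the
pam_ssh_agent_auth project.  Assumes FreeBSD pam.d syntax (each line is
'facility control module-path [module-args]') and the sudoers
'Defaults env_keep += ...' form.  All sample input below is constructed.
"""
import os
import re

PAM_FACILITIES = {"auth", "account", "password", "session"}
ENV_KEEP_RE = re.compile(r"^Defaults\s+env_keep\s*\+=\s*(.+)$")


def parse_pam_policy(text):
    """Parse pam.d text into entries.  Lines whose first word is not a PAM
    facility are reported rather than parsed, since OpenPAM rejects them;
    the usual cause is a mail client wrapping a long module line."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] not in PAM_FACILITIES:
            problems.append(f"line {lineno}: '{fields[0]}' is not a PAM facility; "
                            "probably a wrapped continuation of the previous line")
            continue
        if len(fields) < 3:
            problems.append(f"line {lineno}: need facility, control and module")
            continue
        entries.append({"facility": fields[0], "control": fields[1],
                        "module": fields[2], "args": fields[3:]})
    return entries, problems


def check_agent_auth(entries):
    """Findings about the pam_ssh_agent_auth entry in the auth chain."""
    findings = []
    auth = [e for e in entries if e["facility"] == "auth"]
    agent_idx = [i for i, e in enumerate(auth)
                 if os.path.basename(e["module"]) == "pam_ssh_agent_auth.so"]
    if not agent_idx:
        return ["no pam_ssh_agent_auth entry in the auth chain"]
    for i in agent_idx:
        e = auth[i]
        if not any(a.startswith("file=") for a in e["args"]):
            findings.append("pam_ssh_agent_auth has no file= argument; "
                            "the module's own default keys file will be used")
        if e["control"] != "sufficient":
            findings.append(f"pam_ssh_agent_auth control is '{e['control']}', "
                            "so agent success alone cannot satisfy the chain")
        # PAM runs entries in order: a 'sufficient' success only skips the
        # entries after it, and a failed 'required' entry before it still
        # fails the chain, so the agent entry belongs ahead of password modules.
        if i > 0:
            findings.append("pam_ssh_agent_auth is listed after other auth "
                            "entries; those (and their prompts) run first")
    return findings


def sudo_env_keep(text):
    """Variables preserved through sudo by 'Defaults env_keep += ...' lines."""
    kept = set()
    for raw in text.splitlines():
        m = ENV_KEEP_RE.match(raw.strip())
        if m:
            kept.update(m.group(1).strip().strip('"').split())
    return kept


def audit(pam_text, sudoers_text):
    """Combine both checks; an empty list means the setup looks consistent."""
    entries, problems = parse_pam_policy(pam_text)
    findings = problems + check_agent_auth(entries)
    if "SSH_AUTH_SOCK" not in sudo_env_keep(sudoers_text):
        findings.append("sudoers does not keep SSH_AUTH_SOCK; the module "
                        "cannot reach the caller's agent")
    return findings


# Constructed sample input: a policy as it arrives after a mail client wrapped
# the module line, and the same policy with the agent entry first and unwrapped.
PAM_WRAPPED = """\
# auth
auth include system
auth sufficient /usr/local/lib/pam_ssh_agent_auth.so
file=/etc/sudokeys debug
# account
account include system
"""
PAM_FIXED = """\
# auth
auth sufficient /usr/local/lib/pam_ssh_agent_auth.so file=/etc/sudokeys debug
auth include system
# account
account include system
"""
SUDOERS = 'Defaults env_keep += "XMODIFIERS GTK_IM_MODULE"\nDefaults env_keep += SSH_AUTH_SOCK\n'

if __name__ == "__main__":
    for name, pam in (("wrapped", PAM_WRAPPED), ("fixed", PAM_FIXED)):
        print(name, audit(pam, SUDOERS) or "ok")
```

Run against the wrapped policy it reports the stray `file=/etc/sudokeys` line, the resulting missing `file=` argument, and the ordering problem; against the fixed policy with SSH_AUTH_SOCK kept it reports nothing. Pointing it at a real `/usr/local/etc/pam.d/sudo` and `/usr/local/etc/sudoers` is a matter of reading those files into `audit()`.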
> On 9/16/2011 3:10 PM, Corey Smith wrote:
>> On 09/16/2011 11:05 AM, Dag-Erling Smørgrav wrote:
>>> My question is: which ones?
>> security/pam_ssh_agent_auth
>> It is BSD licensed and handy for sudo.
> Neato, I didnt know of this module for sudo! However, with the default
> install on AMD64, I am getting coredump.
Actually, I tried the same setup on i386 and it seems to work just fine.
However, on an AMD64 machine, sudo just coredumps. Is anyone running this
setup on amd64?
Running with -D9, normally it looks something like
> # auth
> auth include system
> -
> +auth sufficient /usr/local/lib/pam_ssh_agent_auth.so
> file=/etc/sudokeys debug
> # account
> account include system
> to /usr/local/etc/pam.d/sudo
> and added
> --- sudoers.sample 2011-09-19 13:24:56.000000000 -0400
> +++ sudoers 2011-09-19 13:29:17.000000000 -0400
> @@ -62,6 +62,10 @@
> ## Uncomment to enable special input methods. Care should be taken as
> ## this may allow users to subvert the command being run via sudo.
> # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE
> QT_IM_SWITCHER"
> +
> +Defaults env_keep += SSH_AUTH_SOCK
> +
> +
> I must be missing something obvious?
> ---Mike
-- -------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/