Pluggable authentication module (PAM) support on CoreOS


sabraham

Aug 27, 2015, 2:05:24 AM
to CoreOS User
Hi,

What is the current plan for PAM support on CoreOS? I found this [https://github.com/coreos/coreos-overlay/issues/499], which said that support is being dropped. Is it on some kind of roadmap for CoreOS?

Brandon Philips

Aug 27, 2015, 3:08:32 PM
to sabraham, CoreOS User
Hello Sabraham-

What is your use case for PAM? 

Thank You,

Brandon

On Wed, Aug 26, 2015 at 11:05 PM sabraham <shijin...@gmail.com> wrote:
Hi,

What is the current plan for PAM support on CoreOS? I found this [https://github.com/coreos/coreos-overlay/issues/499], which said that support is being dropped. Is it on some kind of roadmap for CoreOS?


sabraham

Aug 27, 2015, 3:18:09 PM
to CoreOS User, shijin...@gmail.com
Hi,

I am trying to have my app authenticate against the CoreOS user credentials. I read that the recommended way of doing this is via PAM.

Regards

Brandon Philips

Aug 27, 2015, 4:44:27 PM
to sabraham, CoreOS User
Hello Sabraham-

What type of application? It is generally not recommended to do authentication against local Unix users these days and instead most services utilize an external identity service using OAuth, LDAP, or something else.

Brandon

c...@winged.kiwi

Nov 26, 2015, 11:49:30 PM
to CoreOS User, shijin...@gmail.com
How about custom password authentication, or two-factor authentication, or token-based authentication?
Those are all realized using PAM modules.

For my use case I want to integrate token-based authentication, but I need PAM support for it.
Why was PAM support dropped from CoreOS?

Will it ever be integrated back to CoreOS?

Bernd Prager

Dec 9, 2015, 11:47:01 PM
to CoreOS User, shijin...@gmail.com
I second that. I am trying to do Google two-factor authentication. Any chance that will be supported in the near future?

Michael Marineau

Dec 10, 2015, 1:29:05 PM
to Bernd Prager, shijin abraham, coreos-user

It was dropped way, way back when we transitioned from read-only root to read-only /usr, and since PAM has such a complicated configuration scheme in /etc I dropped support due to the effort required to come up with a system that would be safe with our update model. At some point Kay from systemd posted a proof-of-concept patch for PAM to make it work similar to systemd's model of default system configs in /usr and admin-provided configs in /etc. I don't know if that has gone anywhere since then; I haven't had time to look at the situation in quite some time.

It is something we need to revisit but I'm not sure when. On the upside, avoiding PAM did sidestep at least one remote SSH vulnerability!

Camilo Aguilar

Feb 26, 2016, 8:09:24 AM
to CoreOS User
If PAM is not shipped with CoreOS, what's the suggested approach to authenticate ssh users through third party auth systems?

Michael Marineau

Feb 26, 2016, 11:43:25 AM
to Camilo Aguilar, coreos-user

We don't really have a recommendation until we add PAM and related modules. It is planned but hasn't been started yet. What sort of system do you need to integrate with?

On Feb 26, 2016 5:09 AM, "Camilo Aguilar" <camilo....@gmail.com> wrote:
If PAM is not shipped with CoreOS, what's the suggested approach to authenticate ssh users through third party auth systems?

Camilo Aguilar

Feb 26, 2016, 11:54:57 AM
to Michael Marineau, coreos-user
HashiCorp's Vault

Michael Marineau

Feb 26, 2016, 12:21:00 PM
to Camilo Aguilar, coreos-user
Doing something like this
https://github.com/hashicorp/vault-ssh-helper or something else?

On Fri, Feb 26, 2016 at 8:54 AM, Camilo Aguilar

Camilo Aguilar

Feb 26, 2016, 12:40:23 PM
to Michael Marineau, coreos-user
Yes, using that helper.

Richard Bucker

Mar 30, 2016, 9:46:49 PM
to CoreOS User, michael....@coreos.com
I just read the project home page and the ssh helper relies on PAM. I do not see how this is an alternative when it requires the thing?
Personally I just implemented 2-factor authentication using Yubico's Yubikey (initially failed with Alpine Linux in a container).
All that PAM complexity notwithstanding, I wonder if 2-factor with public access makes any sense on the domain-zero OS. In fact I think putting the sshd service in a container makes more sense. Compromising the domain-zero machine means making the containers largely accessible etc etc etc yadda yadda yadda.

Bernd Prager

Mar 30, 2016, 10:20:16 PM
to coreo...@googlegroups.com
Richard,

I am not sure if I understand.
AFAIK the idea of MFA (Multi-Factor Authentication) is to reduce the chance of compromise. So the domain-zero machine is the first thing one wants to secure, no?

-- Bernd

sabraham

Jun 14, 2016, 2:15:03 PM
to CoreOS User
Bumping up the original question. I read references to PAM on CoreOS but couldn't find any documents. Is it enabled on CoreOS now?

Bernd Prager

Jun 14, 2016, 3:49:40 PM
to coreo...@googlegroups.com

It looks like it. I have not tested it yet:

https://github.com/ragnar-johannsson/coreos-pam-sshd

-- Bernd

On 6/14/16 2:15 PM, sabraham wrote:
Bumping up the original question. I read references to PAM on CoreOS but couldn't find any documents. Is it enabled on CoreOS now?