Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
@IntrusionCM the story is still happening so i won't say anything about somebody.
-
@IntrusionCM but yes pam has already a lot of modules that are available and the module was build 2013, so it is affected by a whole lot of possible security holes like meltdown/spectre.
-
@stop in general touching PAM without a good reason is in my opinion "dangerous".
Security is one thing, but even PAM changes now and then - and nothing is worse than a machine that "suddenly" lost it's possibility to login remotely or that is doing... Weird... Stuff when logging in.
PAM is a very fragile thing - not in the sense that it itself is bad, rather that due to what it does it's easy to break. -
@IntrusionCM especially when it comes to multiple modules that process the user and one of the grants the access.
Protecting credentials from eavesdropping using HTTP Basic Authorization header:
Somebody: (whinwy) we need something to log into nonprivileged technical accounts without our rootssh proxy. We want this pammodule pam_X.so
me: this stuff is old (-2013) and i can't find any source for it. How about using SSSD with libsss_sudo? Its an modern solution which would allow this with an advantage of using the existing infrastructure.
somebody: NO I WANT THIS MODULE.
me: ok i have it packaged under this name. Could you please test it by manipulating the pam config?
Somebody: WHAT WHY DO I NEED TO MANIPULATE THE PAMCONFIG?
me: because another package on our servers already manipulates the config and i don't want to create trouble by manipulate it.
Somebody: why are we discussing this. I said clearly what we need and we need it NOW.
we have an package that changes the pam config to our needs, we are starting to roll out the config via ansible, but we still use configuration packages on many servers
For authentication as root we use cyberark for logging the ssh sessions.
The older solution allowed additionally the login into non-rootaccounts, but it is shut down in the next few weeks after over half an year of both systems active and over half an year with the information that the login into non-privileged accounts will be no more.
rant
authentication
sssd
internal customer