stop

Somebody: (whiny) we need something to log into nonprivileged technical accounts without our root SSH proxy. We want this PAM module pam_X.so
me: this stuff is old (-2013) and I can't find any source for it. How about using SSSD with libsss_sudo? It's a modern solution which would allow this with the advantage of using the existing infrastructure.
somebody: NO I WANT THIS MODULE.
me: ok I have it packaged under this name. Could you please test it by manipulating the PAM config?
Somebody: WHAT WHY DO I NEED TO MANIPULATE THE PAM CONFIG?
me: because another package on our servers already manipulates the config and I don't want to create trouble by manipulating it.
Somebody: why are we discussing this. I said clearly what we need and we need it NOW.

We have a package that changes the PAM config to our needs; we are starting to roll out the config via Ansible, but we still use configuration packages on many servers.
For authentication as root we use CyberArk for logging the SSH sessions.
The older solution additionally allowed logging into non-root accounts, but it is being shut down in the next few weeks, after over half a year with both systems active and over half a year with the information that logging into non-privileged accounts will be no more.

Comments
  • You don't fuck around with PAM.

    That's a golden rule...

    *Gets the frying pan ready* Who is the customer, sweetheart?
  • @IntrusionCM the story is still happening so I won't say anything about somebody.
  • @IntrusionCM but yes, PAM already has a lot of modules that are available, and the module was built in 2013, so it is affected by a whole lot of possible security holes like Meltdown/Spectre.
  • @stop in general touching PAM without a good reason is in my opinion "dangerous".

    Security is one thing, but even PAM changes now and then - and nothing is worse than a machine that "suddenly" lost its possibility to login remotely or that is doing... Weird... Stuff when logging in.

    PAM is a very fragile thing - not in the sense that it itself is bad, rather that due to what it does it's easy to break.
  • @IntrusionCM especially when it comes to multiple modules that process the user and one of them grants the access.
  • SMALL UPDATE:
    I packaged the module binaries without building the source code and now it's in testing. Our old solution has been shut down and the blame is not on me anymore.
  • bro html is not a language remove from ur bio thx