ranger-dev mailing list archives

From "Bolke de Bruin (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (RANGER-842) Allow PAM for authentication
Date Wed, 24 Feb 2016 11:35:18 GMT

[ https://issues.apache.org/jira/browse/RANGER-842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15162855#comment-15162855 ]

Bolke de Bruin edited comment on RANGER-842 at 2/24/16 11:35 AM:
-----------------------------------------------------------------

[~rmani] In general yes. So when you ship rpms or debs for the different distributions you
would need to include these files and make sure they are installed at the right location.
They are distribution specific (i.e. Red Hat uses different contents than Debian does).

In case these files are not present PAM will automatically fall back to /etc/pam.d/other.
It again depends on the distribution what is in these files. Red Hat/CentOS 7 defaults to deny
everything; I don't know what Debian is doing.

In the case of UNIX authentication the *non-remote* part will still allow authentication from
/etc/passwd. I, personally, consider this outdated and it should be replaced by PAM. But if
you choose UNIX as authentication mechanism it will still use the old code path.

My patch does however impact the remote authentication (i.e. the C implementation). Remote
authentication now only allows PAM and does not use /etc/passwd anymore. If you would like
to mimic the old behavior you can symlink /etc/pam.d/ranger-remote to /etc/pam.d/passwd.
I have chosen this to keep remote authentication simple and to make sure you are not triggering
two login attempts (e.g. if I would try PAM first and then /etc/passwd) as that could be a
security incident.



was (Author: bolke):
[~rmani] In general yes. So when you ship rpms or debs for the different distributions you
would need to include these files and make sure they are installed at the right location.
They are distribution specific (i.e. Red Hat uses different contents than Debian does).

In case these files are not present PAM will automatically fall back to /etc/pam.d/other.
It again depends on the distribution what is in these files. Red Hat/CentOS 7 defaults to deny
everything; I don't know what Debian is doing.

In the case of UNIX authentication the *non-remote* part will still allow authentication from
/etc/passwd. I, personally, consider this outdated and legacy. 

My patch does however impact the remote authentication (i.e. the C implementation). Remote
authentication now only allows PAM and does not use /etc/passwd anymore. If you would like
to mimic the old behavior you can symlink /etc/pam.d/ranger-remote to /etc/pam.d/passwd.
I have chosen this to keep remote authentication simple and to make sure you are not triggering
two login attempts (e.g. if I would try PAM first and then /etc/passwd) as that could be a
security incident.


> Allow PAM for authentication
> ----------------------------
>
>                 Key: RANGER-842
>                 URL: https://issues.apache.org/jira/browse/RANGER-842
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin
>    Affects Versions: 0.5.1, 0.6.0
>            Reporter: Bolke de Bruin
>              Labels: authentication, security
>             Fix For: 0.5.1, 0.6.0
>
>         Attachments: 0002-RANGER-842-pam-authentication.patch
>
>
> Ranger currently uses shadow based authentication if configured for unix authentication.
> This way of authenticating is somewhat outdated as any recent Linux system (and many of the
> BSDs) have PAM available. PAM allows multiple authentication sources and also does authorization.
> Ranger should be able to use PAM for authentication.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
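As an added example, not part of the JIRA comment or of the Ranger project, the following POSIX shell check resolves a PAM service name the way the comment describes (service file present, or fallback to `other`) and reports whether the fallback stack is deny-all, so a packaging mistake that leaves `ranger-remote` out of `/etc/pam.d` is caught before remote logins silently fail or pass through a permissive default. The deny-all test is a deliberate simplification (it only looks for `required`/`requisite pam_deny.so` in the `auth` and `account` groups and does not follow `include`/`substack` or bracketed control flags); the demonstration directory at the bottom is constructed, not a real system's `/etc/pam.d`.

```shell
#!/bin/sh
# Given a pam.d directory and a service name, print which PAM stack would be
# consulted and how it behaves. Always exits 0; the first word is the verdict:
#   SERVICE <path> [-> <symlink target>]   service file present (symlink noted)
#   OTHER-DENY <path>                      falls back to a deny-all "other"
#   OTHER-PERMISSIVE <path>                falls back to an "other" that is not deny-all
#   MISSING                                neither file exists
pam_service_check() {
    dir=$1; svc=$2
    if [ -L "$dir/$svc" ]; then
        echo "SERVICE $dir/$svc -> $(readlink "$dir/$svc")"
    elif [ -f "$dir/$svc" ]; then
        echo "SERVICE $dir/$svc"
    elif [ ! -f "$dir/other" ]; then
        echo "MISSING"
    elif stack_denies "$dir/other" auth && stack_denies "$dir/other" account; then
        echo "OTHER-DENY $dir/other"
    else
        echo "OTHER-PERMISSIVE $dir/other"
    fi
}

# True when the given management group (auth, account, ...) of a PAM file has a
# required/requisite pam_deny.so line. Comment lines never match. This is a
# simplification: include/substack and [..] control syntax are not evaluated.
stack_denies() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+(required|requisite)[[:space:]]+pam_deny\.so" "$1"
}

# Constructed demonstration directory standing in for /etc/pam.d: a deny-all
# "other" in the RHEL/CentOS 7 style, and no ranger-remote service file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/other" <<'EOF'
#%PAM-1.0
auth     required pam_deny.so
account  required pam_deny.so
password required pam_deny.so
session  required pam_deny.so
EOF
pam_service_check "$demo_dir" ranger-remote   # OTHER-DENY <demo_dir>/other
```

Pointing it at a real system is `pam_service_check /etc/pam.d ranger-remote`; an `OTHER-*` verdict means the package did not install the service file for that distribution.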
