* [PATCH 1/3] gnu: Remove comment which is factually incorrect. @ 2016-10-22 15:27 John Darrington 2016-10-22 15:27 ` [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option John Darrington 2016-10-22 15:28 ` [PATCH 3/3] gnu: Add pam-krb5 service John Darrington 0 siblings, 2 replies; 8+ messages in thread From: John Darrington @ 2016-10-22 15:27 UTC (permalink / raw) To: guix-devel; +Cc: John Darrington * gnu/system/pam.scm: Remove incorrect comment. --- gnu/system/pam.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index cd7a342..4546c1a 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -316,4 +316,4 @@ all the PAM services." (pam-configuration (services base) (transform transform)))) -;;; linux.scm ends here + -- 2.1.4 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option. 2016-10-22 15:27 [PATCH 1/3] gnu: Remove comment which is factually incorrect John Darrington @ 2016-10-22 15:27 ` John Darrington 2016-10-23 21:45 ` Leo Famulari 2016-10-22 15:28 ` [PATCH 3/3] gnu: Add pam-krb5 service John Darrington 1 sibling, 1 reply; 8+ messages in thread From: John Darrington @ 2016-10-22 15:27 UTC (permalink / raw) To: guix-devel; +Cc: John Darrington * gnu/system/pam.scm (unix-pam-service) [auth]: Add "use_first_pass" option. --- gnu/system/pam.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index 4546c1a..0278db6 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -217,7 +217,7 @@ should be a file-like object used as the message-of-the-day." (pam-entry (control "required") (module "pam_unix.so") - (arguments '("nullok"))) + (arguments '("nullok" "use_first_pass"))) unix))) (password (list (pam-entry (control "required") -- 2.1.4 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option. 2016-10-22 15:27 ` [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option John Darrington @ 2016-10-23 21:45 ` Leo Famulari 2016-10-24 4:56 ` John Darrington 0 siblings, 1 reply; 8+ messages in thread From: Leo Famulari @ 2016-10-23 21:45 UTC (permalink / raw) To: John Darrington; +Cc: guix-devel On Sat, Oct 22, 2016 at 05:27:59PM +0200, John Darrington wrote: > * gnu/system/pam.scm (unix-pam-service) [auth]: Add "use_first_pass" option. > --- > gnu/system/pam.scm | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm > index 4546c1a..0278db6 100644 > --- a/gnu/system/pam.scm > +++ b/gnu/system/pam.scm > @@ -217,7 +217,7 @@ should be a file-like object used as the message-of-the-day." > (pam-entry > (control "required") > (module "pam_unix.so") > - (arguments '("nullok"))) > + (arguments '("nullok" "use_first_pass"))) pam_unix(8) says: use_first_pass The argument use_first_pass forces the module to use a previous stacked modules password and will never prompt the user - if no password is available or the password is not appropriate, the user will be denied access. I don't understand exactly what this means for GuixSD. Can you explain it to us? :) ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option. 2016-10-23 21:45 ` Leo Famulari @ 2016-10-24 4:56 ` John Darrington 2016-10-27 12:51 ` Ludovic Courtès 0 siblings, 1 reply; 8+ messages in thread From: John Darrington @ 2016-10-24 4:56 UTC (permalink / raw) To: Leo Famulari; +Cc: guix-devel, John Darrington [-- Attachment #1: Type: text/plain, Size: 1652 bytes --] On Sun, Oct 23, 2016 at 05:45:50PM -0400, Leo Famulari wrote: > diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm > index 4546c1a..0278db6 100644 > --- a/gnu/system/pam.scm > +++ b/gnu/system/pam.scm > @@ -217,7 +217,7 @@ should be a file-like object used as the message-of-the-day." > (pam-entry > (control "required") > (module "pam_unix.so") > - (arguments '("nullok"))) > + (arguments '("nullok" "use_first_pass"))) pam_unix(8) says: use_first_pass The argument use_first_pass forces the module to use a previous stacked modules password and will never prompt the user - if no password is available or the password is not appropriate, the user will be denied access. I don't understand exactly what this means for GuixSD. Can you explain it to us? :) On its own it does nothing. It makes more sense in context with the other patch I sent. With this option in place, one can extend the unix-pam-service with another pam service (such as krb5-pam), and if the krb5 authentication fails (for example because I am not at work) then the password I gave will be presented to the regular pam_unix login. I won't be prompted for it again. J' -- Avoid eavesdropping. Send strong encrypted email. PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://sks-keyservers.net or any PGP keyserver for public key. [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 181 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option. 2016-10-24 4:56 ` John Darrington @ 2016-10-27 12:51 ` Ludovic Courtès 2016-10-28 5:22 ` John Darrington 0 siblings, 1 reply; 8+ messages in thread From: Ludovic Courtès @ 2016-10-27 12:51 UTC (permalink / raw) To: John Darrington; +Cc: guix-devel, John Darrington John Darrington <john@darrington.wattle.id.au> skribis: > On Sun, Oct 23, 2016 at 05:45:50PM -0400, Leo Famulari wrote: > > > diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm > > index 4546c1a..0278db6 100644 > > --- a/gnu/system/pam.scm > > +++ b/gnu/system/pam.scm > > @@ -217,7 +217,7 @@ should be a file-like object used as the message-of-the-day." > > (pam-entry > > (control "required") > > (module "pam_unix.so") > > - (arguments '("nullok"))) > > + (arguments '("nullok" "use_first_pass"))) > > pam_unix(8) says: > > use_first_pass > The argument use_first_pass forces the module to use a previous stacked modules > password and will never prompt the user - if no password is available or the > password is not appropriate, the user will be denied access. > > I don't understand exactly what this means for GuixSD. Can you explain > it to us? :) > > On its own it does nothing. It makes more sense in context with the other patch I sent. > With this option in place, one can extend the unix-pam-service with another pam service > (such as krb5-pam), and if the krb5 authentication fails (for example because I am not > at work) then the password I gave will be presented to the regular pam_unix login. > I won't be prompted for it again. In that case, instead of hardcoding “use_first_pass” here, would it be possible for the pam-krb5 service to extend ‘pam-root-service-type’ with a procedure that automatically adds “use_first_pass” where needed? See elogind and ‘pam-extension-procedure’ in (gnu services desktop) for an example of that. Thanks, Ludo’. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option. 2016-10-27 12:51 ` Ludovic Courtès @ 2016-10-28 5:22 ` John Darrington 2016-10-28 12:48 ` Ludovic Courtès 0 siblings, 1 reply; 8+ messages in thread From: John Darrington @ 2016-10-28 5:22 UTC (permalink / raw) To: Ludovic Court??s; +Cc: guix-devel, John Darrington [-- Attachment #1: Type: text/plain, Size: 1206 bytes --] On Thu, Oct 27, 2016 at 02:51:02PM +0200, Ludovic Court??s wrote: > > On its own it does nothing. It makes more sense in context with the other patch I sent. > With this option in place, one can extend the unix-pam-service with another pam service > (such as krb5-pam), and if the krb5 authentication fails (for example because I am not > at work) then the password I gave will be presented to the regular pam_unix login. > I won't be prompted for it again. In that case, instead of hardcoding ???use_first_pass??? here, would it be possible for the pam-krb5 service to extend ???pam-root-service-type??? with a procedure that automatically adds ???use_first_pass??? where needed? I will look into it. But almost any other pam module will want to do the same - at least any other which uses passphrase based authentication. So I thought why put the onus on every other module to do this? J' -- Avoid eavesdropping. Send strong encrypted email. PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://sks-keyservers.net or any PGP keyserver for public key. [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 181 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option. 2016-10-28 5:22 ` John Darrington @ 2016-10-28 12:48 ` Ludovic Courtès 0 siblings, 0 replies; 8+ messages in thread From: Ludovic Courtès @ 2016-10-28 12:48 UTC (permalink / raw) To: John Darrington; +Cc: guix-devel, John Darrington John Darrington <john@darrington.wattle.id.au> skribis: > On Thu, Oct 27, 2016 at 02:51:02PM +0200, Ludovic Court??s wrote: > > > > On its own it does nothing. It makes more sense in context with the other patch I sent. > > With this option in place, one can extend the unix-pam-service with another pam service > > (such as krb5-pam), and if the krb5 authentication fails (for example because I am not > > at work) then the password I gave will be presented to the regular pam_unix login. > > I won't be prompted for it again. > > In that case, instead of hardcoding ???use_first_pass??? here, would it be > possible for the pam-krb5 service to extend ???pam-root-service-type??? with > a procedure that automatically adds ???use_first_pass??? where needed? > > > I will look into it. But almost any other pam module will want to do > the same Yes, and what I suggest will allow you to do that. > - at least > any other which uses passphrase based authentication. So I thought why put the onus on > every other module to do this? It’s not entirely clear that ‘use_first_pass’ is generally desirable, Kerberos aside. So I think it makes more sense to add it as part of the Kerberos service, with an explanation of why it’s important in this context. Ludo’. ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 3/3] gnu: Add pam-krb5 service. 2016-10-22 15:27 [PATCH 1/3] gnu: Remove comment which is factually incorrect John Darrington 2016-10-22 15:27 ` [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option John Darrington @ 2016-10-22 15:28 ` John Darrington 1 sibling, 0 replies; 8+ messages in thread From: John Darrington @ 2016-10-22 15:28 UTC (permalink / raw) To: guix-devel; +Cc: John Darrington * doc/guix.texi (Kerberos Services): New node. * gnu/services/kerberos.scm: New file. * gnu/local.mk: Add it. --- doc/guix.texi | 38 ++++++++++++++++++++++++++- gnu/local.mk | 1 + gnu/services/kerberos.scm | 67 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 gnu/services/kerberos.scm diff --git a/doc/guix.texi b/doc/guix.texi index 86b82c8..1f4e808 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -220,6 +220,7 @@ Services * Desktop Services:: D-Bus and desktop services. * Database Services:: SQL databases. * Mail Services:: IMAP, POP3, SMTP, and all that. +* Kerberos Services:: Kerberos services. * Web Services:: Web servers. * Network File System:: NFS related services. * Miscellaneous Services:: Other services. @@ -7685,6 +7686,7 @@ declaration. * Desktop Services:: D-Bus and desktop services. * Database Services:: SQL databases. * Mail Services:: IMAP, POP3, SMTP, and all that. +* Kerberos Services:: Kerberos services. * Web Services:: Web servers. * Network File System:: NFS related services. * Miscellaneous Services:: Other services. @@ -10389,6 +10391,40 @@ could instantiate a dovecot service like this: (string ""))) @end example + +@node Kerberos Services +@subsubsection Kerberos Services +@cindex Kerberos + +The @code{(gnu services Kerberos)} module provides services relating to +the authentication protocol @dfn{Kerberos}. + +@subsubheading PAM krb5 Service +@cindex pam-krb5 + +The pam-krb5 service allows for login authentication and password +management via Kerberos. +You will need this service if you want PAM enabled applications to authenticate +users using Kerberos. + +@defvr {Scheme Variable} pam-krb5-service-type +A service type for the Kerberos 5 PAM module. +@end defvr + +@deftp {Data Type} pam-krb5-configuration +Data type representing the configuration of the Kerberos 5 PAM module +This type has the following parameters: +@table @asis +@item @code{pam-krb5} (default: @code{pam-krb5}) +The pam-krb5 package to use. + +@item @code{minimum-uid} (default: @code{1000}) +The smallest user ID for which Kerberos authentications should be attempted. +Local accounts with lower values will silently fail to authenticate. +@end table +@end deftp + + @node Web Services @subsubsection Web Services @@ -10475,7 +10511,7 @@ The @dfn{global security system} (GSS) daemon provides strong security for RPC based protocols. Before exchanging RPC requests an RPC client must establish a security context. Typically this is done using the Kerberos command @command{kinit} -or automatically at login time using PAM services. +or automatically at login time using PAM services (@pxref{Kerberos Services}). @defvr {Scheme Variable} gss-service-type A service type for the Global Security System (GSS) daemon. diff --git a/gnu/local.mk b/gnu/local.mk index cfd4480..4021468 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -396,6 +396,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/dbus.scm \ %D%/services/desktop.scm \ %D%/services/dict.scm \ + %D%/services/kerberos.scm \ %D%/services/lirc.scm \ %D%/services/mail.scm \ %D%/services/mcron.scm \ diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm new file mode 100644 index 0000000..144c71b --- /dev/null +++ b/gnu/services/kerberos.scm @@ -0,0 +1,67 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2016 John Darrington <jmd@gnu.org> +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +(define-module (gnu services kerberos) + #:use-module (gnu packages admin) + #:use-module (gnu services) + #:use-module (gnu system pam) + #:use-module (guix gexp) + #:use-module (guix records) + #:export (pam-krb5-configuration + pam-krb5-configuration? + pam-krb5-service-type)) + +(define-record-type* <pam-krb5-configuration> + pam-krb5-configuration make-pam-krb5-configuration + pam-krb5-configuration? + (pam-krb5 pam-krb5-configuration-pam-krb5 + (default pam-krb5)) + (minimum-uid pam-krb5-configuration-minimum-uid + (default 1000))) + +(define (pam-krb5-pam-service config) + "Return a PAM service for Kerberos authentication." + (lambda (pam) + (define pam-krb5-module + #~(string-append #$(pam-krb5-configuration-pam-krb5 config) "/lib/security/pam_krb5.so")) + + (let ((pam-krb5-sufficient + (pam-entry + (control "sufficient") + (module pam-krb5-module) + (arguments (list + (format #f "minimum_uid=~a" + (pam-krb5-configuration-minimum-uid config))))))) + (pam-service + (inherit pam) + (auth (cons* pam-krb5-sufficient + (pam-service-auth pam))) + (session (cons* pam-krb5-sufficient + (pam-service-session pam))) + (account (cons* pam-krb5-sufficient + (pam-service-account pam))))))) + +(define (pam-krb5-pam-services config) + (list (pam-krb5-pam-service config))) + +(define pam-krb5-service-type + (service-type (name 'pam-krb5) + (extensions + (list + (service-extension pam-root-service-type + pam-krb5-pam-services))))) -- 2.1.4 ^ permalink raw reply related [flat|nested] 8+ messages in thread
end of thread, other threads:[~2016-10-28 12:48 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-10-22 15:27 [PATCH 1/3] gnu: Remove comment which is factually incorrect John Darrington 2016-10-22 15:27 ` [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option John Darrington 2016-10-23 21:45 ` Leo Famulari 2016-10-24 4:56 ` John Darrington 2016-10-27 12:51 ` Ludovic Courtès 2016-10-28 5:22 ` John Darrington 2016-10-28 12:48 ` Ludovic Courtès 2016-10-22 15:28 ` [PATCH 3/3] gnu: Add pam-krb5 service John Darrington
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/guix.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.