configure faillock #3

Merged
merged 1 commit into from
Sep 6, 2024
@AlexHearnNI (Collaborator) commented Aug 8, 2024

Summary of Changes

Add steps to configure-nilrt-snac that will install the faillock PAM plugin.

Justification

pam-plugin-faillock will lock accounts after several failed attempts at authentication within a set time period.

Testing

I ran the script.

Relevant output from configure-nilrt-snac:

INFO: Configuring faillock...
DEBUG: Installing pam-plugin-faillock...
Downloading http://download.ni.com/ni-linux-rt/feeds/2024Q3/x64/main/core2-64/pam-plugin-faillock_1.5.2-r0.90_core2-64.ipk.
Installing pam-plugin-faillock (1.5.2) on root
Configuring pam-plugin-faillock.

I tested that accounts are locked after 3 failed tries by adding a user and then attempting to log in with an incorrect password 4 times.

Procedure

@AlexHearnNI AlexHearnNI requested review from amstewart and a team as code owners August 8, 2024 22:36
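
A read-only check for the behaviour the Testing section above describes (lockout after 3 failed tries), as an added example that is not part of this pull request or the project's code. It assumes the thresholds are set in pam_faillock's `faillock.conf`, which this page does not show; `faillock_setting` and `check_lockout` are hypothetical helper names and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not code from this pull request.
# Assumption: lockout thresholds are set in faillock.conf using
# "option = value" or "option value" lines with '#' comments.

# faillock_setting FILE OPTION DEFAULT
# Prints the last value FILE assigns to OPTION, or DEFAULT if it is unset.
faillock_setting() {
    file=$1 opt=$2 default=$3
    val=$(sed -e 's/#.*$//' "$file" 2>/dev/null |
        awk -v opt="$opt" '
            { gsub(/=/, " ") }               # treat "deny=3" like "deny 3"
            $1 == opt && NF >= 2 { v = $2 }  # later lines override earlier ones
            END { if (v != "") print v }')
    printf '%s\n' "${val:-$default}"
}

# check_lockout FILE MAX_DENY
# Returns 0 when deny is a number between 1 and MAX_DENY, 2 when it is not
# numeric, 1 otherwise. 3 is the upstream pam_faillock default for deny.
check_lockout() {
    deny=$(faillock_setting "$1" deny 3)
    case $deny in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$deny" -ge 1 ] && [ "$deny" -le "$2" ]
}

# Constructed sample file (not the configuration shipped by the PR).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
deny = 3
unlock_time=900   # seconds
EOF

echo "deny=$(faillock_setting "$sample" deny 3)"
echo "fail_interval=$(faillock_setting "$sample" fail_interval 900)"
echo "unlock_time=$(faillock_setting "$sample" unlock_time 600)"
if check_lockout "$sample" 3; then
    echo "PASS: account locks after at most 3 failed attempts"
else
    echo "FAIL: deny is invalid or higher than 3"
fi
rm -f "$sample"
```

On a target, point it at the real file, normally `/etc/security/faillock.conf`. The values only take effect when pam_faillock is referenced in the PAM stack, which this check does not inspect.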
@amstewart (Collaborator) left a comment

Let's take this design over to the RTOS team and see if we can mainline it into the pam-faillock IPK, so that our only action in the script is to install that package.

@AlexHearnNI (Collaborator, Author)

> Let's take this design over to the RTOS team and see if we can mainline it into the pam-faillock IPK, so that our only action in the script is to install that package.

I've encountered an issue with this. If I enable faillock exactly as done in this PR on top of the base system image, then it breaks niauth. In particular, you can no longer ssh into the target using niauth credentials. I don't know exactly why it breaks. How should I proceed?

  • option 1: We ignore this issue. ssh will break if a user installs the pam-plugin-faillock package.
  • option 2: I can figure out why pam-plugin-faillock breaks niauth and try to resolve the conflict.
  • option 3: We can keep the configuration in the SNAC utility so that we don't have to worry about handling niauth.

@dmondrik

>   • option 1: We ignore this issue. ssh will break if a user installs the pam-plugin-faillock package.

I'm not fond of this option. We do have tests that install all packages in the core feed. That shouldn't cause the system to break.

@amstewart (Collaborator)

> I've encountered an issue with this. If I enable faillock exactly as done in this PR on top of the base system image, then it breaks niauth. In particular, you can no longer ssh into the target using niauth credentials. I don't know exactly why it breaks. How should I proceed?

Repeating what we discussed at standup. I'm not surprised that faillock apparently doesn't work with niauth. I doubt it was ever tested to work or that customers use it. I don't see any reason to invest any time in making them compatible. If we're being prudent, it is worthwhile to run a quick test where you install the pam_faillock module into the PAM rules, using only the default configuration that a user would get from upstream. If that fails, then I think we have a very strong argument for marking this module as 'RCONFLICTS' with ni-auth and moving on with our lives.

The configuration tool will install this after de-installing ni-auth, and so shouldn't aggravate the conflicts.

@AlexHearnNI (Collaborator, Author)

ni/meta-nilrt#724

@AlexHearnNI AlexHearnNI force-pushed the users/ahearn/faillock branch from ca5a25f to fddd735 Compare September 5, 2024 14:10
@amstewart amstewart merged commit e0a2ac1 into master Sep 6, 2024
1 check passed
@amstewart amstewart mentioned this pull request Sep 6, 2024
2 tasks
@AlexHearnNI AlexHearnNI deleted the users/ahearn/faillock branch September 6, 2024 15:36