Weekly Changes – 04/10/2021
This is looking like one of our busiest weeks for a while, with quite a range of changes. Mostly these are focussed on the Ubuntu platform which sees changes for the network and openssh components. Here are all the details…
Ubuntu networking
Testing of the network component on a DICE Ubuntu machine with an additional VLAN interface revealed an issue with the way the IP address is found for a hostname when the ipaddr_$ resource for an interface is set to auto (for example ipaddr_eth0=auto). Investigations revealed that this was caused by a misconfiguration of the gai.conf file on DICE Ubuntu machines.
On DICE Ubuntu the gai.conf file is managed using the gaiconf component. This is new for Ubuntu; previously, on SL7, it had been managed as part of the dns component (which has not yet been ported to Ubuntu). On SL7 the default precedence rules were taken from RFC 3484; on Ubuntu they come from the newer RFC 6724. When a hostname resolved to multiple addresses a problem arose with the order in which the addresses were returned. This was because we had used the same local precedence values on Ubuntu as on SL7, but they were not actually appropriate for the newer RFC’s default values.
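To illustrate why the same local precedence line behaves differently under the two default tables, here is an added example (not code from the gaiconf component) that models only rule 6 of the address-selection algorithm, "prefer higher precedence", with glibc's longest-prefix lookup. The default tables are those published in RFC 3484 and RFC 6724; the subnets, addresses and local precedence values are constructed for the illustration and are not DICE's real configuration.

```python
import ipaddress

# Default precedence tables from RFC 3484 and RFC 6724 (section 2.1 of each),
# written in glibc's gai.conf "precedence <prefix> <value>" form.
RFC3484_DEFAULTS = """
precedence ::1/128        50
precedence ::/0           40
precedence 2002::/16      30
precedence ::/96          20
precedence ::ffff:0:0/96  10
"""
RFC6724_DEFAULTS = """
precedence ::1/128        50
precedence ::/0           40
precedence ::ffff:0:0/96  35
precedence 2002::/16      30
precedence 2001::/32       5
precedence fc00::/7        3
precedence ::/96           1
precedence fec0::/10       1
"""

def parse_precedence(text):
    """Parse gai.conf-style precedence lines into {IPv6Network: value}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0] == "precedence":
            table[ipaddress.IPv6Network(fields[1])] = int(fields[2])
    return table

def precedence_of(addr, table):
    """Rule 6 lookup: longest matching prefix wins; IPv4 is IPv4-mapped."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        a = ipaddress.IPv6Address("::ffff:" + str(a))
    best = max((n for n in table if a in n), key=lambda n: n.prefixlen)
    return table[best]

def order_addresses(addrs, defaults, local=""):
    """Sort candidates as getaddrinfo would if rule 6 were the only rule."""
    table = parse_precedence(defaults + local)  # local lines add to the table
    return sorted(addrs, key=lambda x: precedence_of(x, table), reverse=True)

# Constructed scenario: a hostname resolves to one address on the main subnet
# (192.0.2.0/24, TEST-NET-1) and one on an extra VLAN (198.51.100.0/24); the
# site wants the main subnet tried first, so it adds a local precedence line.
ADDRS = ["198.51.100.10", "192.0.2.10"]
LOCAL_SL7 = "precedence ::ffff:192.0.2.0/120 20\n"    # above the RFC 3484 10
LOCAL_FIXED = "precedence ::ffff:192.0.2.0/120 36\n"  # above the RFC 6724 35
```

With LOCAL_SL7 the main-subnet address sorts first under the RFC 3484 table but second under RFC 6724, because the IPv4-mapped default rose from 10 to 35; LOCAL_FIXED restores the intended order.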
Further to this, some modifications were made to the Systemd service files for the gaiconf and network components. The gaiconf component needs to start after the network-online.target is reached so that it can check the addresses of the network interfaces. The network component needs to start after gaiconf so that the results of lookups for addresses are in the correct order.
On DICE we have also added the gaiconf component to the install.installmethods resource list (and the package list for the installbase profile). The gai.conf file is now configured during the install immediately before the network component so that the netplan configuration is correct for the first reboot.
openssh
On Ubuntu the openssh component schema has been updated to version 2 and the component has gained support for generating conditional Match blocks in the server configuration file (sshd_config). This can be used to restrict configuration options by User, Group, Host, LocalAddress, LocalPort, RDomain, and Address.
There is a new sshdmatches tag list which has sub-resources for the pattern to match and the list of options which apply. See the lcfg-openssh(8) manual page for full details, here’s an example:
    LCFG_OPENSSH_SSHD_OPT(PermitRootLogin,no)

    !openssh.sshdmatches                      mADD(inf)
    openssh.sshdmatch_pattern_inf             Host *.lcfg.org
    openssh.sshdmatch_opts_inf                PermitRootLogin
    openssh.sshdmatch_opt_inf_PermitRootLogin prohibit-password
which generates:
    PermitRootLogin no

    Match Host *.lcfg.org
        PermitRootLogin prohibit-password
This prohibits root logins entirely from hosts which are not in the lcfg.org domain and limits it to password-less logins (e.g. GSSAPI or a key) when connecting from the domain.
It is possible to have multiple Match blocks; order is significant, so they will be generated in the order they are specified in the sshdmatches tag list.
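Order matters because sshd applies, for each keyword, the first satisfied Match block that sets it, falling back to the global value. The following is an added example (not part of the openssh component) that evaluates that rule over the generated configuration above plus a second, constructed Match block. It models only the wildcard-style criteria (User, Group, Host); real sshd also accepts CIDR forms for Address and LocalAddress, and Host matching depends on sshd resolving the client name (UseDNS), so the check on a real server is sshd -T -C user=...,host=...,addr=....

```python
import fnmatch

def parse_sshd_config(text):
    """Split sshd_config into global options plus ordered (criteria, options) Match blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit = value.split()                  # "Host *.lcfg.org User root" -> pairs
            current = {}
            blocks.append((dict(zip(crit[0::2], crit[1::2])), current))
        elif current is not None:
            current.setdefault(key, value)        # first instance wins inside a block
        else:
            global_opts.setdefault(key, value)    # first obtained value wins globally
    return global_opts, blocks

def criteria_match(criteria, ctx):
    """All criteria must hold; each is a comma list of '*'/'?' patterns, '!' negates."""
    for crit, patterns in criteria.items():
        subject = ctx.get(crit.lower())
        if subject is None:
            return False
        positive = False
        for pat in patterns.split(","):
            hit = fnmatch.fnmatchcase(subject, pat.lstrip("!"))
            if pat.startswith("!") and hit:
                return False                      # a matching negated pattern fails the criterion
            positive = positive or (hit and not pat.startswith("!"))
        if not positive:
            return False
    return True

def effective_option(config_text, ctx, option):
    """Value sshd applies: the first satisfied Match block that sets it, else the global value."""
    global_opts, blocks = parse_sshd_config(config_text)
    for criteria, opts in blocks:
        if criteria_match(criteria, ctx) and option.lower() in opts:
            return opts[option.lower()]
    return global_opts.get(option.lower())

# The configuration generated by the example above, plus a second Match block
# (constructed) to show that the first satisfied block wins for a keyword.
SSHD_CONFIG = "PermitRootLogin no\n\nMatch Host *.lcfg.org\n    PermitRootLogin prohibit-password\n"
SSHD_CONFIG_TWO = SSHD_CONFIG + "\nMatch User root\n    PermitRootLogin yes\n"
```

With SSHD_CONFIG_TWO a root login from a *.lcfg.org host still gets prohibit-password, because the Host block comes first; swapping the two blocks would let the broader User block win.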
The SL7 platform uses a much older version of the openssh component; upgrading to the new version should be possible but will require lots of testing. If you want this feature on SL7 please test it and let us know how you get on.
xscreensaver
We recently discovered that, although xscreensaver processes the account section of the PAM stack, by default it does NOT honour the result. This means that if any module in the account section for xscreensaver fails it will not block the login. This is considered a feature and can only be changed by recompiling the code with the --enable-pam-check-account-type=yes option. See the driver/passwd-pam.c source file for full details; the comments are:
    /* On most systems, it doesn't matter whether the account modules
       are run, or whether they fail or succeed.

       On some systems, the account modules fail, because they were
       never configured properly, but it's necessary to run them anyway
       because certain PAM modules depend on side effects of the
       account modules having been run.

       And on still other systems, the account modules are actually
       used, and failures in them should be considered to be true!

       So:
         - We run the account modules on all systems.
         - Whether we ignore them is a configure option.

       It's all kind of a mess.
     */
We consider this to be a bug: if a PAM module has problems then the results may be managed appropriately within the PAM configuration file (it’s even possible to redefine failure as success…), so we have recompiled the software and the lcfg/options/xscreensaver.h header now includes the locally-built version. We don’t expect this to cause problems for other sites, as it’s likely the account section of the xscreensaver PAM configuration is inherited from the common-account file.
DICE ACLs
On DICE, instances where ALL is used to permit login access are being eradicated. They are being replaced with entitlements (i.e. netgroups). In most cases this will not result in any change in the list of users which are allowed access. The new approach has a number of benefits: it is easier to manage if we need to change which users are permitted, it supports grace periods for expiring accounts, and it is generally clearer which groups are expected to have access. It also improves security, since local accounts (e.g. test users) are not unintentionally given access to lots of machines just because they exist in the KDC.
x509 component
Extra dependencies have been specified for the sixkts package on Ubuntu; this fixes bug#1284.
PostgreSQL
LCFG headers have been added to support the new PostgreSQL version 14 release.
There are also security updates for older versions: 9.6.23, 11.13, 12.8, 13.4.
ca-certificates
The Ubuntu Focal update for the ca-certificates package is now part of the standard updates list so it has been removed from the override package list. This is related to the recent Let’s Encrypt certificate expiration issue.