PAM configuration
This week I have been mainly focussed on preparing the PAM configuration required for DICE Ubuntu machines. Comprehending all the PAM config is always a bit of a brain-melting process: the syntax is horrid, the options are myriad and the potential for introducing a security hole is high. I’ve taken the chance to modernise parts of the config and rework some of it so that we do things in the “Debian way”. Generally I like the Debian approach to common shared configuration. On Redhat we’ve always had a single system-auth file which contains the config for all four sections (auth, account, password and session). That doesn’t help with readability; Debian’s approach of a separate file for each section (common-auth, common-account, common-password and common-session) is a little easier to handle.
The way we manage the authorization of access to machines has also been improved so that we have the option of a more flexible approach in the future. This was previously done in the common configuration, which meant that all services were using the same approach. Mostly that has suited our needs, but being able to limit different services (e.g. sshd and local login) to different groups of people could be very useful.
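As an added illustration of the per-service approach described above (this is not the DICE or LCFG configuration itself), two Debian-style service files that share the common-* stacks but gate sshd and local login on different groups; the group names ssh-users and console-users are assumed examples.

```conf
# Added example, not the DICE/LCFG config. Group names are assumed.
# Debian keeps the shared stacks in /etc/pam.d/common-* and pulls them
# into each service file with @include, so a service-specific check can
# sit in front of the shared account checks without touching common-*.

# /etc/pam.d/sshd
@include common-auth
# Only members of ssh-users pass the account phase for SSH logins.
# "requisite" aborts the stack immediately on failure, so the shared
# checks below are never consulted for a user outside the group.
# quiet_fail suppresses the syslog message on the expected denial.
account   requisite  pam_succeed_if.so quiet_fail user ingroup ssh-users
@include common-account
@include common-password
@include common-session

# /etc/pam.d/login
@include common-auth
# Local console logins are gated on a different group, so the two
# services can be opened to different sets of people independently.
account   requisite  pam_succeed_if.so quiet_fail user ingroup console-users
@include common-account
@include common-password
@include common-session
```

A user in neither group is denied at the account phase of both services while still authenticating through the unchanged common-auth stack, so the shared configuration stays identical across machines.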
As part of the process I also finally took the chance to actually document how our PAM configuration is meant to work. It’s important to share this information amongst our team so that it’s not just one person who understands it all, and if nothing else it won’t be so hard to remember next time.
Although most of the changes were in our DICE configuration a few bits have been tweaked at the LCFG level:
- cinnamonscreensaver was dropped from the default list of services; it will be re-added in a separate header.
- The pam_gnomekeyring module was removed from the commonpass configuration. The relevant package isn’t installed in our base set, which meant this was causing annoying warning messages in syslog.
- The pam_group module was dropped from the default login configuration. It’s unlikely anyone will need it and there are some security implications with having it enabled.
- All references to the pam_selinux module were removed from the default configuration. If you want them back you need to define the USE_SELINUX macro to a true value in your profile or site-wide header.
- The pam_mail module was removed from various configurations. It’s unlikely to be useful in a world where most people get their email via IMAP.