1. Forum
  2. Usenet
  3. LINUX.DEBIAN.DEVEL

  • RFC: pam: dropping support for NIS/NIS+?

    From Steve Langasek@21:1/5 to All on Wed Apr 20 20:00:01 2022
    Hi folks,

    As of glibc 2.32, upstream has split out RPC support; if you want RPC functionality, you now need to link against libtirpc instead, which is a superior, more featureful implementation.

    This is a good thing architecturally, but one of the side effects for us is that, via PAM, we are now pulling a large number of crypto libraries into
    the transitively-essential set, because pam_unix links against libtirpc for
    NIS / NIS+ support.

    Sam Hartman made a valiant attempt to make this an optional dynamic
    dependency, but ultimately abandoned the effort.

    So I'd like to take a step back and challenge an underlying assumption by asking: do any of our users actually *need* this functionality? The RPC functionality is only used for NIS and NIS+. NIS is historically quite insecure, and I'm not aware of any efforts to improve its security (AFAIK
    the linkage of the crypto libraries doesn't fix the fundamentally insecure interfaces of NIS). NIS+ is intended to be a more secure version of NIS,
    but to my knowledge there has never been a free implementation in the
    archive; this was a Sun-specific technology, which Sun deprecated two
    decades ago[1].

    If we dropped support for NIS and NIS+ in the next Debian release, would anybody miss it? Or has everyone moved on to LDAP / AD by now?

    --
    Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org

    [1] "Prior to the release of Solaris 9 in 2002, Sun announced its intent to remove NIS+ from Solaris in a future release and now recommends that
    customers instead use an LDAP-based lookup scheme." https://en.wikipedia.org/wiki/NIS+

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEErEg/aN5yj0PyIC/KVo0w8yGyEz0FAmJgSaAACgkQVo0w8yGy Ez17nhAAojwIXZ57x7PTk1vSzv++KXr5CpNoCF9Bke9yMNgN+2BMpqz9GUCj8jgm 8ZljtCSEJ138iAfllb/wltywh8UvHbLVeXs155vaYGg/brlgnjclumJuw9X3Z/s/ DaW90QfI4fLRUBwGjqT0obvp22OgiWpHJArHnqRwm4+zttWtWMPr65Xp8sxvL7tI N0LB0ErPBFoaOgPez2iC/0p0ytc803s78BzNLwd9zP4pCBt6CvU4Qzm5PHA3IqUu ogELti/xyTAcRwEXb9emr4c8NZe6KOZgC2U3bTEliE6wbTs67aayFIbhAmVITzUt UhL4AtpntIjtr6NyjC041CxCM8y553yefjyPfSA8rtkKB7
  • From Boyuan Yang@21:1/5 to All on Wed Apr 20 22:30:01 2022
    Hi,

    在 2022-04-20星期三的 10:57 -0700,Steve Langasek写道:
    Hi folks,

    As of glibc 2.32, upstream has split out RPC support; if you want RPC functionality, you now need to link against libtirpc instead, which is a superior, more featureful implementation.

    This is a good thing architecturally, but one of the side effects for us is that, via PAM, we are now pulling a large number of crypto libraries into
    the transitively-essential set, because pam_unix links against libtirpc for NIS / NIS+ support.

    Sam Hartman made a valiant attempt to make this an optional dynamic dependency, but ultimately abandoned the effort.

    So I'd like to take a step back and challenge an underlying assumption by asking: do any of our users actually *need* this functionality?  The RPC functionality is only used for NIS and NIS+.  NIS is historically quite insecure, and I'm not aware of any efforts to improve its security (AFAIK
    the linkage of the crypto libraries doesn't fix the fundamentally insecure interfaces of NIS).  NIS+ is intended to be a more secure version of NIS, but to my knowledge there has never been a free implementation in the archive; this was a Sun-specific technology, which Sun deprecated two
    decades ago[1].

    If we dropped support for NIS and NIS+ in the next Debian release, would anybody miss it?  Or has everyone moved on to LDAP / AD by now?

    Before any discussion takes place, I would like to point out a previous
    attempt of Fedora trying to get rid of NIS/NIS+ back in 2021. Please check out the LWN article at https://lwn.net/Articles/874174/ , which would definitely
    be helpful for the condition in Debian.

    Thanks,
    Boyuan Yang

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEfncpR22H1vEdkazLwpPntGGCWs4FAmJgbFoACgkQwpPntGGC Ws5G7xAAsXDbbUu/IrJm+rXyImURy7EPSv16FJhbXRMem3V9MmFjTH2WeaCovpZH 9wp/jxSFXiDZVtrVCZLIZwhGr8oaVCxL93uG09DC+jEwWwbBJwBb0NyaiNtexs+n DsgRENb2O3Rsb7R580ui/GlOz4W2Z+DDQ7z1Tp12B2S9Nw3RoeqyOSprxRZgnaiy 3UTA0wAT71Q9+bzyq8+Olw+7K/zMU4Ft7ziJTQtoIIBz5NENvbd9ihbxvtcG5UAX KDcIktUKjQ7cXWvFcVNj1oYlQ1AWQ2LHbIiKEnS83LKnAHxEfPKR8RrbTzXqc3Uz 0/6YuFp/g+4EzdFAKwyNsCFaNCYzPN00dPJSb7AYmNjP2Gem980swWhnYOLK0zHf JRom/JsnvCzuQF9yoa1B3aPJAOIzlsuTt0ldaHtKwwdnfFePumuBXglcKEkSpmK0 nTRL5Jj1fk8EzpjSb0uRikN0dnc0FzLLQAG8JjdSXcd+ufswq7GtZ//lwhFL2ExS vc86uP3cEzGPbMGbXoSCHh4x7u7/i7gsDWcI6pnM5S3u81aek89Dr46GNgA/Eym/ 1tZLx/Jp2by1Dw4cjMBDWjKpY1eEn5F1ZI3IW5nmk6K+Hx9QePiXaSpOpVdcb83H 9FTngyoPKzReDuIT9gxfTEHHwb7Cns4bHMSCx+gDzIIQhYehIz8=
    =Muyk
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Gabor Gombas@21:1/5 to Steve Langasek on Wed Apr 20 22:50:01 2022
    Hi,

    On Wed, Apr 20, 2022 at 10:57:58AM -0700, Steve Langasek wrote:

    So I'd like to take a step back and challenge an underlying assumption by asking: do any of our users actually *need* this functionality? The RPC functionality is only used for NIS and NIS+. NIS is historically quite insecure, and I'm not aware of any efforts to improve its security (AFAIK
    the linkage of the crypto libraries doesn't fix the fundamentally insecure interfaces of NIS). NIS+ is intended to be a more secure version of NIS,
    but to my knowledge there has never been a free implementation in the archive; this was a Sun-specific technology, which Sun deprecated two
    decades ago[1].

    If we dropped support for NIS and NIS+ in the next Debian release, would anybody miss it? Or has everyone moved on to LDAP / AD by now?

    NIS still has uses in small, closed environments where setting up LDAP
    would be overkill, or if you have to interface with some ancient
    systems. NIS+ was a nice idea in its own time, and it allowed making NFS
    more secure before RPCSEC_GSS took over. However, the strength of the
    crypto used by NIS+ probably does not worth much today anymore, so I'd
    be surprised if anyone still used it on Linux.

    Doing a quick check, PAM only seems to rely on the RPC libraries for
    changing NIS passwords. Personally, I think losing that would not be a
    big deal. While I can still see NIS being useful in some corners of the
    world, I cannot imagine such an environment wanting to enforce password expiration. And if you don't expire passwords, then you don't need PAM
    to be able to change passwords - running yppasswd should be fine for
    voluntary password changes.

    Regards,
    Gabor

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Gabor Gombas@21:1/5 to Boyuan Yang on Thu Apr 21 10:10:01 2022
    Hi,

    On Wed, Apr 20, 2022 at 04:26:02PM -0400, Boyuan Yang wrote:

    Before any discussion takes place, I would like to point out a previous attempt of Fedora trying to get rid of NIS/NIS+ back in 2021. Please check out
    the LWN article at https://lwn.net/Articles/874174/ , which would definitely be helpful for the condition in Debian.

    That discussion seems to be about removing NIS/NIS+ support from the
    entire distribution. This thread is about removing NIS support from PAM.
    That's an important distinction, because in practice, NIS/NIS+ support
    mostly means the NSS modules, and the tools/servers in the case of NIS.

    Dropping NIS support from PAM would mean losing only the ability to
    change the passwords of users coming from NIS. It would not affect user lookups, and password change would still be possible using yppasswd.
    There does not even seem to be any NIS+ support in PAM - nothing seems
    to include <rpcsvc/nis.h>.

    Personlly, I think bundling NIS password changing capability in pam_unix
    was a design mistake. It should always have been a distinct module.

    Regards,
    Gabor

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Dmitry Baryshkov@21:1/5 to All on Thu Apr 21 14:40:01 2022
    чт, 21 апр. 2022 г. в 11:04, Gabor Gombas <gombasg@digikabel.hu>:

    Hi,

    On Wed, Apr 20, 2022 at 04:26:02PM -0400, Boyuan Yang wrote:

    Before any discussion takes place, I would like to point out a previous attempt of Fedora trying to get rid of NIS/NIS+ back in 2021. Please check out
    the LWN article at https://lwn.net/Articles/874174/ , which would definitely
    be helpful for the condition in Debian.

    That discussion seems to be about removing NIS/NIS+ support from the
    entire distribution. This thread is about removing NIS support from PAM. That's an important distinction, because in practice, NIS/NIS+ support
    mostly means the NSS modules, and the tools/servers in the case of NIS.

    Dropping NIS support from PAM would mean losing only the ability to
    change the passwords of users coming from NIS. It would not affect user lookups, and password change would still be possible using yppasswd.
    There does not even seem to be any NIS+ support in PAM - nothing seems
    to include <rpcsvc/nis.h>.

    Personlly, I think bundling NIS password changing capability in pam_unix
    was a design mistake. It should always have been a distinct module.

    Can we provide a separately packaged pam_unix_nis which can be used
    instead of pam_unix in cases where this functionality is still
    required?

    --
    With best wishes
    Dmitry

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Steve Langasek@21:1/5 to Dmitry Baryshkov on Thu Apr 21 18:20:01 2022
    On Thu, Apr 21, 2022 at 03:30:55PM +0300, Dmitry Baryshkov wrote:
    Before any discussion takes place, I would like to point out a previous attempt of Fedora trying to get rid of NIS/NIS+ back in 2021. Please check out
    the LWN article at https://lwn.net/Articles/874174/ , which would definitely
    be helpful for the condition in Debian.

    That discussion seems to be about removing NIS/NIS+ support from the
    entire distribution. This thread is about removing NIS support from PAM. That's an important distinction, because in practice, NIS/NIS+ support mostly means the NSS modules, and the tools/servers in the case of NIS.

    Dropping NIS support from PAM would mean losing only the ability to
    change the passwords of users coming from NIS. It would not affect user lookups, and password change would still be possible using yppasswd.
    There does not even seem to be any NIS+ support in PAM - nothing seems
    to include <rpcsvc/nis.h>.

    Personlly, I think bundling NIS password changing capability in pam_unix was a design mistake. It should always have been a distinct module.

    Can we provide a separately packaged pam_unix_nis which can be used
    instead of pam_unix in cases where this functionality is still
    required?

    Yes, that is technically possible and something I've already considered. I wasn't going to offer it up as a solution without some evidence of demand (which I would say this thread hasn't yet established), since it would
    require additional work on the package.

    --
    Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEErEg/aN5yj0PyIC/KVo0w8yGyEz0FAmJhg+kACgkQVo0w8yGy Ez2vbA//dm2AYQI7jEjH0zXInN+q/D3nRqubtAoGIaUq9t4wvBdtkAPxl1X3/+lu AqxmhgC651lGx3tGE30wy2wDx+hBwLQJR3e4adSAY0pXcmK7AgRuvvDguaY0R5mE Ms8UlyUJJ9ZDDkt8xWfzDRugz+ePo1bPT3evmvsrJhrBB7jjPmEIKX/+T0GmZRws YqdU6W899gJRxk3UZRa+asxUeupcPGgVbzwT/kBsdlaA7pWlOM34Nopbi1De6QVH OZKbg1Vi+qkelUkbqc3t59uOezSvy3yMzUYAWwgEibNJgs7/C1mOnNQCHUDmdqD6 EJYw1B5X5fcc5xmePVX0pFVgGuBgokueQ3AUoqzGWJc0hredF2MfLzsUYnkpFl4z I+KCe61EYJjQFwY90Ar/w80XjJ3paI+DRmKjLH4S5Eh6ogVq0ILyun73rdf2fF/b Kni8ab3pqG6BzQwZcgtPmZ9f8ZOC4kJk7hKvOUa8oE2ykvbFLcAiu3tjUpko3qn3 Eh4PxxPmFuhY482HSx7D0IjQRHRw6K57QBTfRcwI+oX2TKe3XyoU6v++Bnsw/h2H JN6qmF+JtNby9huBsMzW
  • From Steve Langasek@21:1/5 to Gabor Gombas on Thu Apr 21 18:20:01 2022
    On Wed, Apr 20, 2022 at 10:23:06PM +0200, Gabor Gombas wrote:
    Doing a quick check, PAM only seems to rely on the RPC libraries for
    changing NIS passwords. Personally, I think losing that would not be a
    big deal. While I can still see NIS being useful in some corners of the world, I cannot imagine such an environment wanting to enforce password expiration. And if you don't expire passwords, then you don't need PAM
    to be able to change passwords - running yppasswd should be fine for voluntary password changes.

    Thanks, that's an important nuance that I'd forgotten about (or I would have mentioned it). Indeed, dropping support in PAM for NIS won't make the NSS modules go away - so a properly-configured /etc/nsswitch.conf will still
    give you user/group lookups via NIS or NIS+, and there are other ways to
    handle password changes.

    IMHO this further raises the bar for keeping support for these (insecure, obsolete) backends in pam.

    On Wed, Apr 20, 2022 at 04:26:02PM -0400, Boyuan Yang wrote:
    Before any discussion takes place, I would like to point out a previous attempt of Fedora trying to get rid of NIS/NIS+ back in 2021. Please
    check out the LWN article at https://lwn.net/Articles/874174/ , which
    would definitely be helpful for the condition in Debian.

    Thanks for the pointer. I think that's useful in terms of understanding the landscape in the abstract, but shouldn't be taken as a definitive answer because it doesn't really address whether any Debian users depend on this functionality today.

    NIS also dates from a period when rsh was considered acceptable, and unless
    I'm mistaken, has a comparable level of security. Allowing access to
    password hashes for users based on the IP of the machine you are querying
    from is not a sane security policy, and I don't think we should indefinitely make Debian worse for all other users (bigger minimal system == worse) to
    cater to users of these obsolete, insecure systems.

    --
    Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEErEg/aN5yj0PyIC/KVo0w8yGyEz0FAmJhg0sACgkQVo0w8yGy Ez0QPA/+Np2iQMQic1Hv1j8vJp96bJNpHg1iyJZQpnshpZ5p6w+Bk09SarCLGc4e E4hWzpqX6xyVQHpulgDIzPqXCF+rvNK74Kjn70k+Patoq7S8V5GYbZxdciutZcXu m0lY+qr+gAlPsCIzS6gqumvGuvazLtiv8hkEVMAl7N7jx0Hlc1GbYMl2gcU98olq cCOAxSDy9BNn1tGjcPuygdKz6igJB7Z+D+IWaxdkhNCAUIp5l9dKFzjsZCYpJ558 Ii1W2ovRB1z7qJp3M0BaEslPKHPty/R+D66dNN5lsX0oOi8asXvm0D1M/kiD1ngv t36k3eT3fPoOI+F2qsTo9CEwfpyA9l+gycpH8OAfoyEX1NjUHRvMHUqIB5Uy1A4P TGnO5JFWKNCFKygnkEbQj0A1LFzob1C7jRv78Bg759lgeJQC33pWfiWe76n00pxF ND7Okxip9KzjWDx0HiU7D0mZ9ho2VCtUx5OjRyd1jif5YJwlSNjY17mBwA/tHS3P etZOgZXj9NYZ05cwRJvaEbpbyEiKMto69aMV5bL+SyilGTMsni8kMao15rz16O1X gx5BtbEJn5ZWFrJQsc9o
  • From lange@debian.org@21:1/5 to All on Fri Apr 22 23:10:01 2022
    On Fri, 22 Apr 2022 13:41:50 -0700, Steve Langasek <vorlon@debian.org> said:

    > If your users are using yppasswd on the NIS master for changing passwords,
    > then evidently you are not relying on support for NIS in PAM. (yppasswd
    > doesn't even link against libpam.)
    Thanks for clarifying this.

    --
    regards Thomas

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From lange@debian.org@21:1/5 to All on Fri Apr 22 22:30:01 2022
    Hi,

    I'm using NIS since 20+ years in a small network with about 60 computers.
    Since I manage all computers and the physical network can be seen as secure
    (I know it's not perfect secure) I do not need the additional crypto
    features of NIS+ or LDAP, which would be overkill. All my users use
    yppasswd on the NIS master for changing their password. I guess I
    still need pam support for this because I set things like this in pam.d/common-password:

    password requisite pam_cracklib.so retry=3 difok=3 minlen=14


    Yes, I surely would miss the NIS support.

    --
    regards Thomas

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Steve Langasek@21:1/5 to lange@debian.org on Fri Apr 22 22:50:01 2022
    Hi Thomas,

    On Fri, Apr 22, 2022 at 10:07:52PM +0200, lange@debian.org wrote:
    I'm using NIS since 20+ years in a small network with about 60 computers. Since I manage all computers and the physical network can be seen as secure (I know it's not perfect secure) I do not need the additional crypto
    features of NIS+ or LDAP, which would be overkill. All my users use
    yppasswd on the NIS master for changing their password. I guess I
    still need pam support for this because I set things like this in pam.d/common-password:

    password requisite pam_cracklib.so retry=3 difok=3 minlen=14

    Yes, I surely would miss the NIS support.

    If your users are using yppasswd on the NIS master for changing passwords,
    then evidently you are not relying on support for NIS in PAM. (yppasswd doesn't even link against libpam.)

    --
    Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEErEg/aN5yj0PyIC/KVo0w8yGyEz0FAmJjEwgACgkQVo0w8yGy Ez0WCg//S0QSjaAaNnWrzF8C5W5IwLW3ye6O9c8zLfGGjzVvm7DIOxdIHIJoXWcJ xaKe3g/qOFtPxs7aXDIt9OFP6ER3NuBsGTLSley2rRRbePKMmn0WU6RMF5zND8Ll 27VmdBAe6cJj+J2UU5zFjNCZeKx6y/ptK2liFJgYHQBHG6/ObG9DwnG12UJsSZTf JPXsJSq2AjDk06BIMPnHPW/7/WPYaMTAssf3hoPgdA+gzCZErO6nME+ulwddihVJ R1iGg5TOEFV0Tfc4ye2G+wLuKeHNFZD1lP4/ou8nC25UQ4qi51H93JpSSryzEeKp MJKIl0M1AayH+u9fekjsKztaybQclvIaZj9SXA70rbqsvBA/OdGLQCF9doftZXsQ j3x8o6ZW7t+hcZsAYdoU+QCS6vTVC6FzsmvVds79E/nh1BjLDOfX6wYvp45FM7rO 00X1dn5SPZspWS4H6N9n3hixY+BNJYLN54yJqXL5yvCs8eE29ZDLKwp4b6WSZuvO 3QZRLEyGACC0SOn4Aco3UkGayajyIhcGlJPITzduFugxyb9GKIPdf5TQiM0oG49b nmboUq45SbrS3Oq3+SlY
  • From Thomas Lange@21:1/5 to All on Fri Apr 22 23:20:01 2022
    On Fri, 22 Apr 2022 13:41:50 -0700, Steve Langasek <vorlon@debian.org> said:

    > If your users are using yppasswd on the NIS master for changing passwords,
    > then evidently you are not relying on support for NIS in PAM. (yppasswd
    > doesn't even link against libpam.)
    Thanks for clarifying this.

    --
    regards Thomas

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adrian Bunk@21:1/5 to Steve Langasek on Sun May 8 14:20:01 2022
    On Fri, Apr 22, 2022 at 01:41:50PM -0700, Steve Langasek wrote:
    ...
    On Fri, Apr 22, 2022 at 10:07:52PM +0200, lange@debian.org wrote:
    I'm using NIS since 20+ years in a small network with about 60 computers. Since I manage all computers and the physical network can be seen as secure (I know it's not perfect secure) I do not need the additional crypto features of NIS+ or LDAP, which would be overkill. All my users use yppasswd on the NIS master for changing their password. I guess I
    still need pam support for this because I set things like this in pam.d/common-password:

    password requisite pam_cracklib.so retry=3 difok=3 minlen=14

    Yes, I surely would miss the NIS support.

    If your users are using yppasswd on the NIS master for changing passwords, then evidently you are not relying on support for NIS in PAM. (yppasswd doesn't even link against libpam.)

    Could you add this information to NEWS.Debian and/or the release notes?

    People administrating networks tend to be the people who actually read
    the release notes before planning an upgrade to a new release.

    Thanks
    Adrian

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)