
Untitled

a guest
Jun 26th, 2017
11:51 < jkt> Honoome: ah, great -- I read your recent post and was wondering what you mean with using different tools for changing different passwords
11:52 < Honoome> jkt: passwd → changes unix password; ldappasswd → changes ldap password; kpasswd → changes kerberos password
11:52 < jkt> Honoome: I come from RHEL-like background, and most of your boxes have just local accounts in /etc/passwd and real users in LDAP, which means that no records for real people exist in the files at all
11:52 < lejonet> igraltist: maybe it operates with regexs so you have do PAX\:?
11:53 < jkt> Honoome: now, there is no problem to unify that in such a way that users only have to remember to use `passwd` for passwords
11:53 < Honoome> jkt: there is no way to have it working as intended as I said
11:53 < jkt> Honoome: I guess it is your "change only the matching token"
11:53 < Honoome> it only works as long as there is _no_ crossover between users in different auth methods
11:54 < Honoome> which I wouldn't bet myself on, if you have such a setup you're still free to edit the one file with the definitions and do it as you prefer
11:54 < jkt> Honoome: I'm not sure what you intend, but I'm completely sure that our systems are working as I want them, and users do not have to run `ldappasswd` with crazy parameters -- they do not even have to know they are managed in LDAP
11:54 < jkt> Honoome: what you mean by user crossover?
11:54 < Honoome> jkt: if one user is in both ldap and unix
11:55 < Honoome> if there are users that are on both, you can have passwd accept ONE of the two passwords or BOTH of the two passwords; and then change ONE of the two passwords or BOTH of the two passwords
11:55 < Honoome> but not "change ldap password only if given the ldap password; change the unix password only if given the unix password"
11:55 < jkt> Honoome: well, would anyone sane have users in both places?
11:55 < jkt> in my opinion, that's extremely corner case
11:55 < Honoome> I do, with kerberos
11:56 < Honoome> and the problem is that you have a number of other authentication schemes that don't have split account information, such as smartcards and otp
11:56 < jkt> what's the reason for that?
11:56 < jkt> indeed
11:56 < Honoome> if I have network connection I log in to the kerberos server, if I don't have network connection, I log in locally
11:57 < Honoome> really, this is JUST THE DEFAULT and the default ought not to surprise anybody
11:57 < Honoome> setting all the tokens at once feels fishy to me
11:57 < Honoome> [but setting only one is simply stupid]
11:57 < jkt> I can't think of any method besides ldap and kerberos which allows for setting passwords
11:57 < Honoome> if you think you can do better, pambase is there and I'm happy to stop caring about pam myself
11:57 < jkt> you can't set an OTP password, nor a smartcard one
11:58 < Honoome> right, but then you can use an OTP password to change the Unix password if you have a single password setup like we have now
11:58 < jkt> see, I do not know what you're going to do, and your blog posts do not provide much detail for me to know what your plans are
11:58 < Honoome> …
11:58 < Honoome> are you serious?
11:58 < jkt> I just know that proposing ldappasswd for changing passwords is crazy, and everyone else does it differently
11:59 < Honoome> okay now before I start using bad words let me note a few things
11:59 < Honoome> - I post things on the blog for comments; comments are open yet you look me up on IRC → waste my time
11:59 < Honoome> - I have pushed all the code on a git repository you can look at it just as you wish
11:59 < jkt> yes, I've read all of them, and I didn't get the idea what you're going to use the M4 for -- is it going to be a build time thing, or do you expect the admin to specify their preferences in M4?
12:00 < Honoome> - right now we have NO integration so from no integration to integration that doesn't suit YOUR needs, I don't see how that can be "crazy"
12:00 < Honoome> - I'm TIRED OF THIS BLOODY PAM and yet I'm still managing it, should I just leave all users without a PAM maintainer _again_?
12:00 < Honoome> THE CODE IS ON THE REPOSITORY, just clone the repo and do what the heck you want
12:01 < jkt> Diego, if you feel like answering my questions on IRC is wasting your time, please go ahead and do whatever you want to do, it's indeed pointless to continue discussing in such case
12:01 < Honoome> I have open comments on my blog and I ask for comments there FOR A REASON
12:01 -!- SIGBUS [~SIGBUS@forkbomb.nl] has quit [Ping timeout: 255 seconds]
12:01 -!- sera [~sera@189-255.62-81.cust.bluewin.ch] has quit [Ping timeout: 245 seconds]
12:01 < Honoome> besides, you're not "asking questions", you've basically started with a "you're doing it wrong"
12:02 < lejonet> One useful thing of putting this discussion on his blog is that others can comment on it and it is searchable too
12:02 < Honoome> and yes, it pisses me off if instead of sending an email or leaving a comment, people use a low-latency contact like irc to tell me that I'm doing something wrong when I'm the only one trying to sort it the deuce out
12:02 < jkt> ad ldappasswd -- `passwd` doesn't take any, while `ldappasswd` expects you to specify the base DN of the LDAP tree, the DN to bind with and a DN of the user
12:03 < jkt> lejonet: point taken
12:03 < jkt> Honoome: I'm sorry if I expressed my technical concern in a way which offends you. I'll move this discussion to your blog and will do my best not to harm your feelings next time.
12:03 < jkt> Honoome: Thanks for your time.
12:04 < lejonet> I personally must say that the way Honoome wants to do with pam seems sane, it also increases the likelihood that people know which password they are changing
12:04 < lejonet> if you just have one program to rule them all you might accidentally change a password you did not intend to change
12:04 < Honoome> [and no, no admin needs to deal with m4, if they want passwd to change ldap password, they just set up /etc/pam.d/system-password as they prefer, and then it'll all work nicely… it's just that _the default_ can't be something "surprising"]
12:05 < jkt> Honoome: which ML should I use for discussions?
12:05 < Honoome> jkt: there is no ML and I much prefer not using -dev, which is why it's mostly on my blog… otherwise you can mail pam-bugs alias
12:06 < jkt> so, for the sake of "archival", let's stick to blog comments, then.