On Wed, May 18, 2022 at 5:23 AM Jörg Kastning <joerg.kastning@uni-bielefeld.de> wrote:
On 16.05.2022 at 19:16, Richard Megginson wrote:
[...]
> Another consideration: what if you want to remove all of your previous
> settings and restore the pam configuration to the system defaults?
> As a system administrator, I am inheriting a set of heterogeneous machines,
> and I don't know the state of pam password settings on those machines, and
> I need them all to be the same.
>
> In that use case, it would be nice to be able to revert the settings to the
> system default, then apply the given settings, to ensure that all machines
> are configured identically.

I've spent some time thinking about how to do that. And I find it pretty
hard to accomplish. The PAM stack is very complex. My role only
configures a small part of it (pam_pwquality and pam_faillock). Were I
only to restore the settings from these two to the system default settings,
it could lead to a misunderstanding when speaking of "system default".
Other settings could have been changed that I'm not aware of.

I think that's ok.  If the role only manages pam_pwquality and pam_faillock, then having some way to reset those settings, without affecting any other pam settings, is fine.


Probably it would be best if the role supported all possible PAM options,
like the system role for sshd. But I have to admit that's beyond my
capabilities. I would like to focus on the aspect of password quality. I'm
even thinking about removing the pam_faillock functionality entirely,
because it has nothing to do with the password quality and I couldn't
answer the question of why I would prefer pam_faillock over pam_faildelay,
for example.

OK, that is fine with me.  We can always add more PAM options later.
That is - I think your role for managing pam pwd quality is very useful as is.

Well, currently I'm unsure how to proceed.

[...]
> The last part is more complicated than it seems.  One simple way would be
> to replace all config files with the system defaults, then apply your
> changes, which would ensure that the system is in the exact end state you
> desire.  However, the role would report changes always and would not be
> idempotent.  What you really want to know is - What will be the end state
> of the system if I apply these changes, and is that state the same state
> that currently exists?
>
As I wrote above, I don't control the whole PAM configuration, only a
small, well-defined part of it. So it's true that in my case I won't know the
exact state of the PAM stack. Maybe that's an unusual case where I only
control defined aspects of a system's configuration while other 'roots'
have control over all config options except those which are delegated
to me.

I understand that there are a lot more details I have to think about
when it comes to using this outside of my own environment. I'll have to
think about it to figure out if I have the time and ability to do that.

Joerg
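The "what will be the end state, and is it already the current state?" question from the thread, worked as an added example (not code from the role or from either author): it touches only the keys the role owns in a pwquality.conf-style file, passes every other line through untouched, supports the "revert the managed keys, then apply" approach, and reports a change only when the file content would actually differ. The sample file, the managed-key list and the function name are constructed assumptions.

```python
"""Idempotent management of a small, well-defined part of a PAM-related
config file (pwquality.conf style `key = value` lines).
Added example; not the role's own code."""
import re

# Constructed sample of an inherited /etc/security/pwquality.conf.
SAMPLE_CONF = """\
# Configuration for systemwide password quality limits
minlen = 8
dcredit = -1
# a setting this role does not manage and must leave alone
dictcheck = 1
"""

# Keys the role owns (assumed subset of pam_pwquality options). Only these are ever touched.
MANAGED_KEYS = {"minlen", "dcredit", "ucredit", "lcredit", "ocredit", "minclass"}

_LINE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\S+)\s*$")


def apply_settings(text, desired, reset=False):
    """Return (new_text, changed).

    desired: {key: value} for managed keys to set.
    reset=True drops every managed key not in `desired`, so those fall
    back to the library defaults ("revert, then apply", limited to the
    role's own keys). Unmanaged lines and comments pass through as-is.
    """
    unknown = set(desired) - MANAGED_KEYS
    if unknown:
        raise ValueError(f"not managed by this role: {sorted(unknown)}")
    out, seen = [], set()
    for line in text.splitlines():
        m = _LINE.match(line)
        key = m.group(1) if m else None
        if key not in MANAGED_KEYS:
            out.append(line)               # comment, blank or unmanaged key
        elif key in desired:
            if key not in seen:            # rewrite once, drop duplicates
                seen.add(key)
                out.append(f"{key} = {desired[key]}")
        elif not reset:
            out.append(line)               # managed key we were not asked to change
        # else: reset=True, drop the line so the default applies
    for key in desired:
        if key not in seen:                # key absent from file: append it
            out.append(f"{key} = {desired[key]}")
    new_text = "\n".join(out) + "\n"
    return new_text, new_text != text      # changed only if content differs
```

Running it twice with the same `desired` yields `changed == False` the second time, which is the idempotency property the thread asks for.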
_______________________________________________
systemroles mailing list -- systemroles@lists.fedorahosted.org
To unsubscribe send an email to systemroles-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/systemroles@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure