I'd like to see SUSE Linux adopt authselect for managing auth stack configurations. The major reason I want this to happen is because it's one of the blockers for @hellcp and me to get FreeIPA working properly on openSUSE (which we'd like to have in place for openSUSE Leap 16).

But there are other major benefits to this. Authselect, on its own, makes it much easier to ensure users stay on "gold paths" for auth stack configurations (nsswitch, pam, etc.). And it also provides an easy mechanism to reset the stack to a working state if it gets broken somehow. This is why Fedora switched to it from authconfig [1].

This would have been particularly helpful two months ago when the nsswitch configuration was modified to include usrfiles [3]. Having authselect and having it give you a "one shot path" to fixing the configuration would have made life a lot easier. And as more funky things need specialized profiles (I'm looking at you, Oracle DB and SAP...), you can ship an authselect profile tailored for that product and have it switch to that when the product switch happens.

Authselect is already packaged in openSUSE Tumbleweed [4], and @hellcp already requested a review of the profiles by SUSE Product Security [5]. I'd appreciate it if any needed changes could be discussed with upstream and, if they aren't overly openSUSE-specific, could be contributed to upstream [6].

Current status: I need to reach out to SUSE Security folks (Johannes Segitz or Marcus Meissner) about designing profiles for SUSE distributions.

I've had no time to address this in time for 15.4, so I'm pushing this off to 15.5.

