On the Localizer


One of NetAuth’s primary goals has always been authentication and identity for Linux servers. For many servers, this means PAM and NSS. While these are both widespread they are not particularly easy to interact with.

For example, NSS has no concept of a failure during processing. This largely precludes on-line lookups, and even in the offline case the lookup path needs to be bulletproof. Bugs in NSS handlers can quickly turn into security incidents by nature of the information that NSS handles. PAM isn’t much better, depending on being able to load shared objects into the target’s address space. This is in stark contrast to the bsdauth system where a program is executed in a highly restricted context and its return code checked for whether authentication succeeded.

Over time, its become desirable to support systems where NSS and PAM are not available. Where can one find such systems you ask? The very popular Alpine Linux ships with this configuration. There is no NSS available because that is simply not a part of the musl design specification, and there is no PAM because it is often unnecessary.

NetAuth will solve this with a pair of new projects. The first one, the localizer, will replace the entire NSS integration path for standard purposes. It will be able to directly modify the passwd, group, and shadow files to update users that the system is aware of. Additional planned functionality beyond the initial release includes writing autofs mount maps, and even a plugin to the NetAuth server which would permit synchronizing shadow hashes directly to targeted machines in environments where PAM is unacceptable.

In environments where PAM is acceptable, the existing pam_netauth will be replaced with a shim executable that can be consumed by pam_exec.so. This will allow cleaner integration and unit testing by being able to drop CGO compilation options. It will also dramatically simplify the story of running a PAM integration on non-GLibc systems, where Go’s shared object compilation is not supported.

Look forward to both of these new components in the coming months. The original NSS integration will be maintained on a best effort basis moving forwards, and the original pam_netauth will be retired entirely due to its limited support and security critical function.

>> Home