Re: RFC: pam: dropping support for NIS/NIS+?

On Wed, Apr 20, 2022 at 10:23:06PM +0200, Gabor Gombas wrote:
> Doing a quick check, PAM only seems to rely on the RPC libraries for
> changing NIS passwords. Personally, I think losing that would not be a
> big deal. While I can still see NIS being useful in some corners of the
> world, I cannot imagine such an environment wanting to enforce password
> expiration. And if you don't expire passwords, then you don't need PAM
> to be able to change passwords - running yppasswd should be fine for
> voluntary password changes.

Thanks, that's an important nuance that I'd forgotten about (or I would have
mentioned it).  Indeed, dropping support in PAM for NIS won't make the NSS
modules go away - so a properly-configured /etc/nsswitch.conf will still
give you user/group lookups via NIS or NIS+, and there are other ways to
handle password changes.

IMHO this further raises the bar for keeping support for these (insecure,
obsolete) backends in pam.

On Wed, Apr 20, 2022 at 04:26:02PM -0400, Boyuan Yang wrote:
> Before any discussion takes place, I would like to point out a previous
> attempt of Fedora trying to get rid of NIS/NIS+ back in 2021.  Please
> check out the LWN article at https://lwn.net/Articles/874174/ , which
> would definitely be helpful for the condition in Debian.

Thanks for the pointer.  I think that's useful in terms of understanding the
landscape in the abstract, but shouldn't be taken as a definitive answer
because it doesn't really address whether any Debian users depend on this
functionality today.

NIS also dates from a period when rsh was considered acceptable, and unless
I'm mistaken, has a comparable level of security.  Allowing access to
password hashes for users based on the IP of the machine you are querying
from is not a sane security policy, and I don't think we should indefinitely
make Debian worse for all other users (bigger minimal system == worse) to
cater to users of these obsolete, insecure systems.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
