On 05/31/2016 01:44 PM, Mick wrote:
On Tuesday 31 May 2016 16:30:27 James wrote:
Here is an interesting read::
Security brief: CoreOS Linux Alpha remote SSH issue
May 19, 2016 ยท By Matthew Garrett
<snippets>
Gentoo defaults to ending the PAM configuration with an optional pam_permit.
This meant that failing both pam_unix and pam_sss on CoreOS systems would
surprisingly result in authentication succeeding, and access being granted.
The operator user was not used by CoreOS, but existed because it exists in
the Gentoo Portage system from which CoreOS is derived.
<end/snippets>
Full read [1]. It kinda shows that CoreOS is derived from Gentoo
and not ChromeOS; at least when time to blame a security lapse elsewhere....
enjoy,
James
[1] https://coreos.com/blog/
Does this mean we need to do anything to improve the security of our systems?
I tried logging in as operator with any password, it did not work for
me. Unsure if that's because of my SSH set up or not though. The blog
post does however mention reverting their SSSD change did fix the issue,
so I assume if you set up SSSD the same way they did you would have
issues. With that being said, maybe it would be a good idea for the
gentoo pam team to set up pambase to support SSSD and not cause issues.
(Currently if you want to set up SSSD you are left to do it manually)
