Since we use Debian's PAM autoconf, pam_unix isn't disabled and remains active.
This means pam_unix triggers first and pam_kanidm should use the password it already tried to match to a local user.
This change also moves the postinst hook for PAM config correctly to the libpam-kanidm package,
since that's the one that delivers the config that needs a reinstall!
This can have visible impacts on accounts that don't have a pam password
cached yet, but then appear to "stall" for a minute or two until it works
due to the fact that the provider was offline and waiting to reauth.
When we are still connected but our provider auth session has expired
we should reconnect faster. This reduces the timeout for reauthentication
for the provider so that it can return to the online state sooner. We
also loop when we detect the provider session is no longer authenticated
so that we can reauth immediately, rather than causing a noticable
interuption.
Our unix resolver would attempt the right thing to synthesise
user private groups on linux as these are an important security
boundary. However, it turns out that almost every distro has
botched their default system user accounts, and many are
installed with numeric-only UPGs that don't resolve. In the
case that later the user does attempt to fix that, because we
synthesised as UPG for the system account, the user trying to
add the UPG would now fail. In some cases this could cause
system updates to be prevented from installing.
This change limits UPG synth to user accounts only (uid > 1000)
which is the common uid boundary on unix-like platforms.
Options like map_group would fail silently when version=2 wasn't
set in our unix config. this detects that case and warns that it
is occuring.
To prevent this in the future, we deny unknown keys in v2 so that
if (when?) we add v3, new keys will cause an error.
In some cases if the transport drops out from underneath unixd,
it can be difficult to diagnose and leads to inconsistent errors
and output such as prompting for a password multiple times when
it can't succeed.
This makes it clearer that the transport had an error, and it
denies the inflight authsession to prevent spurious password
prompts.
* feat: Rebuild the deb packaging flow
fix: Add more sudo, GHA likes sudo
fix: Give build_debs.sh only the triplet argument
fix: Work around more GHA weirdness in apt sources
Drop crossbuild as it was only used by debian packaging
docs: Update book and other docs for packaging flow
feat: package kanidm_tools aka kanidm cli
docs: Update packaging docs for latest process and clarity
fix: use full triple in sdynlib variants
fix: Correct kanidm.pam asset placement
fix: Give pam & nss modules a description so the debs get it
fix: Work around wonky libssl3 naming in Ubuntu 24.04
fix: Place kanidm bin correctly :3
feat: Pin all blame on @yaleman :3
WIP: Swap out the submodule reference. Still not the final one though.
refactor: Switch kanidm-pam & kanidm-nss to mandatory deps
While in theory unixd will start and run without them, it also won't do
anything useful.
fix: explicit depends for nss & pam libs without versions
We build the debs on the ubuntu24.04 GHA runner so automatic pins
versions that are too new for 22.04. Ideally we'd run cargo-deb also on
the target images but that'll have to be a future improvement.
* refactor: Switch nss_kanidm & pam_kanidm package naming closer to debian guidance
* feat: Attempt enabling unixd by default with secure defaults
* fix: Relax config permissions so the kanidm user can read
Also, update postinst config instructions
Allow caching and checking of shadow entries (passwords)
Cache and serve system id's
improve some security warnings
prepare for multi-resolver
Allow the kanidm provider to be not configured
Allow group extension
This starts the support for multi-resolver operation as well as a system level nss resolver.
In future we'll add the remaining support to auth system users with pam too.
* disable mimalloc on illumos, in part because it immediately segfaults,
but also because we prefer libumem and link it into all Rust binaries
* switch from fs2 (unmaintained crate) to fs4 which provides the same
interface and has wider platform support
While basking under the shade of the coolabah tree, I was overcome by an intense desire to improve the performance and memory usage of Kanidm.
This pr reduces a major source of repeated small clones, lowers default log level in testing, removes some trace fields that are both large and probably shouldn't be traced, and also changes some lto settings for release builds.
* kanidm cli logs on debug level - Fixes#2745
* such clippy like wow
* It's important for a wordsmith to know when to get its fixes in.
* updootin' wasms
* Add keystore to unix_user_online_auth_init
Himmelblau needs this to check whether the device
is enrolled in the domain (via the presence of
TPM keys), to know whether to attempt Windows
Hello PIN auth, or to enroll first in the domain.
Signed-off-by: David Mulder <dmulder@samba.org>
* Implement PIN setup
After enrolling in a domain, Himmelblau will
prompt the user to choose a pin, which will be
the auth value for an associated Windows Hello
TPM key. We loop here until the values match.
Otherwise no validation is performed. Validation
can be done by the id provider, and can send an
additional request to PAM if the PIN is invalid.
Signed-off-by: David Mulder <dmulder@samba.org>
* Add Pin authentication
After setting up a Windows Hello pin, users can
authentication using this pin.
Signed-off-by: David Mulder <dmulder@samba.org>
Improve the support for the resolver to support MFA options with pam. This enables async task spawning and cancelation via the resolver backend as well.
Co-authored-by: David Mulder <dmulder@samba.org>
* fixing up error handling for prctl calls
* minor clippy lintypoos
* making clippy happier
* clippizing a test
* more clippy-calming
* adding tpm-udev to ubuntu flows for testing
* rebuilt wasm
* moving from rg to grep because someone doesn't like nice things
* such clippy like wow
* clippy config to the rescue
