[Freedombox-discuss] Dev: Granting Users Service Access?

Nick Daly nick.m.daly at gmail.com
Wed Nov 6 14:38:50 UTC 2013


Hi folks, did we ever arrive at a consensus on a general solution to the
user-level password storage/accounts (see the "Kerberos and remctl"
discussion in September)?  I'm looking into a similar question: how do
we safely grant different users access to multiple services on the box?

Please let me know if I'm missing some basic information or
understanding here, and I'll get back to researching.  I'm worried that
I might be conflating two different, independent, concerns here.

There are two basic approaches, both of which seem to have their
disadvantages:

1. Keep user accounts separate for each service, let each service handle
   logins and user accounts.  For example, if I hosted an XMPP and Wiki
   service on my box, users would have separate logins for each of
   those.

   This is bad because it duplicates logins and asks each service to
   handle logins on its own.  If you're running five services on your
   box, chances are good that at least one of them is putting your login
   information at risk.

   This is good because it keeps your service-level login separate from
   the system-level login.  Specific user accounts can't put the system
   at risk because they don't exist in the system.

2. Tie service logins into the system-level logins.  For example, if I
   hosted an XMPP and Wiki service on my box, users would also have a
   system (shell) level login that each service looked to for
   authentication.

   This is bad because it hands malicious users a shell-level account.
   We could attempt to close that hole with the nologin shell, but it
   still feels dangerous.  It also requires us to use services that can
   pass authentication off to other login services (see LDAP).

   This is good because it means users will have only a single
   password/authentication mechanism to guard.  This increases system
   security by helping protect users from themselves.  This also gives
   us a single point to modify and update authentication methods in the
   future.

As far as I see it, those are our trade-offs: put the user at risk (1)
through foolish service configuration or put the system at risk (2) to
malicious users.  I'm leaning more toward option 2 because it *prevents
individual users from engaging in bad password management practices,* but
I'd like to hear if somebody has already thought this through.

This came up because I *really* want to get password storage out of
Plinth.  It's fine that it's there now, but it should probably be
removed by 1.0.

(Yay bus rides.  Lots of thinking time.)

Nick