Firstyear
@Firstyear
But I do some firewall rules to limit what can hit it.
James Hodgkinson
@yaleman
I'll set the origin to example.com then, makes more sense (I can't change the order of the hostnames, because no)
Firstyear
@Firstyear
That's fine. :)
James Hodgkinson
@yaleman
Thaaaanks <3
soloturn
@soloturn

Apparently there has been movement away from libressl as it has been lagging behind openssl for fixes recently, but I need to double check the sources of that info

is macos also shipping libressl? there are a couple of links which would indicate it, like https://stackoverflow.com/questions/68242329/cannot-create-ssl-certificate-request-file and cl-plus-ssl/cl-plus-ssl#135

Firstyear
@Firstyear
Macos is a bit more fun. They have corecrypto but i think underneath that's using boringssl for tls at least.
James Hodgkinson
@yaleman
libressl's part of macos but it's all broken and weird
Firstyear
@Firstyear
I wouldn't be surprised if they remove libressl at some point, I think some distros that swapped to it are "having buyers regret" now.
James Hodgkinson
@yaleman
So many different SSL libs, why can't we just have a standard :D
Triss Healy
@trissylegs
Well everyone used to use OpenSSL until Shellshock and the ecosystem shattered
(or NSS for Firefox and Chrome)
I successfully managed to set up PAM and NSS switch for everything but actually authentication
Firstyear
@Firstyear
@trissylegs What issues are you hitting?
Did you set an allowed group ?
Also yeah, I think it was heartbleed that caused a lot of panic and initial forks like libressl, but it also prompted a lot of investment into openssl and it's actually gotten a lot better since.
Where libressl seems to have languished
Heck, openssl 3.0.0 today
Triss Healy
@trissylegs
libressl also suffers from nobody wants to work with OpenBSD devs if they can help it.
Firstyear
@Firstyear
Loooooolllll
Yeah
@trissylegs When you say you can't authenticate what's the actual logs or symptoms from a login attempt? Can users resolve with getent passwd <name>?
Triss Healy
@trissylegs
# getent passwd nirya
nirya:x:1001:1001:Triss Healy:/home/nirya:/usr/bin/zsh
Firstyear
@Firstyear
Okay that's a solid start
Triss Healy
@trissylegs
(Yes I'm using name instead of spn because there's too many names to fix up)
Firstyear
@Firstyear
No that's fine
That's why it's there
I use name as well at home too
the spn thing is meant for future proofing when (if?) i add trusts
Triss Healy
@trissylegs
It's also good for RDM and other weird things.
Firstyear
@Firstyear
Okay, can you show me your /etc/kanidm/unixd config?
Triss Healy
@trissylegs
% cat /etc/kanidm/unixd
# this should be at /etc/kanidm/unixd, and configures kanidm-unixd
# some documentation is here: https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/pam_and_nsswitch.md
pam_allowed_login_groups = ["humans"]
# default_shell = "/bin/bash"
home_prefix = "/home/"
home_attr = "uuid"
home_alias = "name"
uid_attr_map = "name"
gid_attr_map = "name"
Oh this is the message I get:
$ su -l nirya
Password:
su: Authentication service cannot retrieve authentication info
Firstyear
@Firstyear
can you show me getent group humans?
Triss Healy
@trissylegs
$ getent group humans
humans:x:2001:test_user,nirya
Firstyear
@Firstyear
Which distro?
Triss Healy
@trissylegs
Arch linux. Editing PAM has mostly been guessing because it's different to both SUSE and Redhat
Firstyear
@Firstyear
Right
Okay, so the next steps would be

systemctl edit kanidm-unix.service

[Service]
Environment="RUST_LOG=kanidm=debug"

in pam, on lines with pam_kanidm.so, add the option debug

Then restart kanidm-unixd, and try su again.
You'll have more info in journalctl, and it prints more to the TTY from the pam module.
But after that I'll need to see your /etc/pam.d/su and probably other files.
There is a troubleshooting section here which is honestly what I'm reading XD
Triss Healy
@trissylegs
Yea. I've been through most of that
I think it'll be something in /etc/pam.d
Firstyear
@Firstyear
Yeah, most likely
Pam is really tricky and delicate at the best of times :(
Triss Healy
@trissylegs