public inbox for gentoo-user@lists.gentoo.org
From: Michael Cook <mcook@mackal.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] CoreOS vulnerability inherited from Gentoo?
Date: Tue, 31 May 2016 13:59:25 -0400	[thread overview]
Message-ID: <1fbd2ef8-c75b-6ec1-af94-cb63caa0a531@mackal.net> (raw)
In-Reply-To: <3181100.83d2K62WRd@dell_xps>

On 05/31/2016 01:44 PM, Mick wrote:
> On Tuesday 31 May 2016 16:30:27 James wrote:
>> Here is an interesting read:
>>
>> Security brief: CoreOS Linux Alpha remote SSH issue
>> May 19, 2016 · By Matthew Garrett
>>
>> <snippets>
>>
>> Gentoo defaults to ending the PAM configuration with an optional pam_permit.
>>
>> This meant that failing both pam_unix and pam_sss on CoreOS systems would
>> surprisingly result in authentication succeeding, and access being granted.
>>
>> The operator user was not used by CoreOS, but existed because it exists in
>> the Gentoo Portage system from which CoreOS is derived.
>> <end/snippets>
>>
>> Full read [1]. It kinda shows that CoreOS is derived from Gentoo
>> and not ChromeOS; at least when time to blame a security lapse elsewhere....
>>
>>
>> enjoy,
>> James
>>
>> [1] https://coreos.com/blog/
>
> Does this mean we need to do anything to improve the security of our systems?
>
I tried logging in as operator with any password; it did not work for
me. Unsure if that's because of my SSH setup or not though. The blog
post does, however, mention that reverting their SSSD change did fix the
issue, so I assume if you set up SSSD the same way they did you would
have issues. With that being said, maybe it would be a good idea for the
Gentoo PAM team to set up pambase to support SSSD and not cause issues.
(Currently, if you want to set up SSSD, you are left to do it manually.)
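The quoted brief says the Gentoo stack ends with an optional pam_permit and that, on CoreOS, failing both pam_unix and pam_sss still produced a successful login. The script below is an added illustration (not code from the list, the blog post, or the Gentoo/CoreOS projects) of why that happens: it is a simplified model of how Linux-PAM's dispatcher combines module results under the required/requisite/sufficient/optional keywords and the explicit [success=N default=ignore] form, run over three constructed auth stacks. The "weak" stack, in which every real authenticator is sufficient, is an assumption modelled on the description above, not the actual CoreOS configuration; the module outcomes are supplied as inputs, so no PAM modules are executed.

```python
"""Simplified model of Linux-PAM result combination for an auth stack.

Follows the action semantics documented in pam.conf(5): ok, done, bad, die,
ignore, and numeric jumps. Module results are supplied by the caller; this is
an illustration, not the Linux-PAM dispatcher itself.
"""
from dataclasses import dataclass
from typing import Dict, List, Union

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
PERM_DENIED = "PAM_PERM_DENIED"   # returned when no module ever records a result

Action = Union[str, int]          # "ok" | "done" | "bad" | "die" | "ignore" | jump count

# The classic keywords are shorthand for these action maps.
CONTROL_FLAGS: Dict[str, Dict[str, Action]] = {
    "required":   {SUCCESS: "ok",   "default": "bad"},
    "requisite":  {SUCCESS: "ok",   "default": "die"},
    "sufficient": {SUCCESS: "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok",   "default": "ignore"},
}


@dataclass
class Entry:
    control: Union[str, Dict[str, Action]]   # keyword or explicit [value=action ...] map
    module: str


def parse_stack(text: str) -> List[Entry]:
    """Parse 'auth sufficient pam_unix.so' / 'auth [success=1 default=ignore] pam_sss.so' lines."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        _type, rest = line.split(None, 1)
        if rest.startswith("["):
            spec, module = rest[1:].split("]", 1)
            control: Dict[str, Action] = {}
            for pair in spec.split():
                key, val = pair.split("=")
                control[SUCCESS if key == "success" else key] = int(val) if val.isdigit() else val
            entries.append(Entry(control, module.split()[0]))
        else:
            keyword, module = rest.split(None, 1)
            entries.append(Entry(keyword, module.split()[0]))
    return entries


def evaluate(stack: List[Entry], results: Dict[str, str]) -> str:
    """Walk the stack and return the overall PAM status for the given module results."""
    impression = None          # None = undefined, "positive" or "negative"
    status = PERM_DENIED       # the dispatcher starts from a must-fail code
    i = 0
    while i < len(stack):
        entry = stack[i]
        control = CONTROL_FLAGS[entry.control] if isinstance(entry.control, str) else entry.control
        retval = results[entry.module]
        action = control.get(retval, control.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue                          # this module's result does not count
        if action in ("ok", "done") or isinstance(action, int):
            # A positive result is recorded only while no required module has failed.
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive" and status == SUCCESS:
                break                         # sufficient: stop early on success
            if isinstance(action, int):
                i += action                   # jump over the next N entries
        elif action == "bad":
            if impression != "negative":      # the first failure sticks; later successes cannot clear it
                impression, status = "negative", retval
        elif action == "die":
            impression, status = "negative", retval
            break
    return status


# Constructed stacks (assumptions for illustration, not real distribution files).
# Weak: every authenticator is 'sufficient', so their failures are ignored and the
# trailing optional pam_permit is the only module that records a result.
WEAK_STACK = """
auth sufficient pam_unix.so
auth sufficient pam_sss.so
auth optional   pam_permit.so
"""

# Single-backend stack: pam_unix is 'required', so its failure is recorded and the
# trailing optional pam_permit cannot override it.
REQUIRED_STACK = """
auth required pam_unix.so
auth optional pam_permit.so
"""

# Two-backend stack with an explicit fall-through denial: failing every backend is
# a definite failure instead of falling into pam_permit.
HARDENED_STACK = """
auth [success=2 default=ignore] pam_unix.so
auth [success=1 default=ignore] pam_sss.so
auth requisite pam_deny.so
auth required  pam_permit.so
"""


def outcome(stack_text: str, unix_result: str, sss_result: str) -> str:
    """Overall status for a stack given the results of the two password backends."""
    results = {"pam_unix.so": unix_result, "pam_sss.so": sss_result,
               "pam_permit.so": SUCCESS, "pam_deny.so": AUTH_ERR}
    return evaluate(parse_stack(stack_text), results)


if __name__ == "__main__":
    for name, stack in (("weak", WEAK_STACK), ("required", REQUIRED_STACK), ("hardened", HARDENED_STACK)):
        print(f"{name:9s} both backends fail -> {outcome(stack, AUTH_ERR, AUTH_ERR)}")
```

Running it shows the weak stack returning PAM_SUCCESS when both backends fail, exactly the surprise described in the brief, while the stack with a required pam_unix and the stack with a pam_deny fall-through both return PAM_AUTH_ERR. The point for anyone adding a second backend such as pam_sss to a pambase-style configuration is that an optional pam_permit is harmless only while some earlier module can record a failure; once every authenticator is demoted to sufficient, nothing does, and pam_permit becomes the stack's answer.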

