WEBVTT

00:00.000 --> 00:10.000
So now the mystery is going to talk about the response, the mystified and beyond.

00:10.000 --> 00:14.000
So thank you for coming to this session.

00:14.000 --> 00:29.000
I didn't expect to mention open message during this talk, but we will see how things will go.

00:29.000 --> 00:41.000
I really think that so many people would be interested in this pun thing, certainly not me.

00:41.000 --> 00:54.000
Well, first I would like to ask yourself how many times today did you use authentication of some kind of sword?

00:54.000 --> 00:59.000
My bet is you didn't count because it's ubiquitous nowadays.

00:59.000 --> 01:06.000
Unless you're debugging something which is not likely, today is not the best day for debugging.

01:06.000 --> 01:09.000
Well, as we saw just now.

01:09.000 --> 01:16.000
So today I'll be talking about whatever remains to be demystified about palm.

01:16.000 --> 01:22.000
Shortly we'll see what is it and why it evolved this way.

01:22.000 --> 01:29.000
I'll be talking about core concepts, a lot about configuration things, about the frozen stack thing.

01:29.000 --> 01:38.000
About recently recent developments and what could happen in the future, maybe possibly.

01:38.000 --> 01:43.000
And if time permits, a bit more about troubleshooting in best practices.

01:43.000 --> 01:45.000
So what is palm?

01:45.000 --> 01:53.000
It's a framework framework of shared libraries and plug-able models which are also shared objects.

01:53.000 --> 02:00.000
It's all configured and very flexible configuration leaves in a certain directory.

02:00.000 --> 02:11.000
And the purpose of this is to enable system means to choose how various applications and solve them the system authentication users.

02:11.000 --> 02:18.000
Without need to recompile or attach the applications themselves.

02:18.000 --> 02:26.000
And to switch between these authentication mechanisms without touching the applications.

02:26.000 --> 02:39.000
So in the very beginning, before it is scheduled, things were very simple and there are no need to do anything like what we are doing today.

02:39.000 --> 02:46.000
Like just two functions want to obtain the password entry and another to check the password.

02:46.000 --> 02:48.000
And everything was simple.

02:48.000 --> 02:57.000
Later when the shadow concept was introduced, things started to become complicated.

02:57.000 --> 03:06.000
Like when you think about adding, for example, cable support to every application, it becomes a peculiar task.

03:06.000 --> 03:21.000
So that resulted to inconsistency when one application used one implementation or one variation of authentication and another used another one.

03:21.000 --> 03:29.000
These, the situation could easily end in the past, easily run out of control.

03:29.000 --> 03:35.000
So with a centralized library that every application uses,

03:35.000 --> 03:43.000
you can achieve all these charges like consistency and control all the system.

03:43.000 --> 03:47.000
So how bomb organized things?

03:47.000 --> 03:50.000
It divides everything into four management groups.

03:50.000 --> 03:57.000
The authentication that answer the question is the user, the one who says his or she,

03:58.000 --> 04:06.000
the account management that answers the question whether the user is allowed to use that particular service right now.

04:06.000 --> 04:14.000
The session management, that setups whatever is needed for the session and then things up.

04:14.000 --> 04:19.000
And if there is a need for password management, there is a password management.

04:19.000 --> 04:32.000
Like there are explicit tools to change passwords and sometimes some models may say that password is expired and it has to be changed before the authentication proceeds.

04:32.000 --> 04:36.000
So let's go through all of these groups.

04:36.000 --> 04:42.000
The classic way of the authentication is the password indication.

04:42.000 --> 04:52.000
Like, for example, the traditional Pambianic module that indicates against the the question start for each either in an it is a shadow file.

04:52.000 --> 05:02.000
They could be like, relating against a dongle or biometrics scan or like remote server or any kind of like.

05:02.000 --> 05:06.000
There are a few modules for one time passwords.

05:06.000 --> 05:15.000
Well, most of them are out of few models, but some are very traditional like Pambianic city is fetched along with Linux power itself.

05:15.000 --> 05:23.000
Account management like it also Pambianic does something other kind like it checks the password expiration.

05:23.000 --> 05:26.000
There are various other.

05:27.000 --> 05:42.000
The reasons to to do accounting like whether whether the account is not due to too many legato attempts could be time based restrictions and like service based and whatever.

05:42.000 --> 05:53.000
In management, a lot of models also like standard and out of three, like standard modules are the model that set up kernel keyring.

05:53.000 --> 06:01.000
Traditional resource limits, UMask home deacucation for remote dedicated users.

06:01.000 --> 06:08.000
Well, the out of three system D module that register the session against the in the login.

06:08.000 --> 06:12.000
And a password management.

06:12.000 --> 06:14.000
Let's usually two things.

06:14.000 --> 06:23.000
First, the checks that the password meets the quality rules and there are two out of three models for this.

06:23.000 --> 06:30.000
Checking whether it like other police rules like with pv history that checks against takes.

06:30.000 --> 06:37.000
Pass with a used for this user in the past and actually changing the password.

06:37.000 --> 06:49.000
These are traditional models, but out of few models are doing the same thing for for the remote service.

06:49.000 --> 06:53.000
So how it is implemented.

06:53.000 --> 07:03.000
Pum provides the library provides stable, backwards compatible API for applications and for models.

07:03.000 --> 07:10.000
So applications talk to the library and library calls functions from the models.

07:10.000 --> 07:21.000
Everything is configured and nothing has to be no executable has to be or shared library or any binary object has to be attached to do this.

07:21.000 --> 07:29.000
You can install additional models, but at least that is all they have to do is to install the models and configure them.

07:29.000 --> 07:42.000
So for every management group that is a user API for authentication and session management there are two entries.

07:42.000 --> 07:45.000
And for account and password management this just one.

07:45.000 --> 07:53.000
It's kind of important and will I'll mention this later when it's defined when funny thing.

07:53.000 --> 07:58.000
So how all this is configured nowadays?

07:58.000 --> 08:10.000
Well, Pum conversion is service specific and nowadays for each service there is a single configuration file stored usually in it is e.pum.de.

08:10.000 --> 08:23.000
A long time ago the past used to be centralized configure where all services were configured but nowadays like more than decade of things.

08:23.000 --> 08:27.000
It's long in the past so what you get is that.

08:27.000 --> 08:37.000
So for example for login service there is a file literally called lodging in it cpum.de that describes how to.

08:38.000 --> 08:44.000
It configures spam library and describes what models are called in which way.

08:44.000 --> 08:55.000
If for some if the file doesn't exist there is a full back to very to file code author that usually didn't identify success.

08:55.000 --> 08:58.000
Yeah, this way.

08:58.000 --> 09:11.000
We used to configure Pum for many years and at some point we found out that there are a lot of intersections in various configuration files.

09:11.000 --> 09:18.000
So there is an include concept where you can include files one config files from others.

09:18.000 --> 09:23.000
So this is this makes easy to implement system white policies.

09:24.000 --> 09:33.000
So what are actual Pum models they these are things after plaggable authentication models the things after them hoping is called.

09:33.000 --> 09:43.000
They are loaded dynamically according to configuration rest are starting very specific place and there are a lot of them.

09:43.000 --> 09:53.000
There are two specific models standard models that like Pum deny that all the data success and pamper it always permits and they use it as.

09:53.000 --> 09:55.000
Kind of.

09:55.000 --> 09:57.000
Configure blocks.

09:57.000 --> 10:01.000
So let's go through this syntax shortly briefly back in details.

10:01.000 --> 10:07.000
Configuration file each confusion file contains of lines each line has three.

10:07.000 --> 10:10.000
Management fields and one optional.

10:10.000 --> 10:12.000
So first one is type.

10:12.000 --> 10:15.000
It's a the name of the management group.

10:15.000 --> 10:21.000
Therefore them the current control that describes how to treat the return video from the module.

10:21.000 --> 10:24.000
The third is the module name itself.

10:24.000 --> 10:29.000
It could be a path but nobody should be using path to the file nowadays.

10:29.000 --> 10:34.000
And more any modules have optional arguments.

10:34.000 --> 10:44.000
In this simplified example well in all this presentation all examples are real life examples sometimes they are simplified and sometimes they are very much.

10:44.000 --> 10:53.000
So you can see like for some management groups there are more very several lines and for some just a single line.

10:53.000 --> 11:02.000
This by the way this is called stack Pum stack but probably you are aware that it's not a stack.

11:02.000 --> 11:06.000
I mean it's not a lasting first half thing.

11:06.000 --> 11:09.000
And why it's called stack is a bit mysterious.

11:09.000 --> 11:18.000
Nobody could tell me why and I don't remember and I'm involved into Pum development for more than 20 years.

11:18.000 --> 11:27.000
So probably just a pile of things but it's called stack and I will be using this word because it's all in the documentation.

11:27.000 --> 11:30.000
So you can see here like.

11:30.000 --> 11:36.000
This is a way to to silence the air message from the module.

11:36.000 --> 11:44.000
It's in this example you can see this in the dash between the before the before that management group name.

11:44.000 --> 11:49.000
So there are four.

11:49.000 --> 12:10.000
Traditional cultural values one is required that says that the failure of this module will lead to the failure of the whole stack that is the processing of the stack continues but the stack itself is marked as failed.

12:10.000 --> 12:19.000
Now the requisite that differs from required is that the processing of the stack stops at this point and it's a failure.

12:19.000 --> 12:24.000
Why there could be different different controls of that kind.

12:24.000 --> 12:35.000
Sometimes it's not desired to continue processing because like it is unsafe for example it wouldn't make sense to set the password if it doesn't.

12:35.000 --> 12:46.000
But sometimes it's desirable to proceed to avoid information leaks.

12:46.000 --> 12:58.000
For example like if you stop the stack at the point and for example user is not allowed to pass the check for it or whatever.

12:58.000 --> 13:05.000
It would be easy to measure timing and for example easily check whether it uses exist in the system.

13:05.000 --> 13:21.000
There is a sufficient control that says that if the module succeeds then the whole stack succeeds unless it failed before and processing stops at this point.

13:21.000 --> 13:24.000
But if module fails it just the failure ignored.

13:24.000 --> 13:38.000
An optional tricky word that says that the return value from the module doesn't contribute to the result of the stack unless it's the only meaningful module in the stack.

13:38.000 --> 13:47.000
Usually if you see looking into a real file you can see that optional is associated.

13:47.000 --> 13:55.000
It's used with a one group name with a dash because like if module doesn't exist.

13:56.000 --> 14:02.000
For example you can imagine a system as pump system module doesn't exist.

14:02.000 --> 14:07.000
It's a real example from federal configuration.

14:07.000 --> 14:18.000
So they use dash session optional which means if the module doesn't exist then it wouldn't be error in the stack and error wouldn't be printed anyway.

14:18.000 --> 14:31.000
So about 20 years ago I don't remember exactly the include keyword was introduced which is the way to include other lines that are starting a different file.

14:31.000 --> 14:44.000
I don't I I contributed this thing so many years ago to remember when and it has been using used since in various distributions to to use system white policies.

14:44.000 --> 14:54.000
Later sub-stick was introduced it's a way of doing the same but creating a sub-stick which means that failure or not of the stack.

14:54.000 --> 15:05.000
Like for example when it's two minutes prematurely doesn't terminate the whole stack but only the sub-stick where the module was called.

15:05.000 --> 15:11.000
So you can can jump out of this sub-stick and all that kind of things it feels like a sub-stick.

15:11.000 --> 15:16.000
And there is like even more arcane and advanced syntax.

15:16.000 --> 15:24.000
Like you can explicitly specify what will happen for each pump error code.

15:24.000 --> 15:36.000
And there is a keyword default that says that what should happen for all the pump codes that are not explicitly mentioned.

15:36.000 --> 15:44.000
So the actions are similar to to control values to traditional control values so you can ignore.

15:44.000 --> 16:05.000
Let me turn value of mark stack as bad max stack and continue processing max stack as bad and stop processing mark max stack as succeeding if it isn't failing and continue processing and max stack succeeding and stop processing.

16:06.000 --> 16:11.000
If it's not failing and there is a way to jump.

16:11.000 --> 16:17.000
You can specify how many lines in the step should be skipped.

16:17.000 --> 16:28.000
So you can express traditional controls using this advanced syntax and it's sufficiently complicated but still you can jump backwards.

16:28.000 --> 16:33.000
So you can create loops, but you can do branching.

16:33.000 --> 16:41.000
Since you can create loops it's still fairly simple, not too complicated.

16:41.000 --> 16:48.000
So in this example you can see like there is a password jump like for local user.

16:48.000 --> 17:00.000
You jump or they're called to pump TV history module and for in the session stack for it's written that for current service.

17:00.000 --> 17:05.000
They're called to pump units model is skipped for some reason.

17:05.000 --> 17:13.000
It's a funny thing that you see like in the first example ignore equal signal for pump local user.

17:13.000 --> 17:21.000
You have no idea why who wrote this did it this way because pump local user doesn't hit or the code pomegranor.

17:21.000 --> 17:30.000
So this piece is useless but it could be used as an example of how people actually write things.

17:30.000 --> 17:35.000
It's not not a big deal but raises questions.

17:35.000 --> 17:46.000
And the first step thing is it's not very well known concept so I'll touch a bit about this.

17:46.000 --> 17:49.000
This is a real case.

17:49.000 --> 17:52.000
The issue was submitted to us.

17:52.000 --> 17:54.000
I think last year.

17:55.000 --> 17:59.000
And he's an excerpt from the pomegranor version.

17:59.000 --> 18:07.000
Like you see that there is a pump in location and branching on its written video.

18:07.000 --> 18:17.000
And the user asks why the variable isn't set according to the configuration and only one line is printed.

18:18.000 --> 18:25.000
And to understand this we have to recall that for authentication there are two functions.

18:25.000 --> 18:34.000
And what pump library does is during the first indication it fixes the models that are called and the order of these models.

18:34.000 --> 18:36.000
So it freezes the stack.

18:36.000 --> 18:46.000
So for the second time when the second function is called it does the models are called in the sequence.

18:46.000 --> 18:49.000
Then they are called during pomegranate.

18:49.000 --> 18:55.000
And pump in actually does something during this second function that sets credentials.

18:55.000 --> 19:01.000
But well the model is skipped according to the first ignore really.

19:01.000 --> 19:07.000
So for this and probably the user didn't know that pump in does nothing at pomegranate.

19:07.000 --> 19:11.000
And didn't know about the concept of the first stack.

19:11.000 --> 19:14.000
So it looked mystery for them.

19:14.000 --> 19:19.000
But it's pretty simple if you know things.

19:19.000 --> 19:29.000
It's a kind of modern development that started like 20 something years ago and still going on.

19:29.000 --> 19:35.000
As I said earlier pomegranates is a traditional way of authenticating users.

19:35.000 --> 19:40.000
Let's specify the password that against the hash value.

19:40.000 --> 19:47.000
And in the it is a shadow file and access it is a shadow.

19:47.000 --> 19:50.000
You have to be privileged enough.

19:50.000 --> 19:54.000
For example.

19:54.000 --> 20:00.000
Screaser who could be not privileged enough to access this file.

20:00.000 --> 20:07.000
Or if there are is a Linux rules that limit access even for quite privileged processes.

20:07.000 --> 20:10.000
So for pomegranate pomegranates comes with a helper.

20:10.000 --> 20:13.000
And it's traditionally situated.

20:13.000 --> 20:17.000
Later like some distributions, some distributions.

20:17.000 --> 20:23.000
What they did is they installed it is a pump is set up to capabilities that allow access.

20:23.000 --> 20:26.000
But still very risky thing.

20:26.000 --> 20:35.000
So there is an alternative implementation that influences a different way of storing shadow files.

20:36.000 --> 20:38.000
And it's called TCP.

20:38.000 --> 20:45.000
So every user for every user there is a separate directory with the shadow entry.

20:45.000 --> 20:47.000
And so you don't have to be rude.

20:47.000 --> 20:54.000
But still you have to be privileged to access this because there is a group that limit success.

20:54.000 --> 20:57.000
And so it's still somewhat privileged.

20:57.000 --> 21:02.000
For example for people who are doing image based distributions.

21:02.000 --> 21:07.000
Even said get executables are not good.

21:07.000 --> 21:17.000
So the various approach that's available in the latest version that was released last week of Linux pome.

21:17.000 --> 21:22.000
You can build pomegranates with pd access this support.

21:22.000 --> 21:25.000
This way the helper is unprivileged to toll.

21:25.000 --> 21:28.000
And it just communicates with the demon.

21:28.000 --> 21:32.000
In a way like Alexander was mentioning with our models.

21:32.000 --> 21:34.000
This way.

21:34.000 --> 21:38.000
Like many models that do remote education.

21:38.000 --> 21:43.000
You can now have the system without a privileged helper.

21:43.000 --> 21:45.000
Which is nice.

21:45.000 --> 21:49.000
I think.

21:49.000 --> 21:50.000
Okay.

21:50.000 --> 21:55.000
I think you have a few minutes to talk about travel switching.

21:56.000 --> 22:06.000
Then probably the most well-known fear of users is to get it out when they do something with pomegranate configuration.

22:06.000 --> 22:17.000
And like if you use models in not in a correct way or just any very small people who could make the system accessible.

22:17.000 --> 22:22.000
So what could you actually do in this case?

22:23.000 --> 22:27.000
You probably have to use your common sense and first know what you are doing.

22:27.000 --> 22:37.000
And all these traditional recommendations supply like backup before making changes and always test your changes and do your changes incrementally.

22:37.000 --> 22:43.000
And always have an emerging success unless you are ready to deal with it.

22:43.000 --> 22:47.000
Well, unless you are dealing with the disposable system.

22:47.000 --> 22:56.000
And by the way, many distributions have very useful default configuration and tools like in Fedorics of Select.

22:56.000 --> 23:03.000
To simplify configuration of all this pomefiles.

23:03.000 --> 23:09.000
So usually you don't even have to dive into all these details.

23:09.000 --> 23:15.000
But if actually you do have to do something, there is a lot of loss.

23:15.000 --> 23:21.000
For every service you can check the looks and by default pomem is very robust.

23:21.000 --> 23:27.000
And many models they accept debug argument that makes it even more robust.

23:27.000 --> 23:36.000
And what I should have said in the beginning is a lot of documentation and please read the docs there written for you.

23:36.000 --> 23:44.000
Like a lot of month pages is a guide for application developers model developers and system animation developers.

23:44.000 --> 23:50.000
Well, if you have to resolve to real debugging, you can use the burgers.

23:50.000 --> 23:58.000
It would be really odd if I didn't mention stress in this talk, because I'm known as a stress guide.

23:58.000 --> 24:03.000
So if you are in stress, I have few simple recommendations.

24:03.000 --> 24:08.000
Like demons, they usually forks or forks for every user.

24:08.000 --> 24:12.000
So you are going to follow forks.

24:12.000 --> 24:22.000
And you probably want to detach from executables because you don't usually want to debug whatever is being run by the authentication server.

24:22.000 --> 24:37.000
And sometimes to debug all kinds of delays and things related to timings, you can use options, industries to debug timings.

24:37.000 --> 24:41.000
And let's mostly it.

24:41.000 --> 24:45.000
If I have time for questions, you are welcome to ask them.

24:45.000 --> 24:52.000
If not, thank you.

24:52.000 --> 24:54.000
Yes, we have a little bit of time again.

24:54.000 --> 24:58.000
So, I was wondering, you know, with the modules you are going to experiment.

24:58.000 --> 25:06.000
Does parent have a verification or some sort of mechanism to ensure that the malicious replacement of this module?

25:06.000 --> 25:16.000
So the question was whether palm itself has a mechanism to,

25:16.000 --> 25:23.000
whether the right modules are being loaded, whether the right modules are being loaded or not replaced?

25:23.000 --> 25:28.000
By myself, it doesn't do anything or that kind.

25:28.000 --> 25:36.000
Likewise, if you are invoked and executable, it's up to the system.

25:36.000 --> 25:43.000
Essentially, what palm does is load shared objects from the file system.

25:43.000 --> 25:52.000
And they are loaded with their open but using the same mechanism like any shared library is being loaded.

25:52.000 --> 26:03.000
So if the system implements that kind of mechanism for shared libraries, it surely has to implement the same exactly the same mechanism for checking that kind of shared objects.

26:03.000 --> 26:12.000
And the palm itself shouldn't have anything specific because it wouldn't help because other shared objects that are loaded into applications.

26:12.000 --> 26:18.000
They have essentially the same access to the process memory.

26:18.000 --> 26:25.000
So it should be either all or nothing in this case, I think.

26:25.000 --> 26:42.000
Maybe I can have a video.

26:42.000 --> 26:44.000
Yeah, that's for sure.

26:45.000 --> 26:57.000
Some systems they don't just route for that extent and have extra level of validation, but they exist, of course they do.

26:57.000 --> 26:58.000
Peter.

26:58.000 --> 26:59.000
Yeah, we run out of time.

26:59.000 --> 27:00.000
Thank you.