If doing PAM authentication, we
can setuid to the target user and then
pam_unix will use unix_chkpwd on
our behalf.
Problems with this working in the lab
were resolved by a yum reinstall pam,
so it was presumably due to messed up
setcap or similar experiments.
For one, remove the password cache cleaning, as it no longer is run.
For another, skip the fork if uid is already 0.
Finally, wrap the check in a try/finally to keep the privileged process
more certain in exiting.
PyPAM is no longer part of the distributions. Closest match is also not in
the distributions and also contains a security problem without an external
patch, so it is pulled in and pull request with copyright and license
intact.
Have the cache operate against the sha256 of the passphrase rather
than the passphrase directly (mitigate presence of password in memory).
Pull PAM into the cache behavior to accelerate PAM based usage.
Rearrange things so that both built-in confluent and PAM passwords
can be used.
Cryptodome is a modern, but compatible replacement for pycrypto.
We may move to cryptography eventually, but start with this for now
for some nice speedups in some cases.
Most of the time, we don't need this pool. Create when needed,
and clean up after 30 seconds of inactivity. This avoids a slow
shutdown that was due to core python hanging in help_finish_stuff,
and as a bonus means most of the time, one only sees one confluent
process, which has been a source of questions already.
This brings some additional features into core. Namely
the ability to use a fixed module rather than a string
defined plugin. This allows shellserver to implement the
'plugin' interface without living in 'plugins'. 'plugins'
implies modularity and potential eventual choice, but
this functionality is core. It would make sense for the
'attributes' plugin to be changed to match this strategy.
Previously, any PAM result was treated as good. This isn't
actually of practical value, since we need a user object to
really do authorization. Change strategy to give pam a chance
to deny anyone, but require the user to exist in confluent
even if pam says the user is a valid one.
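How the digest-keyed authentication cache from the earlier commit and the "user must exist in confluent even if PAM accepts" rule above fit together, as an added example that is not confluent's own code; LOCAL_USERS, CONFLUENT_USERS, PAM_DB and CACHE_TTL are constructed stand-ins, and _pam_check replaces the real PAM conversation.

```python
import hashlib
import hmac
import time

# Constructed stand-ins (not confluent's own code): the built-in password
# store, the set of users confluent has objects for, and the PAM stack
# (a dict here instead of a real PAM conversation).
LOCAL_USERS = {"admin": hashlib.sha256(b"local-secret").hexdigest()}
CONFLUENT_USERS = {"admin", "operator"}
PAM_DB = {"operator": "pam-secret", "stranger": "pam-secret"}

CACHE_TTL = 60.0      # seconds a successful check stays cached (assumed value)
authcache = {}        # (username, sha256 hex of passphrase) -> expiry time
_pam_calls = 0


def _pam_check(username, passphrase):
    """Stand-in for the slow PAM round trip; counts calls so caching is observable."""
    global _pam_calls
    _pam_calls += 1
    return PAM_DB.get(username) == passphrase


def pam_call_count():
    return _pam_calls


def check_password(username, passphrase, now=None):
    """Return True only if the credential is good AND the user exists in confluent."""
    now = time.monotonic() if now is None else now
    # Key the cache on the digest so the plaintext never lives in a
    # long-lived structure; only the caller's transient copy exists.
    digest = hashlib.sha256(passphrase.encode("utf-8")).hexdigest()
    key = (username, digest)
    expiry = authcache.get(key)
    if expiry is not None and expiry > now:
        return True                      # cache hit: no PAM round trip
    if username in LOCAL_USERS:          # built-in confluent password
        ok = hmac.compare_digest(LOCAL_USERS[username], digest)
    else:                                # fall through to PAM
        ok = _pam_check(username, passphrase)
    # PAM may deny anyone, but a PAM "yes" alone is not enough: authorization
    # needs a user object, so unknown users are rejected even if PAM accepts them.
    ok = ok and username in CONFLUENT_USERS
    if ok:
        authcache[key] = now + CACHE_TTL  # only successes are cached
    return ok
```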
To facilitate a clean coordinated shutdown, create a verb so that a termination can be done
and it is known when it is completed. Only allow for the 'special' case of 'skipauth', where a unix domain
socket connection is in hand and only root or the service owner can access.