Re: Centralized authentication

From: Mikel King (mikel@ocsinternet.com)
Date: 05/07/02


Date: Tue, 07 May 2002 11:49:17 -0500
From: Mikel King <mikel@ocsinternet.com>
To: "Douglas K. Rand" <rand@meridian-enviro.com>

Douglas,

    I know this was an old post, but sometimes I can't keep up with the
world...;) In any event... I do understand what it is you require, as I
have been suffering from the same dilemma. I tried ldap and wasn't happy
with it, probably due to something I didn't set up correctly, but that
aside. I've used rsync via ssh, and it was time consuming... I began
looking for something else.

    What I decided was that I needed something simple: currently I'm
playing around with pam_mysql, because I can use mysql's builtins to
synchronize the db's, and as things develop I can strap a web front end on
the db and manage the whole thing. Well, the latter part is the goal, but
as a result of time constraints we're not there quite yet...

    Anyway that's what I came up with, and as time permits I've been
trying to get there...

    I am curious to know what you've found...

Cheers,
mikel

Douglas K. Rand wrote:

>First, I'm sorry I disappeared for a few days, this has been a great
>discussion.
>
>Jacques Vidrine is right: the subject doesn't really describe what I
>need. In addition to authentication I also want centralized
>distribution of /etc/passwd (uid, gid, home, shell) and /etc/group.
>
>A few people suggested NIS+. Virtually all of our boxes are FreeBSD,
>and the ones that aren't FreeBSD we wish they were. :) Can I run an
>NIS+ server on FreeBSD? I poked around the handbook and the searches
>for FreeBSD and NIS+ didn't return anything that led me to believe
>that NIS+ support was ready, or even there. But it also sounds like I
>should pick NIS over NIS+ unless I /really/ need the NIS+ features.
>
>I think Pieter Danhieux was the first to suggest using NIS for
>everything EXCEPT the encrypted passwords, an approach that I had
>never considered before. After a little thought on this I find myself
>liking this idea. I could use NIS to distribute the (relatively)
>insensitive information, everything in /etc/passwd and /etc/group, and
>also the login class, password change time, and account expiration
>time from /etc/master.passwd, setting the encrypted password to "*".
>
>Then I can use PAM modules for authentication. (What my subject said
>but not quite what I meant. :)) Here are the PAM modules that I know
>about and that I'd consider:
>
> o pam_radius
> o pam_ldap
> o pam_ssh
>
>I'm going to group pam_radius and pam_ldap together simply because I
>don't know very much about either server. My very limited
>understanding leads me to believe that a Radius server is easier to
>set up and get working than an LDAP server. I also understand that
>unless you go through a fair amount of pain, secure communications
>between the client and the LDAP server are difficult. I have a few
>questions about these PAM modules:
>
> o How secure is the client-server communications with a Radius
> server?
>
> o Can a user on a client change the password on either the Radius or
> LDAP server, either with the passwd command or some other command?
>
>What about the pam_ssh module? Is it reasonable to allow users to
>authenticate off their own SSH key, or should the authentication be
>done via some other mechanism and then just use the session part of
>pam_ssh? I've played around with pam_ssh and xdm/wdm and I really like
>having ssh-agent automatically started and your keys added.
>
>I want to thank everybody for their responses.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

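The approach in Douglas's quoted message (publish the /etc/passwd and /etc/master.passwd fields through NIS with the encrypted password field set to "*", and leave authentication to a PAM module) is easy to get slightly wrong: one entry that keeps its hash means that hash is handed to every NIS client on the network. The script below is an added example, not code from either poster or from the FreeBSD project; it assumes FreeBSD's ten-field master.passwd layout (name:password:uid:gid:class:change:expire:gecos:home:shell), builds the NIS-safe copy, and counts how many hashes would leak before and after. The sample entries and their hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a NIS-publishable copy of a
# FreeBSD master.passwd in which every password hash is replaced by "*",
# while keeping uid, gid, login class, change/expire times, home and shell,
# then verify that no hash survives in the copy.
# FreeBSD master.passwd fields (assumed layout, ten fields):
#   name:password:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample input; the hashes are placeholders, not real secrets.
SAMPLE_MASTER_PASSWD='root:$1$placeholderhash$xxxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
rand:$1$anotherplaceholder$yyyyyyyyyyyyyyyyyy:1001:1001:staff:0:1041379200:Douglas K. Rand:/home/rand:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin'

# strip_hashes: read master.passwd lines on stdin, write NIS-safe lines on stdout.
# Field 2 (the hash) becomes "*"; every other field passes through unchanged.
# A line that does not have exactly ten fields is reported and the function
# exits non-zero, so a malformed entry never reaches the NIS map unnoticed.
strip_hashes() {
    awk -F: 'BEGIN { OFS = ":" }
             NF != 10 { print "malformed entry on line " NR ": " $0 > "/dev/stderr"; bad = 1; next }
             { $2 = "*"; print }
             END { exit bad }'
}

# leaked_hash_count: count entries whose password field is anything but "*".
# Run it on the file you are about to push into NIS; the answer should be 0.
leaked_hash_count() {
    awk -F: '$2 != "*" { n++ } END { print n + 0 }'
}

# demo: produce the published copy from the sample and report both counts.
demo() {
    before=$(printf '%s\n' "$SAMPLE_MASTER_PASSWD" | leaked_hash_count)
    after=$(printf '%s\n' "$SAMPLE_MASTER_PASSWD" | strip_hashes | leaked_hash_count)
    echo "hashes present before: $before, after: $after"
    printf '%s\n' "$SAMPLE_MASTER_PASSWD" | strip_hashes
}

demo
```

Against a real system the input would be /etc/master.passwd and the output would be the file fed to the NIS map build; the leaked_hash_count check belongs in that build step so the map is never pushed when it reports anything other than 0.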