Re: Centralized authentication

From: Mikel King (
Date: 05/07/02

Date: Tue, 07 May 2002 11:49:17 -0500
From: Mikel King <>
To: "Douglas K. Rand" <>


    I know this was an old post, but sometimes I can't keep up with the
world...;) In any event... I do understand what it is you require, as I
have been suffering from the same dilemma. I tried ldap and wasn't happy
with it, probably due to something I didn't setup correctly but that
aside. I've used rsync via ssh, and it was time consuming... I began
looking for something else.

    What I decided, was that I needed something simple: currently I'm
playing around with pam_mysql, because I can use mysql's builtins to
synchronize the db's, and as things develop I can strap a web front end on
the db and manage the whole thing. Well the latter part is the goal, but
as a result of time constraints we're not there quite yet...

    Anyway that's what I came up with, and as time permits I've been
trying to get there...

    I am curious to know what you've found...


Douglas K. Rand wrote:

>First, I'm sorry I disappeared for a few days, this has been a great
>Jacques Vidrine is right: the subject doesn't really describe what I
>need. In addition to authentication I also want centralized
>distribution of /etc/passwd (uid, gid, home, shell) and /etc/group.
>A few people suggested NIS+. Virtually all of our boxes are FreeBSD,
>and the ones that aren't FreeBSD we wish they were. :) Can I run an
>NIS+ server on FreeBSD? I poked around the handbook and the searches
>for FreeBSD and NIS+ didn't return anything that led me to believe
>that NIS+ support was ready, or even there. But it also sounds like I
>should pick NIS over NIS+ unless I /really/ need the NIS+ features.
>I think Pieter Danhieux was the first to suggest using NIS for
>everything EXCEPT the encrypted passwords, an approach that I had
>never considered before. After a little thought on this I find myself
>liking this idea. I could use NIS to distribute the (relatively)
>insensitive information, everything in /etc/passwd and /etc/group, and
>also the login class, password change time, and account expiration
>time from /etc/master.passwd, setting the encrypted password to "*".
>Then I can use PAM modules for authentication. (What my subject said
>but not quite what I meant. :)) Here are the PAM modules that I know
>about and that I'd consider:
> o pam_radius
> o pam_ldap
> o pam_ssh
>I'm going to group pam_radius and pam_ldap together simply because I
>don't know very much about either server. My very limited
>understanding leads me to believe that a Radius server is easier to
>set up and get working than an LDAP server. I also understand that
>unless you go through a fair amount of pain, secure communications
>between the client and the LDAP server is difficult. I have a few
>questions about these PAM modules:
> o How secure is the client-server communications with a Radius
> server?
> o Can a user on a client change the password on either the Radius or
> LDAP server, either with the passwd command or some other command?
>What about the pam_ssh module? Is it reasonable to allow users to
>authenticate off their own SSH key, or should the authentication be
>done via some other mechanism and then just use the session part of
>pam_ssh? I've played around with pam_ssh and xdm/wdm and I really like
>having ssh-agent automatically started and your keys added.
>I want to thank everybody for their responses.

To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message
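The "NIS for everything except the encrypted password" approach quoted above, as an added example that is not code from either poster: it parses FreeBSD's master.passwd layout (name:password:uid:gid:class:change:expire:gecos:home:shell), keeps the class, change and expire fields Douglas wants distributed, replaces every password field with "*" so the NIS map never carries a hash, and flags accounts whose password field is empty. The sample file and its hash strings are constructed placeholders.

```python
"""Strip password hashes from a FreeBSD master.passwd before exporting it to NIS.

Added example, not code from the thread. FreeBSD master.passwd layout:
name:password:uid:gid:class:change:expire:gecos:home:shell
"""

FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home", "shell")


def parse_master_passwd(text):
    """Return a list of field dicts; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(FIELDS), len(parts)))
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def sanitize_for_nis(text):
    """Return (sanitized_text, findings).

    Every password field becomes '*', so the exported map carries uid/gid,
    login class, change/expire times, home and shell but never a hash; the
    real authentication is left to the PAM stack on each client. Findings
    name accounts that need attention before export: an empty password
    field means the local file allows login with no password at all.
    """
    out, findings = [], []
    for e in parse_master_passwd(text):
        if e["password"] == "":
            findings.append("%s: empty password field" % e["name"])
        e = dict(e, password="*")
        out.append(":".join(e[f] for f in FIELDS))
    return "\n".join(out) + "\n", findings


# Constructed sample; the hashes are placeholders, not real credentials.
SAMPLE = """\
# constructed master.passwd excerpt
root:$1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
guest::1001:1001::0:0:Guest:/home/guest:/bin/sh
drand:$1$PLACEHOLDER$yyyyyyyyyyyyyyyyyyyyyy:1000:1000:staff:1020000000:0:D. Rand:/home/drand:/bin/tcsh
"""

if __name__ == "__main__":
    text, findings = sanitize_for_nis(SAMPLE)
    print(text, end="")
    for f in findings:
        print("WARNING:", f)
```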