Re: network-wide client authentication/authorization
From: Joachim Schipper (jDOTschipper_at_math.uu.nl)
Date: 06/21/05
Date: 21 Jun 2005 16:02:13 GMT
Luke <clairst@uiuc.edu> wrote:
> I'm looking for some sort of scheme to authenticate my clients to a variety
> of services across the network.
>
> Some of them will be:
>
> Wireless access
> Email
> Standard login (via PAM/gdm)
> NFSv4 or Samba (not required)
>
> What I want to do is for each client to only need to be configured once. The
> user should be able to sign on one time, via a "normal-looking" GDM login,
> and be authenticated to a variety of services. For instance, wireless VPN
> protection should be started for only authorized clients automatically.
>
> Obviously, Kerberos with LDAP authorization makes sense here, but my
> external address, though it has an assigned domain name, is not static, thus
> disabling the use of Kerberos to access network services from outside the
> network.
>
> Any thoughts on technologies that might be appropriate here? Some sort of
> SSL system perhaps?
>
> Thanks

How about having them use a VPN to connect to the internal interface
instead? This would also secure the clients' communication channel,
which is always a nice touch.

Linux has IPSec support. It works well, but isn't terribly
well-documented. With some additional work, Microsoft's idea of IPSec
(i.e., IPSec+L2TP) can be implemented as well, though I prefer forcing
the Windows machines to use IPSec without L2TP (look for ipsec.exe).

OpenVPN seems to be easier to install, but has the distinct disadvantage
of tunneling TCP only.

I cannot comment on Kerberos, as I don't know much about it.

Joachim