Date: 09 Apr 2002 14:23:09 -0500 From: rand@meridian-enviro.com (Douglas K. Rand) To: freebsd-security@FreeBSD.ORG Subject: Re: Centralized authentication Message-ID: <87d6x8smle.fsf@delta.meridian-enviro.com> In-Reply-To: <874riov1et.wl@delta.meridian-enviro.com> ("Douglas K. Rand"'s message of "Sat, 06 Apr 2002 17:43:22 -0600") References: <874riov1et.wl@delta.meridian-enviro.com>
First, I'm sorry I disappeared for a few days; this has been a great discussion.

Jacques Vidrine is right: the subject doesn't really describe what I need. In addition to authentication I also want centralized distribution of /etc/passwd (uid, gid, home, shell) and /etc/group.

A few people suggested NIS+. Virtually all of our boxes are FreeBSD, and the ones that aren't FreeBSD we wish they were. :) Can I run an NIS+ server on FreeBSD? I poked around the handbook, and the searches for FreeBSD and NIS+ didn't return anything that led me to believe that NIS+ support was ready, or even there. But it also sounds like I should pick NIS over NIS+ unless I /really/ need the NIS+ features.

I think Pieter Danhieux was the first to suggest using NIS for everything EXCEPT the encrypted passwords, an approach that I had never considered before. After a little thought on this I find myself liking this idea. I could use NIS to distribute the (relatively) insensitive information, everything in /etc/passwd and /etc/group, and also the login class, password change time, and account expiration time from /etc/master.passwd, setting the encrypted password to "*". Then I can use PAM modules for authentication. (What my subject said but not quite what I meant. :))

Here are the PAM modules that I know about and that I'd consider:

o pam_radius
o pam_ldap
o pam_ssh

I'm going to group pam_radius and pam_ldap together simply because I don't know very much about either server. My very limited understanding leads me to believe that a Radius server is easier to set up and get working than an LDAP server. I also understand that unless you go through a fair amount of pain, secure communication between the client and the LDAP server is difficult. I have a few questions about these PAM modules:

o How secure is the client-server communication with a Radius server?
o Can a user on a client change the password on either the Radius or LDAP server, either with the passwd command or some other command?
What about the pam_ssh module? Is it reasonable to allow users to authenticate off their own SSH key, or should the authentication be done via some other mechanism and then just use the session part of pam_ssh? I've played around with pam_ssh and xdm/wdm and I really like having ssh-agent automatically started and your keys added.

I want to thank everybody for their responses.
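The split the post proposes, NIS for the account data with the crypt field set to "*" and PAM for the actual authentication, as an added example that is not from the post or from any FreeBSD tool: a small Python script that scrubs a master.passwd before it is fed into the NIS map, plus a check to run over the map ypserv actually serves to confirm no hash got through. It assumes the ten-field layout documented in master.passwd(5); the sample file and its hash strings are constructed.

```python
"""Strip crypt fields from a FreeBSD master.passwd before it is published via NIS.

Added example, not from the original post. Field layout per master.passwd(5):
name:password:uid:gid:class:change:expire:gecos:home_dir:shell
"""

MASTER_FIELDS = 10
LOCKED = ("*", "!")  # crypt values that can never match a typed password


def scrub_master_passwd(text: str) -> str:
    """Return the file with every crypt field set to '*'; uid, gid, class,
    change/expire times, gecos, home and shell are kept for NIS distribution.
    Comments and blank lines pass through; a malformed line raises so that
    nothing unexpected is published."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            out.append(line)
            continue
        fields = line.split(":")
        if len(fields) != MASTER_FIELDS:
            raise ValueError(f"line {lineno}: expected {MASTER_FIELDS} fields, got {len(fields)}")
        fields[1] = "*"
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def unlocked_accounts(text: str) -> list[str]:
    """Names whose crypt field is neither '*' nor '!'. Run over the map ypserv
    actually serves: a real hash there can be fetched by any NIS client and
    cracked offline, and an empty field means no password at all."""
    names = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == MASTER_FIELDS and fields[1] not in LOCKED:
            names.append(fields[0])
    return names


# Constructed sample; the hash strings are made up, not real crypt output.
SAMPLE = """\
# constructed master.passwd excerpt
root:$1$CONSTRUCT$notarealhash0000000000:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$CONSTRUCT$notarealhash1111111111:1001:1001:staff:1020000000:0:Alice Example:/home/alice:/bin/tcsh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
"""
```

Feed the scrubbed output to the NIS map build and keep the real master.passwd, with its hashes, only on the host that the PAM backend (Radius or LDAP in the post's plan) authenticates against.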