From owner-freebsd-security Tue Apr 9 12:23:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from agena.meridian-enviro.com (thunder.meridian-enviro.com [207.109.234.227]) by hub.freebsd.org (Postfix) with ESMTP id B79C737B400 for ; Tue, 9 Apr 2002 12:23:10 -0700 (PDT)
Received: from delta.meridian-enviro.com (delta.meridian-enviro.com [10.10.10.43]) by agena.meridian-enviro.com (8.11.6/8.11.6) with ESMTP id g39JN9W87496 for ; Tue, 9 Apr 2002 14:23:10 -0500 (CDT) (envelope-from rand@meridian-enviro.com)
Received: (from rand@localhost) by delta.meridian-enviro.com (8.11.6/8.11.6) id g39JN9A97711; Tue, 9 Apr 2002 14:23:09 -0500 (CDT) (envelope-from rand@meridian-enviro.com)
X-Authentication-Warning: delta.meridian-enviro.com: rand set sender to rand@meridian-enviro.com using -f
To: freebsd-security@FreeBSD.ORG
Subject: Re: Centralized authentication
References: <874riov1et.wl@delta.meridian-enviro.com>
From: rand@meridian-enviro.com (Douglas K. Rand)
Date: 09 Apr 2002 14:23:09 -0500
In-Reply-To: <874riov1et.wl@delta.meridian-enviro.com> ("Douglas K. Rand"'s message of "Sat, 06 Apr 2002 17:43:22 -0600")
Message-ID: <87d6x8smle.fsf@delta.meridian-enviro.com>
Lines: 51
User-Agent: Gnus/5.090001 (Oort Gnus v0.01) XEmacs/21.4 (Common Lisp)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

First, I'm sorry I disappeared for a few days, this has been a great discussion.

Jacques Vidrine is right: the subject doesn't really describe what I need. In addition to authentication I also want centralized distribution of /etc/passwd (uid, gid, home, shell) and /etc/group.

A few people suggested NIS+. Virtually all of our boxes are FreeBSD, and the ones that aren't FreeBSD we wish they were. :) Can I run an NIS+ server on FreeBSD?
I poked around the handbook and the searches for FreeBSD and NIS+ didn't return anything that led me to believe that NIS+ support was ready, or even there. But it also sounds like I should pick NIS over NIS+ unless I /really/ need the NIS+ features.

I think Pieter Danhieux was the first to suggest using NIS for everything EXCEPT the encrypted passwords, an approach that I had never considered before. After a little thought on this I find myself liking this idea. I could use NIS to distribute the (relatively) insensitive information, everything in /etc/passwd and /etc/group, and also the login class, password change time, and account expiration time from /etc/master.passwd, setting the encrypted password to "*". Then I can use PAM modules for authentication. (What my subject said but not quite what I meant. :))

Here are the PAM modules that I know about and that I'd consider:

o pam_radius
o pam_ldap
o pam_ssh

I'm going to group pam_radius and pam_ldap together simply because I don't know very much about either server. My very limited understanding leads me to believe that a Radius server is easier to set up and get working than an LDAP server. I also understand that unless you go through a fair amount of pain, secure communication between the client and the LDAP server is difficult.

I have a few questions about these PAM modules:

o How secure is the client-server communication with a Radius server?
o Can a user on a client change the password on either the Radius or LDAP server, either with the passwd command or some other command?

What about the pam_ssh module? Is it reasonable to allow users to authenticate off their own SSH key, or should the authentication be done via some other mechanism and then just use the session part of pam_ssh? I've played around with pam_ssh and xdm/wdm and I really like having ssh-agent automatically started and your keys added.

I want to thank everybody for their responses.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
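The "NIS for account data, PAM for authentication" split described in the mail depends on never letting a real hash out of /etc/master.passwd. Added example, not from the poster or any FreeBSD tool: a helper that rewrites master.passwd(5) records for an NIS map with the password field forced to "*", keeps accounts below a cut-off uid (an assumed policy, MIN_UID) local, and refuses to emit a record that still carries a hash. The sample records are constructed.

```python
from typing import List, Optional

# Field layout per master.passwd(5):
# name:password:uid:gid:class:change:expire:gecos:home:shell
N_FIELDS = 10
PASSWORD_FIELD = 1
UID_FIELD = 2
MIN_UID = 1000  # assumption: root and system accounts stay local, not in NIS
SAFE_PASSWORDS = {"*", ""}  # values that carry no credential material


def sanitize_record(line: str) -> Optional[str]:
    """Return the NIS-distributable form of one record, or None to skip it."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split(":")
    if len(fields) != N_FIELDS:
        raise ValueError(f"malformed master.passwd record: {stripped!r}")
    if int(fields[UID_FIELD]) < MIN_UID:
        return None                      # keep privileged accounts local
    fields[PASSWORD_FIELD] = "*"         # strip the hash; PAM does real auth
    return ":".join(fields)


def build_nis_map(master_passwd: str) -> List[str]:
    """Sanitize every record and assert that no hash survived."""
    records = [r for r in map(sanitize_record, master_passwd.splitlines()) if r]
    for r in records:
        if r.split(":")[PASSWORD_FIELD] not in SAFE_PASSWORDS:
            raise RuntimeError(f"hash leaked into NIS map: {r}")
    return records


# Constructed sample input; the hashes are dummies, not real credentials.
SAMPLE = """# constructed sample master.passwd
root:$1$dummysalt$dummyhash:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$dummysalt$dummyhash:1001:1001:default:0:1100000000:Alice:/home/alice:/bin/sh
bob:*:1002:1002:staff:0:0:Bob:/home/bob:/bin/tcsh
"""

if __name__ == "__main__":
    for record in build_nis_map(SAMPLE):
        print(record)
```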