Date: Tue, 07 May 2002 11:49:17 -0500
From: Mikel King <mikel@ocsinternet.com>
To: "Douglas K. Rand" <rand@meridian-enviro.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Centralized authentication
Message-ID: <3CD8058D.4090706@ocsinternet.com>
References: <874riov1et.wl@delta.meridian-enviro.com> <87d6x8smle.fsf@delta.meridian-enviro.com>
Douglas,

I know this was an old post, but sometimes I can't keep up with the world...;) In any event... I do understand what it is you require, as I have been suffering from the same dilemma. I tried ldap and wasn't happy with it, probably due to something I didn't set up correctly, but that aside. I've used rsync via ssh, and it was time consuming... I began looking for something else. What I decided was that I needed something simple: currently I'm playing around with pam_mysql, because I can use mysql's builtins to synchronize the db's, and as things develop I can strap a web front end on the db and manage the whole thing. Well, the latter part is the goal, but as a result of time constraints we're not there quite yet... Anyway that's what I came up with, and as time permits I've been trying to get there... I am curious to know what you've found...

Cheers,
mikel

Douglas K. Rand wrote:
> First, I'm sorry I disappeared for a few days, this has been a great
> discussion.
>
> Jacques Vidrine is right: the subject doesn't really describe what I
> need. In addition to authentication I also want centralized
> distribution of /etc/passwd (uid, gid, home, shell) and /etc/group.
>
> A few people suggested NIS+. Virtually all of our boxes are FreeBSD,
> and the ones that aren't FreeBSD we wish they were. :) Can I run an
> NIS+ server on FreeBSD? I poked around the handbook and the searches
> for FreeBSD and NIS+ didn't return anything that led me to believe
> that NIS+ support was ready, or even there. But it also sounds like I
> should pick NIS over NIS+ unless I /really/ need the NIS+ features.
>
> I think Pieter Danhieux was the first to suggest using NIS for
> everything EXCEPT the encrypted passwords, an approach that I had
> never considered before. After a little thought on this I find myself
> liking this idea. I could use NIS to distribute the (relatively)
> insensitive information, everything in /etc/passwd and /etc/group, and
> also the login class, password change time, and account expiration
> time from /etc/master.passwd, setting the encrypted password to "*".
>
> Then I can use PAM modules for authentication. (What my subject said
> but not quite what I meant. :)) Here are the PAM modules that I know
> about and that I'd consider:
>
>   o pam_radius
>   o pam_ldap
>   o pam_ssh
>
> I'm going to group pam_radius and pam_ldap together simply because I
> don't know very much about either server. My very limited
> understanding leads me to believe that a Radius server is easier to
> set up and get working than an LDAP server. I also understand that
> unless you go through a fair amount of pain, secure communications
> between the client and the LDAP server is difficult. I have a few
> questions about these PAM modules:
>
>   o How secure is the client-server communications with a Radius
>     server?
>
>   o Can a user on a client change the password on either the Radius or
>     LDAP server, either with the passwd command or some other command?
>
> What about the pam_ssh module? Is it reasonable to allow users to
> authenticate off their own SSH key, or should the authentication be
> done via some other mechanism and then just use the session part of
> pam_ssh? I've played around with pam_ssh and xdm/wdm and I really like
> having ssh-agent automatically started and your keys added.
>
> I want to thank everybody for their responses.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
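The "NIS for everything except the hashes" approach discussed above, as an added example that is not part of the thread: it rewrites master.passwd entries with the password field set to "*" (keeping uid, gid, class, change and expire times, home and shell) and checks that no hash is left before the map would be pushed. The ten-field master.passwd layout is assumed; the sample entries and hashes are constructed.

```python
"""Strip password hashes from FreeBSD master.passwd entries before NIS
distribution. Added example, not code from the thread. Assumed layout:
name:password:uid:gid:class:change:expire:gecos:home:shell (10 fields)."""

MASTER_PASSWD_FIELDS = 10
PASSWORD_FIELD = 1


def sanitize_line(line: str) -> str:
    """Return the entry with its password hash replaced by "*".

    Blank lines and comments pass through. A malformed entry raises
    ValueError instead of being copied through with a hash intact.
    """
    entry = line.rstrip("\n")
    if not entry or entry.startswith("#"):
        return entry
    fields = entry.split(":")
    if len(fields) != MASTER_PASSWD_FIELDS:
        raise ValueError(f"not a master.passwd entry: {entry!r}")
    fields[PASSWORD_FIELD] = "*"
    return ":".join(fields)


def sanitize_master_passwd(text: str) -> str:
    """Sanitize a whole file's worth of entries, one per line."""
    return "\n".join(sanitize_line(l) for l in text.splitlines()) + "\n"


def has_hash(text: str) -> bool:
    """Pre-push check: True if any entry still carries something other
    than "*" in the password field (a hash, or an empty field)."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == MASTER_PASSWD_FIELDS and fields[PASSWORD_FIELD] != "*":
            return True
    return False


# Constructed sample; the hashes are made-up strings, not real credentials.
SAMPLE = (
    "# constructed master.passwd excerpt\n"
    "root:$1$abcdefgh$ijklmnopqrstuvwxyz12345:0:0::0:0:Charlie &:/root:/bin/csh\n"
    "dkr:$1$zyxwvuts$rqponmlkjihgfedcba54321:1001:1001:staff:0:1041379200:"
    "Douglas K. Rand:/home/dkr:/bin/sh\n"
)

if __name__ == "__main__":
    safe = sanitize_master_passwd(SAMPLE)
    print(safe, end="")
    print("hash left behind:", has_hash(safe))
```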