From owner-freebsd-security Tue May 7 8:49:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ra.upan.org (ra.upan.org [204.107.76.19]) by hub.freebsd.org (Postfix) with ESMTP id A6E7F37B400 for ; Tue, 7 May 2002 08:49:10 -0700 (PDT)
Received: from ocsinternet.com ([10.0.0.140]) by ra.upan.org (8.11.6/8.11.6) with ESMTP id g47Fm5V42531; Tue, 7 May 2002 11:48:06 -0400 (EDT) (envelope-from mikel@ocsinternet.com)
Message-ID: <3CD8058D.4090706@ocsinternet.com>
Date: Tue, 07 May 2002 11:49:17 -0500
From: Mikel King
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.4.1) Gecko/20020314 Netscape6/6.2.2
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Douglas K. Rand"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Centralized authentication
References: <874riov1et.wl@delta.meridian-enviro.com> <87d6x8smle.fsf@delta.meridian-enviro.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Douglas,

I know this was an old post, but sometimes I can't keep up with the world...;)

In any event... I do understand what it is you require, as I have been suffering from the same dilemma. I tried ldap and wasn't happy with it, probably due to something I didn't set up correctly, but that aside. I've used rsync via ssh, and it was time consuming... I began looking for something else.

What I decided was that I needed something simple: currently I'm playing around with pam_mysql, because I can use mysql's builtins to synchronize the db's, and as things develop I can strap a web front end on the db and manage the whole thing. Well, the latter part is the goal, but as a result of time constraints we're not there quite yet...

Anyway that's what I came up with, and as time permits I've been trying to get there... I am curious to know what you've found...

Cheers,
mikel

Douglas K. Rand wrote:

>First, I'm sorry I disappeared for a few days, this has been a great
>discussion.
>
>Jacques Vidrine is right: the subject doesn't really describe what I
>need. In addition to authentication I also want centralized
>distribution of /etc/passwd (uid, gid, home, shell) and /etc/group.
>
>A few people suggested NIS+. Virtually all of our boxes are FreeBSD,
>and the ones that aren't FreeBSD we wish they were. :) Can I run an
>NIS+ server on FreeBSD? I poked around the handbook and the searches
>for FreeBSD and NIS+ didn't return anything that led me to believe
>that NIS+ support was ready, or even there. But it also sounds like I
>should pick NIS over NIS+ unless I /really/ need the NIS+ features.
>
>I think Pieter Danhieux was the first to suggest using NIS for
>everything EXCEPT the encrypted passwords, an approach that I had
>never considered before. After a little thought on this I find myself
>liking this idea. I could use NIS to distribute the (relatively)
>insensitive information, everything in /etc/passwd and /etc/group, and
>also the login class, password change time, and account expiration
>time from /etc/master.passwd, setting the encrypted password to "*".
>
>Then I can use PAM modules for authentication. (What my subject said
>but not quite what I meant. :)) Here are the PAM modules that I know
>about and that I'd consider:
>
> o pam_radius
> o pam_ldap
> o pam_ssh
>
>I'm going to group pam_radius and pam_ldap together simply because I
>don't know very much about either server. My very limited
>understanding leads me to believe that a Radius server is easier to
>set up and get working than an LDAP server. I also understand that
>unless you go through a fair amount of pain, secure communications
>between the client and the LDAP server are difficult. I have a few
>questions about these PAM modules:
>
> o How secure is the client-server communication with a Radius
> server?
>
> o Can a user on a client change the password on either the Radius or
> LDAP server, either with the passwd command or some other command?
>
>What about the pam_ssh module? Is it reasonable to allow users to
>authenticate off their own SSH key, or should the authentication be
>done via some other mechanism and then just use the session part of
>pam_ssh? I've played around with pam_ssh and xdm/wdm and I really like
>having ssh-agent automatically started and your keys added.
>
>I want to thank everybody for their responses.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>
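The quoted scheme (publish account data over NIS with the encrypted password replaced by "*", and leave authentication to a PAM module) needs the source maps scrubbed before they are pushed. This is an added example, not code from either poster or from FreeBSD: a small Python routine that takes FreeBSD master.passwd text, drops the hashes while keeping class/change/expire, and emits both the master.passwd and the 7-field passwd layout. The sample file, the `min_uid` cut-off for keeping system accounts local, and the strict field check are all assumptions of this example.

```python
"""Scrub password hashes from a FreeBSD master.passwd before it feeds NIS.

Constructed example (not from the thread). Account data survives; every
password field becomes "*", which matches no password, so the NIS copy is
useless for offline cracking and logins must succeed through PAM instead.
"""

# Constructed sample in master.passwd layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
# constructed sample, hashes are fake
root:$1$saltsalt$FAKEHASHFAKEHASHFAKEH.:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$abcdefgh$FAKEHASHFAKEHASHFAKEH.:1001:1001:staff:0:1041379200:Alice:/home/alice:/bin/sh
bob::1002:1002::0:0:Bob:/home/bob:/usr/sbin/nologin
"""

LOCKED = "*"  # FreeBSD treats "*" as a hash that can never match


def sanitize_master_passwd(text, min_uid=1000):
    """Return (master_lines, passwd_lines) with every password set to "*".

    master_lines keep the 10-field master.passwd layout (login class, change
    and expire times survive); passwd_lines use the 7-field /etc/passwd
    layout that NIS passwd maps are built from. Accounts below min_uid
    (root, daemons) are left out so they stay purely local (assumption).
    A malformed line raises ValueError so a broken map is never published.
    """
    master_lines, passwd_lines = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError("line %d: expected 10 fields, got %d"
                             % (lineno, len(fields)))
        name, _hash, uid, gid, cls, change, expire, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            raise ValueError("line %d: non-numeric uid/gid" % lineno)
        if int(uid) < min_uid:
            continue  # system account: never exported
        master_lines.append(":".join(
            [name, LOCKED, uid, gid, cls, change, expire, gecos, home, shell]))
        passwd_lines.append(":".join(
            [name, LOCKED, uid, gid, gecos, home, shell]))
    return master_lines, passwd_lines
```

Run the result through pwd_mkdb on the NIS master before building maps, and keep the real hashes only where the PAM backend (Radius, LDAP, or Mikel's pam_mysql) actually verifies them.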