From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-questions@freebsd.org
Date: Sun, 15 Mar 2020 23:40:57 +0700
Subject: Re: Centralized user/group/whatever management
Message-ID: <20200315164057.GB74628@admin.sibptus.ru>
In-Reply-To: <5B2796E0-14E3-4CD2-AC05-5A83EE2C0300@theory14.net>
Chris Gordon wrote:
> 
> 
> >> LDAP and Kerberos are common solutions for this. There are many ways you could do this, both or just one of them depending on your specific needs. You could:
> >> - Set up servers yourself. For instance setting up OpenLDAP
> >> - Use some "pre-integrated" solutions:
> >> - FreeIPA. Underneath, this is just LDAP, Kerberos, DNS, etc. You don't have to use SSSD to use FreeIPA as an auth source. Not sure what "features" may or may not be there.
> >> - Active Directory. Yes, you could use a Windows solution. It's fundamentally LDAP, Kerberos, DNS, etc. Note that FreeIPA is an attempt to re-create AD with Open Source components -- if they state that or not, it's what it is.
> >> - Samba acting as an AD server
> > 
> > There is one missing link which was never mentioned in the thread.
> > What's the bridge between nsswitch framework (or some other replacement
> > of getpwent(), getgrent() and friends) to be used with all those LDAP
> > solutions mentioned above?
> > 
> > Kerberos is fine of course, when we have a user already. I use FreeBSD's
> > built-in Heimdal a lot for SSH access, SVN access (duh!) and some other
> > things.
> 
> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/index.html
> 
> If the above doesn't cover sufficiently for you, a quick search of the
> web with your favorite search engine will turn up many different
> articles, tutorials and discussions. I just put in "freebsd ldap
> client" into Google and found the above.

Thanks, a useful article. Matthew Seaman also mentioned net/nss-pam-ldapd
in this context, because it's supposed to be better than
security/pam_ldap+net/nss_ldap. But the idea is clear now.

> 
> > You could also look at using signed SSH keys. There are some articles
> >> about some of the hyper-scale sites doing this to address the failure
> >> points and scalability problems you get with a centralized directory
> >> service. It's on my list to read up on, but I haven't gotten to it
> >> yet.
> > 
> > I did not quite understand how you can use SSH keys to create/delete users
> > and manage group memberships. Could you elaborate or give a link?
> 
> Like I said, I haven't read the details of how this works. "signed
> ssh keys" in Google gives a link to an article from Facebook
> engineering on the subject:
> https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/.
> From what I recall when I heard about this, a similar solution is used
> and discussed by a number of other hyper-scale companies. As I've not
> had time to research this myself, I'll leave it as an exercise to the
> reader.

I've perused the article; it's useful in its own way. I've been looking
for a good example of using SSH certificates *with* *authorization*, and
that is exactly it. For the bastion hosts, however, the author says they
use LDAP and/or Kerberos, and later they access the internal hosts as the
local "root" users (provided a person is authorized to by the SSH CA).

[dd]

> > I was of course interested in modern best practices and personal success
> > stories rather than in "you can implement this or that thing I've read
> > about."
> > 
> > If any person who replied in this thread is using a centralized user
> > database, please share what *you* *particularly* use and why.
> > 
> > I've already shared mine: I use NIS (yp*) but want to migrate from it,
> > for the reasons I stated in the first mail.
> 

[dd]

> 
> Now maybe I'm overreaching in what you want. If you just want to hear
> about specific cases of implementations from those that have them,

Kind of, yes. That was my intention from the start.

> then please disregard my entire email.

Disregarding your entire email would be unwise because you gave at least
two useful links :-)

> 
> I hope that helps some.

It did, thank you.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
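As an added example (not part of this thread, nor code from the Facebook article it cites), the following POSIX shell script shows the piece Victor is after: an SSH user CA issuing a certificate whose principals carry the authorization decision, plus the sshd-side TrustedUserCAKeys / AuthorizedPrincipalsFile mapping that lets a holder of the "bastion-admin" principal log in as the local root account while other accounts stay closed to that certificate. It assumes OpenSSH's ssh-keygen is on PATH; the CA name, user, principals and the principal_authorized helper (which mirrors sshd's principals-file check instead of starting an sshd) are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: SSH user CA + principals
# as the authorization layer. Assumes OpenSSH's ssh-keygen is installed.
# All names (CA, user, principals) are invented for the demonstration.
set -eu

# Generate a CA key, a user key, and a certificate for the user key that is
# valid for one hour and carries two principals. The CA public key is the
# single trust anchor that sshd will accept via TrustedUserCAKeys.
issue_cert() {
  dir=$1
  ssh-keygen -q -t ed25519 -N '' -C 'example user CA' -f "$dir/user_ca"
  ssh-keygen -q -t ed25519 -N '' -C 'alice laptop' -f "$dir/alice"
  # -I key id (logged by sshd), -n principals, -V validity window
  ssh-keygen -q -s "$dir/user_ca" -I 'alice@example.org' \
    -n 'alice,bastion-admin' -V '+1h' "$dir/alice.pub"
  # ssh-keygen writes the certificate next to the key as alice-cert.pub
  [ -f "$dir/alice-cert.pub" ]
}

# Print the principals embedded in a certificate, one per line, by parsing
# the human-readable listing from "ssh-keygen -L" (the block between the
# "Principals:" and "Critical Options:" headings).
cert_principals() {
  ssh-keygen -L -f "$1" | awk '
    /^[[:space:]]*Principals:/      { on = 1; next }
    /^[[:space:]]*Critical Options:/ { on = 0 }
    on { sub(/^[[:space:]]+/, ""); print }'
}

# Write the sshd-side configuration: trust the CA for user certificates and
# map certificate principals to local accounts through per-user files.
write_sshd_config() {
  dir=$1
  mkdir -p "$dir/auth_principals"
  cat > "$dir/sshd_config.fragment" <<EOF
TrustedUserCAKeys $dir/user_ca.pub
AuthorizedPrincipalsFile $dir/auth_principals/%u
EOF
  # Only holders of the bastion-admin principal may become root; alice may
  # additionally log in as herself. One bare principal per line, no blank
  # lines (a blank pattern would make the grep below match everything).
  printf 'bastion-admin\n' > "$dir/auth_principals/root"
  printf 'alice\n'         > "$dir/auth_principals/alice"
}

# Mirror the decision sshd makes with AuthorizedPrincipalsFile: a login as
# $user succeeds only if some principal in the certificate appears, as a
# whole line, in that user's principals file. Returns 0 (allowed) or 1.
principal_authorized() {
  dir=$1; cert=$2; user=$3
  file="$dir/auth_principals/$user"
  [ -f "$file" ] || return 1
  cert_principals "$cert" | grep -qxF -f "$file"
}

main() {
  work=$(mktemp -d)
  issue_cert "$work"
  write_sshd_config "$work"
  echo "certificate principals:"
  cert_principals "$work/alice-cert.pub"
  for u in root alice bob; do
    if principal_authorized "$work" "$work/alice-cert.pub" "$u"; then
      echo "login as $u: allowed"
    else
      echo "login as $u: denied"
    fi
  done
}

if command -v ssh-keygen >/dev/null 2>&1; then
  main
else
  echo "ssh-keygen not found; skipping demonstration" >&2
fi
```

The two lines written to sshd_config.fragment are what would go into /etc/ssh/sshd_config on each host; sshd then performs the principal match itself, and the script's helper only reproduces that rule so the outcome can be checked offline. The short -V validity is what removes the need for a live directory lookup at login time: authorization is proven by the certificate and expires with it, so the CA decides who may act as root on which class of host without any host having to reach a central server.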