Centralised authentication.

Post by R. de Laa » Sat, 19 Nov 2005 05:14:12


Hi there,



I have a question about central authentication.

I started using Linux a few months ago and I am in the process of
migrating my very last Windows machine.
Should have done that a long time ago!!

But I have local users on all boxes and get sick of logging in all the time.

I would like to have a user account that can be used on all boxes.
All boxes should authenticate this account against a central server.
I have read about OpenLDAP, Kerberos and NIS.
Which one should I use?

I am not looking for a "for dummies tutorial" here. Lots of stuff on
the net about this. But I can't seem to find a good paper on how to
choose what to use.

Please tell me your experiences with this subject.


Regards,

Robert

Centralised authentication.

Post by Lars Kello » Sat, 19 Nov 2005 06:28:34

> I would like to have a user account that can be used on all boxes.

Probably a combination of some of the above. Kerberos is a good
solution to the "authentication" problem, and is the only solution that
will allow access to a variety of services without having to
re-authenticate. Once you have a valid Kerberos token you can
(depending on how things are configured) ssh to other nodes, access IMAP
or authenticated NNTP servers, etc., without having to type in your
password more than once (over a set period of time -- tokens do expire).

If all you really care about is remote login, you can accomplish much of
this with ssh keys and ssh-agent.

NIS and LDAP both solve essentially the same problem -- they are network
directory services, and store things like group membership, or the path
to your home directory, etc. You define your accounts in your directory
rather than locally on each machine.

LDAP is a little bit more difficult to set up but is ultimately more
flexible. NIS is more like a network version of /etc/passwd,
/etc/group, etc. It's simpler to set up and suitable for small
environments.

You could even use something like rsync to propagate group, passwd, and
other files around your systems.

-- Lars

--
Lars Kellogg-Stedman < XXXX@XXXXX.COM >
This email address will expire on 2005-11-23.


Centralised authentication.

Post by hayne » Sat, 19 Nov 2005 12:11:35

You might want to look at
ftp://athena-dist.mit.edu/pub/ATHENA/usenix/athena_changes.PS

This is a very old paper setting forth what the Athena project was
doing, which is where Kerberos came from.

One of the strengths of Kerberos is that it is designed to do just
one thing well. What you gain from this is that the security of your
authentication is maintained by just one network service rather than
in a more complicated service that is harder to audit.
--

jhhaynes at earthlink dot net

Centralised authentication.

Post by Nico Kadel » Sat, 19 Nov 2005 21:30:52


Heh. One of the authors of Kerberos works in my building. We've had some...
interesting chats about network security, not related to this, but it's been
nice to ask someone that sharp hard questions.

From my experience, the problem with Kerberos was that it scaled very well
to 10,000 users, but for an office of 20 people, it was wild overkill. I
haven't had the opportunity to work with it in a mixed environment of
Windows/UNIX/etc., but I've tried integrating it into a mixed Linux/Solaris
environment, and the results were much more pain to administrate than, say,
NIS. The problem is that NIS doesn't integrate with Samba or Windows
authentication, and Kerberos and its ilk are very good at integrating not
just user login, but actually controlling remote file-sharing access, which
they considered very important in a huge environment like MIT with home
directories, lots of core servers, etc.

I can only assume it's gotten much easier to work with since then: I'll be
very curious to hear of the experience of others here, and how well it
integrates with mixed environments.

Centralised authentication.

Post by Michael He » Sat, 19 Nov 2005 22:08:55

In comp.os.linux.setup R. de Laat < XXXX@XXXXX.COM >:

For a couple of boxes I wouldn't go to the trouble of setting up
LDAP. I'd simply use rsync through a forced ssh command to sync
accounts from time to time. To log in, use ssh key-login +
ssh-agent with ssh-agent forwarding, no password to
enter, besides when you log in to your local workstation and enter
the ssh-key passphrase once.

Good luck

[..]

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo XXXX@XXXXX.COM | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 261: The Usenet news is out of date
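One way to enforce the "rsync through a forced ssh command" setup described above, as an added example that is not from the thread: a wrapper that sshd runs instead of the client's requested command and that only lets the expected rsync server invocation through. The wrapper path, the authorized_keys entry and the destination directory are assumptions.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper (not from the thread).
# Assumed authorized_keys line on the box receiving the account files:
#   command="/usr/local/bin/rsync-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...
# With a forced command, sshd runs this script and puts the command the
# client actually asked for into SSH_ORIGINAL_COMMAND.

ALLOWED_DEST="/srv/accounts-sync/"   # constructed: only sync target we accept

# rsync_only_check CMD
# Returns 0 when CMD is an rsync server-mode invocation that writes into
# ALLOWED_DEST and carries no shell metacharacters or '..'; 1 otherwise.
rsync_only_check() {
    req="$1"
    case "$req" in
        # A client push looks like: rsync --server <flags> . <dest>
        "rsync --server "*" . $ALLOWED_DEST")
            case "$req" in
                *";"*|*"&"*|*"|"*|*'`'*|*'$'*|*".."*) return 1 ;;
            esac
            return 0 ;;
        *) return 1 ;;
    esac
}

# When invoked by sshd as the forced command, enforce the check, then
# replace ourselves with the vetted rsync command.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if rsync_only_check "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    else
        echo "rsync-only.sh: rejected command: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    fi
fi
```

Rejected requests are logged to stderr, which sshd relays to the client and which makes unexpected use of the key visible on the receiving side.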

Centralised authentication.

Post by fredhan » Sun, 20 Nov 2005 03:58:26

Try this link.
LinuxCOE View topic - Joining the NT domain with Samba
http://www.yqcomputer.com/

It walks you through ldap etc.

Centralised authentication.

Post by Michael He » Sun, 20 Nov 2005 04:38:30

In comp.os.linux.setup fredhand < XXXX@XXXXX.COM >:

[..]

[..]

Why should he want to join an NT domain?



The URL doesn't work for me?

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo XXXX@XXXXX.COM | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 284: Electrons on a bender