On Wed, 2007-05-23 at 14:27 -0600, Kenneth Burgener wrote:
> Kenneth Burgener wrote:
> > Maybe someone could point me in the right direction. I have several
> > Linux servers, and maintaining users and passwords individually across
> > all of them is getting to be painful. So I am hoping to find a "Linux
> > password server" option that I can manage all users and passwords from.
> >
> > Any suggestions?
>
> What about this suggestion:
>
> Centralized Authentication with Kerberos 5
> http://www.linuxjournal.com/article/7336
>
> Has anyone had any experience with this option? Is this a fairly secure
> and robust option? Thoughts?
Kerberos should form the center of any authentication system, even when you use LDAP. LDAP was never intended to provide authentication (although it can, and many use it as such). Rather it's intended to provide the information necessary for accounts themselves to exist: uidNumber to uid mapping, homedirectory, etc. So Kerberos and LDAP are both important, but both perform different roles. Think of LDAP as /etc/passwd and Kerberos as /etc/shadow.

So on Linux I set it up to use Kerberos authentication and LDAP user information.

With Kerberos, if everything's kerberized, life is good indeed. In fact the other day I was surprised that I could ssh as myself to another server and it didn't require my password. Turned out that RHEL and CentOS 4 and 5 both have kerberized sshd by default. Once you set up Kerberos on authconfig, it just works. Combine that with judicious use of .k5login files and you can ssh and ksu all over your servers in a secure manner.

If your email client happens to be kerberized (mutt and pine both are), you can access mail over ldap with only your Kerberos credentials. MIT uses Kerberos for everything from web page access to file server access to logins.

Browser support for Kerberos is spotty, often requiring a third-party plugin. But if it's there, you can kerberize apache and have unified logins in a very transparent manner.

Michael

> Thanks for everyone's input,
> Kenneth
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
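An added example, not code from the thread or from Michael: a POSIX shell script that audits the three pieces his setup relies on (a kerberized sshd, LDAP-supplied account data via nsswitch.conf, and .k5login files), run here against constructed sample files. The file paths and the EXAMPLE.COM realm are assumptions.

```shell
# Added example, not from the thread. Each check takes a path, so it can be
# run against copies of the real files or, as here, constructed samples.
# Assumed: sshd's GSSAPIAuthentication keyword, a "passwd:" line in
# nsswitch.conf, and one principal per line in .k5login.

# sshd honours the FIRST uncommented occurrence of a keyword, so read that one.
sshd_gssapi_enabled() {  # $1 sshd_config
  [ "$(awk 'tolower($1)=="gssapiauthentication" {print tolower($2); exit}' "$1")" = yes ]
}

# Account data (uidNumber, home directory) must come from the directory:
# the passwd lookup in nsswitch.conf has to list ldap.
nss_passwd_uses_ldap() {  # $1 nsswitch.conf
  awk '$1=="passwd:" {for (i=2;i<=NF;i++) if ($i=="ldap") f=1} END {exit !f}' "$1"
}

# A .k5login grants login to every principal listed, so it must not be
# writable by group/others and every principal should be in the expected realm.
k5login_ok() {  # $1 .k5login file, $2 expected REALM; returns 1 and reports on a problem
  if [ -n "$(find "$1" \( -perm -002 -o -perm -020 \) 2>/dev/null)" ]; then
    echo "$1: group/world writable" >&2; return 1
  fi
  bad=$(awk -v realm="$2" 'NF {n=split($1,p,"@"); if (n!=2 || p[2]!=realm) print $1}' "$1")
  [ -z "$bad" ] || { printf '%s: principal outside %s: %s\n' "$1" "$2" "$bad" >&2; return 1; }
}

# Run all three checks on a directory holding the files; prints the failure count.
audit() {  # $1 dir, $2 REALM
  fails=0
  sshd_gssapi_enabled "$1/sshd_config" || fails=$((fails+1))
  nss_passwd_uses_ldap "$1/nsswitch.conf" || fails=$((fails+1))
  k5login_ok "$1/k5login" "$2" || fails=$((fails+1))
  echo "$fails"
}

# Constructed sample files (not taken from any real host) so the audit runs offline.
write_samples() {  # $1 dir
  printf '#GSSAPIAuthentication no\nGSSAPIAuthentication yes\nGSSAPIAuthentication no\n' >"$1/sshd_config"
  printf 'passwd: files ldap\nshadow: files\n' >"$1/nsswitch.conf"
  printf 'alice@EXAMPLE.COM\nbob/admin@EXAMPLE.COM\nmallory@OTHER.ORG\n' >"$1/k5login"
  chmod 644 "$1/k5login"
}

d=$(mktemp -d) && write_samples "$d"
echo "failed checks: $(audit "$d" EXAMPLE.COM)"   # 1: mallory@OTHER.ORG is outside the realm
rm -rf "$d"
```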
