Re: SSH-login authentication, using Active Directory credentials.
Suraj,

You're better off kerberizing your unix environment and joining it with AD. This way you can have a fully single sign-on environment, including samba file shares, without entering usernames and passwords.

This is what you need to do:

1) install SFU3.5 on all your DC's
2) install openldap and mit kerberos on all your linux boxen
3) install samba
4) use the samba "net join" command to add your host to AD
5) install kerberized putty

done, enjoy

On Jan 25, 2008 7:57 AM, suraj shankar <[EMAIL PROTECTED]> wrote:
>
> --- Alan DeKok <[EMAIL PROTECTED]> wrote:
>
> > Any solution would have exactly the same security
> > issues.
>
> Yes; I can understand and appreciate that. Thanks,
> Alan.
>
> Regards,
> suraj.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SSH-login authentication, using Active Directory credentials.
--- Alan DeKok <[EMAIL PROTECTED]> wrote:

> Any solution would have exactly the same security
> issues.

Yes; I can understand and appreciate that. Thanks, Alan.

Regards,
suraj.
Re: SSH-login authentication, using Active Directory credentials.
suraj shankar wrote:
> I understand that pam_radius_auth 'encrypts' the
> password. But if a user has the privileges to change
> the /etc/raddb/server file (and point it to a
> freeradius server), wouldn't he/she be able to siphon
> off the credentials?

Yes.

> Our setup would disallow direct 'root' logins over
> SSH. However, once the user logs in using his/her
> credentials, they would then be allowed to do a sudo
> or a privilege escalation, thereby opening the
> possibility of a /etc/raddb/server edit.

So... why are you giving people root access if you don't trust them?

> I know worse things can happen with superuser
> privileges; however, I am not worried about the bad that
> can happen to the client machines.
>
> Is there a better way, using radius? Please suggest.
> If this query is a rerun, pointers/references would
> do. Thank you.

Any solution would have exactly the same security issues.

Alan DeKok.
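The edit Suraj is worried about (repointing /etc/raddb/server at a RADIUS server the attacker controls) cannot be prevented on a host where the user gets root, but it can be detected. The following is an added example, not code from the thread or from pam_radius_auth: a POSIX sh audit that parses the pam_radius_auth server file (one "server[:port] secret [timeout]" entry per line, '#' comments), flags entries not on an assumed approved-server list, short shared secrets, and permissions looser than owner-only. The approved-server list, the minimum secret length and the sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pam_radius_auth server file.
# Format read by pam_radius_auth: "server[:port] secret [timeout]" per line,
# '#' comments allowed. The approved list and policy below are assumptions.
APPROVED_RADIUS_SERVERS="10.0.0.10 10.0.0.11"   # assumed sanctioned RADIUS hosts
MIN_SECRET_LEN=16                               # assumed local policy

# audit_radius_servers FILE
# Prints one finding per line; prints nothing when the file is clean.
audit_radius_servers() {
    file=$1
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;   # owner-only: the shared secret is not readable by others
        *) echo "PERMS: $file is mode $mode, expected 600 or 400" ;;
    esac
    # Drop comments/blank lines, strip an optional :port, emit "server secret".
    awk '!/^[[:space:]]*#/ && NF >= 2 { sub(/:[0-9]+$/, "", $1); print $1, $2 }' "$file" |
    while read -r server secret; do
        approved=0
        for ok in $APPROVED_RADIUS_SERVERS; do
            if [ "$server" = "$ok" ]; then approved=1; fi
        done
        [ "$approved" -eq 1 ] || echo "UNAPPROVED: $server is not an approved RADIUS server"
        [ "${#secret}" -ge "$MIN_SECRET_LEN" ] || echo "WEAKSECRET: secret for $server is shorter than $MIN_SECRET_LEN chars"
    done
}

# count_radius_findings FILE -> prints the number of findings (0 = clean)
count_radius_findings() {
    audit_radius_servers "$1" | wc -l | tr -d ' '
}

# make_sample_server_file PATH: writes a constructed sample with one good and
# one bad entry, deliberately world-readable, so the audit has something to flag.
make_sample_server_file() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/raddb/server: server[:port] secret [timeout]
10.0.0.10:1812 Q7v2rGp9xLm4sTzWc8Hd 3
192.0.2.99     secret               3
EOF
    chmod 644 "$1"
}

sample=$(mktemp)
make_sample_server_file "$sample"
audit_radius_servers "$sample"   # prints PERMS, UNAPPROVED and WEAKSECRET findings
rm -f "$sample"
```

Run it from cron or a configuration-management check against the real /etc/raddb/server; any non-empty output means the file has drifted from what the admin team sanctioned.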
Re: SSH-login authentication, using Active Directory credentials.
--- [EMAIL PROTECTED] wrote:

> > Is there a better way, using radius?
>
> No. Once user is authenticated radius has nothing to
> do with them (you say that they can increase
> privileges after authentication). Can't you put them
> in jail.

Yeah, I would eventually do that, if there is no 'better way'. But usually the app. administrators complain that they are crippled by insufficient privileges. So I am looking for something more creative ... :)

And so, what I really meant by a 'better way' was something like a way to tell pam_radius_auth to use a certificate instead of a PSK! ... or something like that ...

Hey, but thanks Ivan, for the suggestion - will lock them up, if I can't find a better way!

Regards,
suraj.
Re: SSH-login authentication, using Active Directory credentials.
> > Is there a better way, using radius?

No. Once the user is authenticated, radius has nothing to do with them (you say that they can increase privileges after authentication). Can't you put them in jail?

Ivan Kalik
Kalik Informatika ISP