Re: centralized user management
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: centralized user management
- From: "Matt Van Mater" <nutter__(_at_)_hotmail_(_dot_)_com>
- Date: Mon, 14 Apr 2003 13:36:46 -0400
> NIS would be the simplest choice in your situation. Put all your
> accounts on one machine, and have it serve out passwd, shadow, and group
> maps to the others. Not at all secure if you don't trust your users, but
> for a home network it should be fine. LDAP would be the more
> professional way to handle it, and be more interoperable with Windows
> machines, but as you've seen is non-trivial to set up. If you want more
> security than NIS, or just want to play around with it, Kerberos is
> relatively easy to set up. For Kerb login authentication, just use NIS
> to get passwd and group maps (not shadow maps), and replace /bin/login
> with /usr/sbin/login.krb5. Check out the "How to Kerberize your site"
> link from the Kerb home page for a good HOWTO.

The problem with the 'kerberize your site' howtos is that they address using
Kerberos for certain services, but never mention how to turn it on for an
ssh connection or even local logins. I've just recently looked through the
sshd_config man page and think I know how to enable kerb for ssh logins, but
still don't really know how to turn it on for local login auth. The howto
says to turn on several daemons in inetd.conf without explaining or even
briefly mentioning why I should turn each one on (which seems very
un-openbsdish to me). I'm not a super paranoid type but I don't like
turning services on if I don't know what the hell they do. I think I would
want to uncomment kauthd for local kerb authentication and will have to read
up on if that does what I think it does.

I will however look into NIS because several people have suggested it. I
was trying to stay away from NIS or YP because of security reasons, but I
might as well look into them just to be more aware of exactly what they do.
I'd rather spend more time doing it The Right Way rather than just some
old method that no one trusts anymore.

Matt